Analysis
  max time kernel: 186s
  max time network: 190s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  submitted: 28-11-2022 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  Resource: win10v2004-20221111-en
General
  Target: 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  Size: 766KB
  MD5: 9b1da810487cdcb458d46f394f561fdb
  SHA1: b8fbf9babf7182cf7dd1e6039e4c2a072a4df70c
  SHA256: 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1
  SHA512: babbecf43d00e1cfe58b9b3d2895993624e62f136178f64616f43e49c1006dc9d64d6e2dcfa3b88434ad9b9790270aa063236deaaf92022d8b3ebeaa42efd7fc
  SSDEEP: 12288:CH+pDu9YrDQKiXEfiVzhY1Iys0P9ckgveteiZLnfHSoGKmeVd8kyBwvBH4JVJ:Ce0sDNiUfiPgI91kgveYAHSoGoWeOVJ
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etokiloj = "\"C:\\Windows\\edezesoh.exe\"" | explorer.exe
Checks whether UAC is enabled (1 IoCs)
  Processes: 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
Suspicious use of SetThreadContext (2 IoCs)
  Processes: 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe, 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  description | pid | process | target process
  PID 2508 set thread context of 4368 | 2508 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  PID 4368 set thread context of 4288 | 4368 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | explorer.exe

Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  description | ioc | process
  File opened for modification | C:\Windows\edezesoh.exe | explorer.exe
  File created | C:\Windows\edezesoh.exe | explorer.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  428 | vssadmin.exe

Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 4436 | vssvc.exe
  Token: SeRestorePrivilege | 4436 | vssvc.exe
  Token: SeAuditPrivilege | 4436 | vssvc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe, 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe, explorer.exe
  description | pid | process | target process
  PID 2508 wrote to memory of 4368 | 2508 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  PID 2508 wrote to memory of 4368 | 2508 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  PID 2508 wrote to memory of 4368 | 2508 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  PID 2508 wrote to memory of 4368 | 2508 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  PID 2508 wrote to memory of 4368 | 2508 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
  PID 4368 wrote to memory of 4288 | 4368 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | explorer.exe
  PID 4368 wrote to memory of 4288 | 4368 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | explorer.exe
  PID 4368 wrote to memory of 4288 | 4368 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | explorer.exe
  PID 4368 wrote to memory of 4288 | 4368 | 4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe | explorer.exe
  PID 4288 wrote to memory of 428 | 4288 | explorer.exe | vssadmin.exe
  PID 4288 wrote to memory of 428 | 4288 | explorer.exe | vssadmin.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe"
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe
        command line: "C:\Windows\system32\explorer.exe"
        - Adds Run key to start application
        - Drops file in Windows directory
        - Modifies Internet Explorer Phishing Filter
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\vssadmin.exe
          command line: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
  C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
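The process tree and signatures above describe one chain: a user-temp executable re-launches itself, hollows an explorer.exe, and that explorer.exe drops C:\Windows\edezesoh.exe, persists it under the Run key, disables the IE phishing filter and deletes shadow copies. The following is an added example, not the sandbox's signature engine or anything from the report: a Python triage pass that reproduces those signatures over Sysmon-style events. The event field names (EventID 1/11/13, Image, ParentImage, CommandLine, TargetObject, Details, TargetFilename) and the SAMPLE_EVENTS list are assumptions, constructed to mirror the report's IoCs (PIDs, paths and SID are taken from it), plus one benign control event.

```python
"""Triage rules for the behaviours in the sandbox report above.
Added example, not the sandbox's own logic. Input: Sysmon-style event dicts
(EventID 1 = process create, 11 = file create, 13 = registry value set).
Field names and SAMPLE_EVENTS are assumptions constructed from the report."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str    # short rule name
    pid: int     # process the event is attributed to
    detail: str  # the evidence that fired the rule


# vssadmin.exe Delete Shadows /All /Quiet (ATT&CK T1490, Inhibit System Recovery)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# ...\CurrentVersion\Run\<name> (T1547.001, Registry Run Keys)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Internet Explorer\PhishingFilter\EnabledV8 / EnabledV9 set to 0 (T1562.001, Impair Defenses)
PHISHING_FILTER = re.compile(r"\\internet explorer\\phishingfilter\\enabledv\d+$", re.I)
# A parent image living in a user's %TEMP%, as the sample does
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# An .exe directly under C:\Windows (not in a subdirectory), like edezesoh.exe
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)


def _is_explorer(image):
    return image.lower().endswith("\\explorer.exe")


def check_process_create(ev):
    findings = []
    pid, cmd = ev["ProcessId"], ev.get("CommandLine", "")
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if SHADOW_DELETE.search(cmd):
        findings.append(Finding("shadow_copy_deletion", pid, cmd))
    # explorer.exe is normally started by userinit.exe or another explorer.exe;
    # one whose parent is an executable in %TEMP% is a hollowing/injection target
    if _is_explorer(image) and USER_TEMP.match(parent):
        findings.append(Finding("explorer_spawned_from_user_temp", pid, f"{parent} -> {image}"))
    return findings


def check_file_create(ev):
    target = ev.get("TargetFilename", "")
    if _is_explorer(ev.get("Image", "")) and WINDOWS_ROOT_EXE.match(target):
        return [Finding("explorer_drops_exe_in_windows_dir", ev["ProcessId"], target)]
    return []


def check_registry_set(ev):
    findings = []
    pid, target = ev["ProcessId"], ev.get("TargetObject", "")
    details = ev.get("Details", "").strip()
    if RUN_KEY.search(target):
        path = details.strip('"')  # the sample stores the path quoted
        if WINDOWS_ROOT_EXE.match(path) or _is_explorer(ev.get("Image", "")):
            findings.append(Finding("run_key_persistence", pid, f"{target} = {details}"))
    # Sysmon renders a zero DWORD as "DWORD (0x00000000)"; some exporters emit "0"
    if PHISHING_FILTER.search(target) and details in ("0", "DWORD (0x00000000)"):
        findings.append(Finding("ie_phishing_filter_disabled", pid, target))
    return findings


HANDLERS = {1: check_process_create, 11: check_file_create, 13: check_registry_set}


def triage(events):
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        if handler:
            findings.extend(handler(ev))
    return findings


def verdict(findings):
    rules = {f.rule for f in findings}
    if {"shadow_copy_deletion", "run_key_persistence"} <= rules:
        return "ransomware-like: persistence plus recovery inhibition"
    return "suspicious" if rules else "clean"


# Constructed events mirroring the report; the last one is a benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe"
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
IE_PF = r"HKU\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4368, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"', "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 4288, "Image": EXPLORER, "CommandLine": r'"C:\Windows\system32\explorer.exe"', "ParentImage": SAMPLE},
    {"EventID": 11, "ProcessId": 4288, "Image": EXPLORER, "TargetFilename": r"C:\Windows\edezesoh.exe"},
    {"EventID": 13, "ProcessId": 4288, "Image": EXPLORER, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etokiloj", "Details": r'"C:\Windows\edezesoh.exe"'},
    {"EventID": 13, "ProcessId": 4288, "Image": EXPLORER, "TargetObject": IE_PF + r"\EnabledV8", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 4288, "Image": EXPLORER, "TargetObject": IE_PF + r"\EnabledV9", "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessId": 428, "Image": r"C:\Windows\SYSTEM32\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet", "ParentImage": EXPLORER},
    {"EventID": 1, "ProcessId": 1000, "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print("verdict:", verdict(results))
```

The SetThreadContext/WriteProcessMemory pairs the sandbox recorded are not visible in these three Sysmon event types, so the explorer.exe hollowing is inferred here from its parent (an executable in %TEMP%) rather than observed directly; an EDR with thread-context telemetry would confirm it. The verdict deliberately requires both a persistence hit and the shadow-copy deletion before calling the chain ransomware-like, so a lone administrative `vssadmin list shadows` stays clean.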
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\ProgramData\aduqeliginopicah\01000000
    Filesize: 766KB
    MD5: b08099f62223f6fcb24b05adcbbc74ad
    SHA1: af92c74915e34d1d63d03783132d424848843de5
    SHA256: 659aa6c68411cdbcfd6053ec3db63a4b3b2ceedeba3b21488b8690e3259d8e38
    SHA512: 5dd58501fc459b0bd3d742a022cf5a10cfb8d3d699f8e1d7394ee3e217e8be25f9253cea61ad4978a76b0471c3e0f338a9ec06f19bdc402eefc84cd0b5a40e27
  memory/428-144-0x0000000000000000-mapping.dmp
  memory/2508-132-0x0000000002230000-0x0000000002238000-memory.dmp  Filesize: 32KB
  memory/4288-139-0x0000000000A50000-0x0000000000A8C000-memory.dmp  Filesize: 240KB
  memory/4288-145-0x0000000000A50000-0x0000000000A8C000-memory.dmp  Filesize: 240KB
  memory/4288-143-0x0000000000A50000-0x0000000000A8C000-memory.dmp  Filesize: 240KB
  memory/4288-138-0x0000000000000000-mapping.dmp
  memory/4368-135-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize: 232KB
  memory/4368-137-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize: 232KB
  memory/4368-142-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize: 232KB
  memory/4368-136-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize: 232KB
  memory/4368-134-0x0000000000400000-0x000000000043A000-memory.dmp  Filesize: 232KB
  memory/4368-133-0x0000000000000000-mapping.dmp