Analysis
-
max time kernel
149s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 04:27
Static task
static1
Behavioral task
behavioral1
Sample
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
Resource
win10v2004-20220812-en
General
-
Target
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe
-
Size
352KB
-
MD5
b4de54b35be567dccdb82bdd68ee2e65
-
SHA1
2bd1c9fa438584b9305cd08f7b81c3b02eb9bfdc
-
SHA256
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d
-
SHA512
8d5a2128d10061572550ca3af95e04af04b3149af64306aa2044c23772651054e010ad9a3b6ffc6103bcde5c934abb00f81f74dc819292be888652f41da1124c
-
SSDEEP
6144:Ii7FhAd2I4+zdGDSkKstgehkB2bNlHRQp1SKjrU8C:nFmdH4adGDSkl9/87
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfb5f6db.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fb5f6db = "C:\\Users\\Admin\\AppData\\Roaming\\dfb5f6db.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfb5f6d = "C:\\dfb5f6db\\dfb5f6db.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fb5f6d = "C:\\dfb5f6db\\dfb5f6db.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfb5f6db = "C:\\Users\\Admin\\AppData\\Roaming\\dfb5f6db.exe" explorer.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-addr.es 5 myexternalip.com 7 myexternalip.com -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1204 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exepid process 1628 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe 1628 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exeexplorer.exepid process 1628 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe 1312 explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1368 vssvc.exe Token: SeRestorePrivilege 1368 vssvc.exe Token: SeAuditPrivilege 1368 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exeexplorer.exedescription pid process target process PID 1628 wrote to memory of 1312 1628 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe explorer.exe PID 1628 wrote to memory of 1312 1628 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe explorer.exe PID 1628 wrote to memory of 1312 1628 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe explorer.exe PID 1628 wrote to memory of 1312 1628 8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe explorer.exe PID 1312 wrote to memory of 852 1312 explorer.exe svchost.exe PID 1312 wrote to memory of 852 1312 explorer.exe svchost.exe PID 1312 wrote to memory of 852 1312 explorer.exe svchost.exe PID 1312 wrote to memory of 852 1312 explorer.exe svchost.exe PID 1312 wrote to memory of 1204 1312 explorer.exe vssadmin.exe PID 1312 wrote to memory of 1204 1312 explorer.exe vssadmin.exe PID 1312 wrote to memory of 1204 1312 explorer.exe vssadmin.exe PID 1312 wrote to memory of 1204 1312 explorer.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe"C:\Users\Admin\AppData\Local\Temp\8aae7f0575d68d4070b66bb528c3e4f4270a09156c00989fe25609c7b519a76d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\svchost.exe-k netsvcs3⤵
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/852-62-0x0000000000000000-mapping.dmp
-
memory/852-65-0x0000000000080000-0x00000000000A5000-memory.dmpFilesize
148KB
-
memory/852-66-0x0000000000080000-0x00000000000A5000-memory.dmpFilesize
148KB
-
memory/1204-63-0x0000000000000000-mapping.dmp
-
memory/1312-56-0x0000000000000000-mapping.dmp
-
memory/1312-59-0x0000000075201000-0x0000000075203000-memory.dmpFilesize
8KB
-
memory/1312-60-0x0000000000080000-0x00000000000A5000-memory.dmpFilesize
148KB
-
memory/1628-54-0x0000000075831000-0x0000000075833000-memory.dmpFilesize
8KB
-
memory/1628-55-0x0000000000400000-0x000000000045E000-memory.dmpFilesize
376KB
-
memory/1628-57-0x0000000002310000-0x000000000295A000-memory.dmpFilesize
6.3MB
-
memory/1628-61-0x0000000002310000-0x000000000295A000-memory.dmpFilesize
6.3MB