Analysis
max time kernel
199s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted
28-11-2022 04:28
Static task
static1
Behavioral task
behavioral1
Sample
ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
Resource
win10v2004-20221111-en
General
Target
ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
Size
372KB
MD5
7de1750d1c18abc7625d3aa4c0647d96
SHA1
474e30032017bd76d9c44df06b3f779f404d7823
SHA256
ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8
SHA512
f7344382d112dcf8cfef8a390dbf313618880fa4017a31e63f72c4e11d647451333731433eb4f08cedcd371bae3d5f327f0b2c19bb64026edbff092adfd57746
SSDEEP
6144:90tCnRyUFrHko+wU21RTJInao0scy+cAZOe/6VL11meQfah3WGhzfNHjrvq3KWSu:7RzeoswR9JoxiL/UmeQfah3WYxVhbLc
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-2386679933-1492765628-3466841596-1000\Recovery+gshdd.txt
http://ytrest84y5i456hghadefdsd.pontogrot.com/35DBEF295EC2D457
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/35DBEF295EC2D457
http://5rport45vcdef345adfkksawe.bematvocal.at/35DBEF295EC2D457
http://xlowfznrg4wf7dli.onion/35DBEF295EC2D457
http://xlowfznrg4wf7dli.ONION/35DBEF295EC2D457
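The five URLs above share one path segment, 35DBEF295EC2D457, and the .onion host appears twice differing only in case. The following Python is an added example, not part of the sandbox report, that normalises such a note into one record: it checks that every URL carries the same 16-hex-digit ID, folds the case-duplicate .onion entry, and derives the clearnet domains worth blocking. The function and field names, and the choice to treat the shared path as a per-victim identifier, are this example's own assumptions.

```python
"""Normalise the payment URLs recovered from a ransom note into one IoC record.

Added example, not part of the sandbox report. NOTE_URLS are copied verbatim
from the report's Malware Config section; everything else (function shape,
field names, treating the common path segment as the victim ID) is assumed.
"""
import re
from urllib.parse import urlsplit

# Copied from the report (extracted from Recovery+gshdd.txt).
NOTE_URLS = [
    "http://ytrest84y5i456hghadefdsd.pontogrot.com/35DBEF295EC2D457",
    "http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/35DBEF295EC2D457",
    "http://5rport45vcdef345adfkksawe.bematvocal.at/35DBEF295EC2D457",
    "http://xlowfznrg4wf7dli.onion/35DBEF295EC2D457",
    "http://xlowfznrg4wf7dli.ONION/35DBEF295EC2D457",
]

# Assumption: the path is a single 16-digit upper-case hex token.
_VICTIM_ID = re.compile(r"^/([0-9A-F]{16})/?$")


def summarise_config(urls):
    """Return one record for the note; raise if the URLs do not agree on an ID."""
    ids, onion, clearnet, domains = set(), set(), set(), set()
    for u in urls:
        parts = urlsplit(u)
        host = parts.hostname.lower()          # folds .onion / .ONION
        m = _VICTIM_ID.match(parts.path)
        if not m:
            raise ValueError(f"unexpected path in {u!r}")
        ids.add(m.group(1))
        if host.endswith(".onion"):
            onion.add(host)
        else:
            clearnet.add(host)
            # Assumption: the last two labels are the registrable domain to block;
            # the long random first label is a per-note throwaway subdomain.
            domains.add(".".join(host.rsplit(".", 2)[-2:]))
    if len(ids) != 1:
        raise ValueError(f"victim IDs disagree: {sorted(ids)}")
    return {
        "victim_id": ids.pop(),
        "onion": sorted(onion),
        "clearnet": sorted(clearnet),
        "registrable_domains": sorted(domains),
    }


if __name__ == "__main__":
    for k, v in summarise_config(NOTE_URLS).items():
        print(f"{k}: {v}")
```

Blocking the three registrable domains rather than the full hostnames is the useful output here: the random first label changes per note, the parent domain does not. The ID check matters when a note is assembled from several victims' samples, since mismatched IDs mean the URLs do not belong to one infection.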
Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE 2 IoCs
Processes:
  PID 1324  jelkcqlbavue.exe
  PID 5064  jelkcqlbavue.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  jelkcqlbavue.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  Key created      \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run  jelkcqlbavue.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dchckwfyaoqh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\jelkcqlbavue.exe\""  jelkcqlbavue.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 204   set thread context of PID 2168  ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe -> ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
  PID 1324  set thread context of PID 5064  jelkcqlbavue.exe -> jelkcqlbavue.exe
Drops file in Program Files directory 5 IoCs
Processes:
  File opened for modification  C:\Program Files\7-Zip\History.txt   jelkcqlbavue.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\af.txt   jelkcqlbavue.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\an.txt   jelkcqlbavue.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ar.txt   jelkcqlbavue.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ast.txt  jelkcqlbavue.exe
Drops file in Windows directory 2 IoCs
Processes:
  File opened for modification  C:\Windows\jelkcqlbavue.exe  ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
  File created                  C:\Windows\jelkcqlbavue.exe  ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID 5064  jelkcqlbavue.exe  (64 events, all from this one process)
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
  Token: SeDebugPrivilege  PID 2168  ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
  Token: SeDebugPrivilege  PID 5064  jelkcqlbavue.exe
  PID 5100  WMIC.exe  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  PID 204   ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
  PID 1324  jelkcqlbavue.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
  PID 204   wrote to memory of PID 2168  ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe -> ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe  (10 events)
  PID 2168  wrote to memory of PID 1324  ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe -> jelkcqlbavue.exe  (3 events)
  PID 2168  wrote to memory of PID 3632  ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe -> cmd.exe  (3 events)
  PID 1324  wrote to memory of PID 5064  jelkcqlbavue.exe -> jelkcqlbavue.exe  (10 events)
  PID 5064  wrote to memory of PID 5100  jelkcqlbavue.exe -> WMIC.exe  (2 events)
System policy modification 1 TTPs 2 IoCs
Processes:
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  jelkcqlbavue.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  jelkcqlbavue.exe
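Turning the signatures above into detection logic, as an added example in Python (not the sandbox's or Triage's own code): four rules run over constructed Sysmon-style process and registry events that mirror this report's IoCs, namely the WMIC shadow copy deletion, the Run value that relaunches C:\Windows\jelkcqlbavue.exe through cmd.exe /c start, the EnableLinkedConnections=1 write, and the cmd.exe /c DEL of the original dropper, plus one benign Run value as a control. The event field names are assumed for this example; matching vssadmin delete shadows alongside wmic shadowcopy delete is a generalisation beyond what this report shows.

```python
"""Flag the ransomware TTPs recorded in the report in process/registry telemetry.

Added example; not code from the sandbox report. The event schema is a
simplified Sysmon-like shape assumed here, and the events are constructed to
mirror the report's IoCs (one benign Run value is included as a control).
"""
import re

# Constructed telemetry; field names are this example's own.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 5100, "ppid": 5064,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive'},
    {"type": "registry", "pid": 5064, "op": "SetValue",
     "key": r"HKU\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dchckwfyaoqh",
     "data": r'C:\Windows\system32\cmd.exe /c start "" "C:\Windows\jelkcqlbavue.exe"'},
    {"type": "registry", "pid": 5064, "op": "SetValue",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "data": "1"},
    {"type": "process", "pid": 3632, "ppid": 2168,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD3A9D~1.EXE'},
    # Benign control: an ordinary Run value must not fire.
    {"type": "registry", "pid": 1000, "op": "SetValue",
     "key": r"HKU\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# Shadow copy deletion: the report's wmic form, plus the vssadmin form (generalisation).
_SHADOW_DELETE = re.compile(
    r"(?:\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b)|(?:\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b)",
    re.IGNORECASE)
# Run value whose payload is launched indirectly through cmd.exe /c start.
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
_CMD_START = re.compile(r"\bcmd(?:\.exe)?\b.*\s/c\s+start\b", re.IGNORECASE)
# Dropper removing itself from the user's Temp directory via cmd.exe.
_SELF_DELETE = re.compile(r"\bcmd(?:\.exe)?\b.*\s/c\s+del\b.*\\Temp\\", re.IGNORECASE)
# UAC policy tweak that exposes the user's mapped drives to an elevated token.
_LINKED = re.compile(r"\\Policies\\System\\EnableLinkedConnections$", re.IGNORECASE)


def evaluate(events):
    """Return (rule, pid, evidence) tuples for every event matching a TTP rule."""
    hits = []
    for e in events:
        if e["type"] == "process":
            if _SHADOW_DELETE.search(e["cmdline"]):
                hits.append(("shadow_copy_deletion", e["pid"], e["cmdline"]))
            if _SELF_DELETE.search(e["cmdline"]):
                hits.append(("dropper_self_delete", e["pid"], e["cmdline"]))
        elif e["type"] == "registry" and e["op"] == "SetValue":
            if _RUN_KEY.search(e["key"]) and _CMD_START.search(e["data"]):
                hits.append(("run_key_via_cmd_start", e["pid"], e["key"]))
            if _LINKED.search(e["key"]) and e["data"].strip() == "1":
                hits.append(("enable_linked_connections", e["pid"], e["key"]))
    return hits


def rule_names(events):
    """Distinct rule names that fired, sorted, for a quick verdict."""
    return sorted({h[0] for h in evaluate(events)})


if __name__ == "__main__":
    for rule, pid, evidence in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {evidence}")
```

Two caveats from this report's own data: the self-delete command names the dropper by its 8.3 short name (AD3A9D~1.EXE), so a rule keyed on the long file name would miss it; and EnableLinkedConnections=1 is a legitimate administrative setting (it makes drives mapped under the user's standard token visible to the elevated token), so on its own it is weak, but written by a process that has just deleted shadow copies it is strong corroboration that network shares are the next target.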
Processes
(PIDs taken from the SetThreadContext and WriteProcessMemory records above)

C:\Users\Admin\AppData\Local\Temp\ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe  (PID 204)
  "C:\Users\Admin\AppData\Local\Temp\ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe  (PID 2168, same image relaunched by PID 204)
    "C:\Users\Admin\AppData\Local\Temp\ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\jelkcqlbavue.exe  (PID 1324)
      C:\Windows\jelkcqlbavue.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\jelkcqlbavue.exe  (PID 5064, same image relaunched by PID 1324)
        C:\Windows\jelkcqlbavue.exe
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\System32\wbem\WMIC.exe  (PID 5100)
          "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 3632)
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD3A9D~1.EXE
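The tree above can be rebuilt from the SetThreadContext and WriteProcessMemory records in the Signatures section. The following Python is an added example, not part of the report: it parses one copy of each distinct record (the report repeats each pair), treats a creator's memory writes as the parent-child relation, and flags a child that receives both a memory write and a thread-context change from a same-image parent as the hollowed process. The record wording is the report's own; the parent inference and the hollowing heuristic are this example's assumptions.

```python
"""Rebuild the injection chain from SetThreadContext / WriteProcessMemory records.

Added example, not part of the sandbox report. RECORDS holds one line per
distinct pair in the report's own wording; the creator->child inference from
memory writes and the same-image hollowing heuristic are assumptions.
"""
import re
from collections import defaultdict

# Copied from the report: "PID <src> <action> <dst> <src> <src image> <dst image>".
RECORDS = """
PID 204 set thread context of 2168 204 ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 1324 set thread context of 5064 1324 jelkcqlbavue.exe jelkcqlbavue.exe
PID 204 wrote to memory of 2168 204 ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe
PID 2168 wrote to memory of 1324 2168 ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe jelkcqlbavue.exe
PID 2168 wrote to memory of 3632 2168 ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8.exe cmd.exe
PID 1324 wrote to memory of 5064 1324 jelkcqlbavue.exe jelkcqlbavue.exe
PID 5064 wrote to memory of 5100 5064 jelkcqlbavue.exe WMIC.exe
"""

# The source PID is repeated after the target PID; \1 enforces that.
_REC = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$")


def parse(text):
    """Return (images: pid -> image name, edges: set of (src, dst, 'ctx'|'wpm'))."""
    images, edges = {}, set()
    for line in text.strip().splitlines():
        m = _REC.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        src, action, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        images[src], images[dst] = src_img, dst_img
        edges.add((src, dst, "ctx" if action.startswith("set") else "wpm"))
    return images, edges


def hollowed_children(text):
    """PIDs that received both a memory write and a thread-context change from a same-image parent."""
    images, edges = parse(text)
    wpm = {(s, d) for s, d, a in edges if a == "wpm"}
    ctx = {(s, d) for s, d, a in edges if a == "ctx"}
    return sorted(d for s, d in wpm & ctx if images[s] == images[d])


def lineage(text):
    """(depth, pid, image) rows, root first, using memory writes as the parent relation."""
    images, edges = parse(text)
    children = defaultdict(list)
    for s, d, a in edges:
        if a == "wpm":
            children[s].append(d)
    roots = [p for p in images if all(p != d for _, d, _ in edges)]

    def walk(p, depth):
        yield (depth, p, images[p])
        for c in sorted(children[p]):
            yield from walk(c, depth + 1)

    return [row for r in sorted(roots) for row in walk(r, 0)]


if __name__ == "__main__":
    hollow = set(hollowed_children(RECORDS))
    for depth, pid, image in lineage(RECORDS):
        tag = "  <- hollowed" if pid in hollow else ""
        print(f"{'  ' * depth}{pid} {image}{tag}")
```

The recovered order matches the tree above: 204 -> 2168 (hollowed) -> 1324 -> 5064 (hollowed) -> 5100 WMIC.exe, with 3632 cmd.exe also under 2168. The two hollowed children are the processes actually running the payload, which is why the sandbox attributes the file drops, registry writes and the WMIC launch to 2168 and 5064 rather than to 204 or 1324; a detection that keys only on the first process of each image would see a benign-looking stub.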
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\jelkcqlbavue.exe
Filesize
372KB
MD5
7de1750d1c18abc7625d3aa4c0647d96
SHA1
474e30032017bd76d9c44df06b3f779f404d7823
SHA256
ad3a9d7402d494048c934b5af612bdf8da822fa7b22e57b8fe48e98a92f772b8
SHA512
f7344382d112dcf8cfef8a390dbf313618880fa4017a31e63f72c4e11d647451333731433eb4f08cedcd371bae3d5f327f0b2c19bb64026edbff092adfd57746
(identical hashes to the submitted sample: the dropped file is a byte-for-byte copy of the original)
memory/204-137-0x0000000000E80000-0x0000000000E83000-memory.dmp  Filesize 12KB
memory/204-132-0x0000000000E80000-0x0000000000E83000-memory.dmp  Filesize 12KB
memory/204-133-0x0000000000E80000-0x0000000000E83000-memory.dmp  Filesize 12KB
memory/1324-145-0x0000000000980000-0x0000000000983000-memory.dmp  Filesize 12KB
memory/1324-139-0x0000000000000000-mapping.dmp
memory/2168-144-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/2168-134-0x0000000000000000-mapping.dmp
memory/2168-142-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/2168-136-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/2168-135-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/2168-138-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/3632-143-0x0000000000000000-mapping.dmp
memory/5064-146-0x0000000000000000-mapping.dmp
memory/5064-149-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/5064-150-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/5064-151-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/5064-152-0x0000000000400000-0x0000000000485000-memory.dmp  Filesize 532KB
memory/5100-153-0x0000000000000000-mapping.dmp