Analysis
- max time kernel: 154s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 04:16

Static task: static1

Behavioral task: behavioral1
- Sample: d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe
- Resource: win10v2004-20220901-en

General
- Target: d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe
- Size: 229KB
- MD5: ca59e1d9b1d33ce3490269ce3766974d
- SHA1: f5d3ecef61077dabebb19ac095c29eff37878d4c
- SHA256: d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25
- SHA512: 4d9a69c08f15545bbb5e1ec345affea1bf58080672c3fda45b18aa606fcfd00edef73d86a93816ea6d8de66e9dd87a391faea89894e6be70975d0e7d9adc2457
- SSDEEP: 6144:88dNXSEpBIDTskaBiS6e5l9mmbvuSVAJEviKsv3Di5qVOtn:npqESS6e5lEumSVhpoDi5P9
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Loads dropped DLL 4 IoCs
Processes:
  pid   process
  900   d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe (4 entries, one per loaded DLL)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description       ioc                                                                                                   process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inpcwqug = "\"C:\\Windows\\ewilukom.exe\""   explorer.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                       explorer.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
  description         ioc                                                                                  process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                            pid    process                                                                   target process
  PID 900 set thread context of 2004     900    d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe    d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe
  PID 2004 set thread context of 1932    2004   d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe    explorer.exe
-
Drops file in Windows directory 2 IoCs
Processes:
  description                     ioc                        process
  File opened for modification    C:\Windows\ewilukom.exe    explorer.exe
  File created                    C:\Windows\ewilukom.exe    explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid    process
  1376   vssadmin.exe
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes:
  description       ioc                                                                                                                          process
  Key created       \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter                explorer.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"   explorer.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"   explorer.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                  pid    process
  Token: SeBackupPrivilege     1164   vssvc.exe
  Token: SeRestorePrivilege    1164   vssvc.exe
  Token: SeAuditPrivilege      1164   vssvc.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
  description                        pid    process                                                                   target process                                                            entries
  PID 900 wrote to memory of 2004    900    d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe    d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe    11
  PID 2004 wrote to memory of 1932   2004   d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe    explorer.exe                                                              5
  PID 1932 wrote to memory of 1376   1932   explorer.exe                                                              vssadmin.exe                                                              4
Processes
- C:\Users\Admin\AppData\Local\Temp\d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d9927fe092ccf71305cfb5b97b7306e78597af99b9313f5a855f569c491dcc25.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\idumewitynofyran\01000000
Filesize: 229KB
MD5: 4987c1ffe03a013f9bd9ab38599a05af
SHA1: 9793d28110d114c6dfc6fb5de4ceef5b627012af
SHA256: 81cc81cd99e56c3ed5823f07694352ef7f83b9e1b2aad863c1707ebc0aab53ac
SHA512: 5b821f63053053c796cbf4acf09260e04a962b1062ea9886540bd3be846ccff31dad1e0132d48d01ba3217af12c9aae65a48db16958aa577093bce4518bc080b
-
\Users\Admin\AppData\Local\Temp\nso194D.tmp\UserInfo.dll
Filesize: 4KB
MD5: d9a3fc12d56726dde60c1ead1df366f7
SHA1: f531768159c14f07ac896437445652b33750a237
SHA256: 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
SHA512: 6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
-
\Users\Admin\AppData\Local\Temp\nso194D.tmp\ane.dll
Filesize: 29KB
MD5: 1f1ac338ebc0e5fa49ffeb78f40d6b5b
SHA1: b911254b50654927d34770507d2bcf0a8d44a780
SHA256: 9ae8e14b33d7e34ea602e45ac9e5af87f5184379afe7b99164b627f031171cd1
SHA512: 633a7839abd053a9fecc85d1ff0d2a4d09ab61350c47aceef3c221034b6a84a552c26c7d40333c16192374a70a9ea8c0797dad8962e21b7b8366ea2bee666487
-
memory/900-54-0x0000000076121000-0x0000000076123000-memory.dmp (Filesize: 8KB)
-
memory/1376-84-0x0000000000000000-mapping.dmp
-
memory/1932-74-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
-
memory/1932-85-0x0000000072771000-0x0000000072773000-memory.dmp (Filesize: 8KB)
-
memory/1932-83-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
-
memory/1932-86-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
-
memory/1932-80-0x0000000074D71000-0x0000000074D73000-memory.dmp (Filesize: 8KB)
-
memory/1932-78-0x000000000009A140-mapping.dmp
-
memory/1932-76-0x0000000000080000-0x00000000000BC000-memory.dmp (Filesize: 240KB)
-
memory/2004-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-73-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-72-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-69-0x000000000040A61E-mapping.dmp
-
memory/2004-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-82-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-65-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-59-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
-
memory/2004-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)