Analysis
max time kernel: 154s
max time network: 191s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 04:16
Static task: static1
Behavioral task: behavioral1
  Sample: bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
  Resource: win10v2004-20220901-en
General
Target: bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
Size: 263KB
MD5: 1d578c11069c7446ca6d05ff7623a972
SHA1: 252759f5d85c024fd19fedc2626b985d9ddd5e21
SHA256: bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded
SHA512: 254163628075ac979342769c17db709c5ba7c0a8711f05e77ce10b90fceb50621c7e08d300b353af0b61d5f2099c5d67a8e9eefbbb2937c54e04ba041b96b3ba
SSDEEP: 6144:88dNXSEpwxSHrJDfRiBhzNCEQAI6jAHtb1sTJKq4Cv2uv:np4SHTczNCEQB6jQeJv2uv
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Loads dropped DLL 4 IoCs
Processes (pid | process):
1184 | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
1184 | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
1184 | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
1184 | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atezeved = "\"C:\\Windows\\ezilylis.exe\"" | explorer.exe
-
Checks whether UAC is enabled
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description | pid | process | target process):
PID 1184 set thread context of 960 | 1184 | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe
PID 960 set thread context of 692 | 960 | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe | explorer.exe
-
Drops file in Windows directory 2 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\ezilylis.exe | explorer.exe
File created | C:\Windows\ezilylis.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid | process):
608 | vssadmin.exe
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PhishingFilter | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description | pid | process):
Token: SeBackupPrivilege | 1520 | vssvc.exe
Token: SeRestorePrivilege | 1520 | vssvc.exe
Token: SeAuditPrivilege | 1520 | vssvc.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description | pid | process | target process):
PID 1184 wrote to memory of 960 | 1184 | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe (11 identical rows)
PID 960 wrote to memory of 692 | 960 | bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe | explorer.exe (5 identical rows)
PID 692 wrote to memory of 608 | 692 | explorer.exe | vssadmin.exe (4 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bee59e28496dc0ba496c1135356771c7e85256f87c13c347a1f16a4187e71ded.exe"
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (depth 3)
      Command line: "C:\Windows\system32\explorer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer Phishing Filter
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe (depth 4)
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\idumewitynofyran\01000000
Filesize: 263KB
MD5: b9f10019e10e5671d5f91d236055aea5
SHA1: 225585d8faf8fbf068ca4c482e158185f0dc461a
SHA256: 598fefc6255acc4bca4e854c4ffa31f8896dc18821efe3cb367c7b144dd432fc
SHA512: 4519c056fe7b3d5da4947faf9bb4f811c41317b39fc7039ac6b5d4d63a33ecf78a8a7304273e30fa2993cb1460aeb29a9ea390b170c89a89099b7a95ed9fa75c
-
\Users\Admin\AppData\Local\Temp\nsyB4C1.tmp\UserInfo.dll
Filesize: 4KB
MD5: d9a3fc12d56726dde60c1ead1df366f7
SHA1: f531768159c14f07ac896437445652b33750a237
SHA256: 401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a
SHA512: 6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51
-
\Users\Admin\AppData\Local\Temp\nsyB4C1.tmp\sarongs.dll
Filesize: 224KB
MD5: e904468f46fb32b65bff12f6374b929b
SHA1: a7d8a02be67c4154d72fd9bca65ea9b10ba3ffc9
SHA256: c7e716ed797191bcc80a86000f936331c54cafd1ab704b0a0cac50c8b6b136fb
SHA512: 517ca85dceec697da20422d4c53e9c72165f929b4b3b8d5d8bd336e6edd60cf20afd6c264dd1bf2d37d87fe9eee3dfc8feaad12eb6b44b375a55dccdbd388a7d
-
memory/608-84-0x0000000000000000-mapping.dmp
-
memory/692-74-0x00000000000F0000-0x000000000012C000-memory.dmp
Filesize: 240KB
-
memory/692-85-0x0000000072D41000-0x0000000072D43000-memory.dmp
Filesize: 8KB
-
memory/692-83-0x00000000000F0000-0x000000000012C000-memory.dmp
Filesize: 240KB
-
memory/692-80-0x00000000752A1000-0x00000000752A3000-memory.dmp
Filesize: 8KB
-
memory/692-76-0x00000000000F0000-0x000000000012C000-memory.dmp
Filesize: 240KB
-
memory/692-78-0x000000000010A140-mapping.dmp
-
memory/960-60-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-72-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-73-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-69-0x000000000040A61E-mapping.dmp
-
memory/960-68-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-66-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-65-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-82-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-64-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-62-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/960-59-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/1184-54-0x00000000767F1000-0x00000000767F3000-memory.dmp
Filesize: 8KB