Analysis
max time kernel: 160s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 08:01
Static task: static1
Behavioral task: behavioral1
  Sample: MensajePdf_____________________________________________________________.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: MensajePdf_____________________________________________________________.exe
  Resource: win10v2004-20220812-en
General
Target: MensajePdf_____________________________________________________________.exe
Size: 313KB
MD5: 97b0a298b70cbb33056e43cd3360a096
SHA1: a6ccdae016b8330c0ff44a694b44108f37eea595
SHA256: 78167371bd593b20a32902f0e3182d892b047521a1185904305671b6bafd51ab
SHA512: 89c7e317b11579e636aa07b3e50d110ec23f0d5e10fedf90543f1d9ca291871ea7337c7adfeef49377eaaa7ec607f05103ee339495a39a49533fbee2014f4f1a
SSDEEP: 6144:l24g1A0OvpVXJ8Q0T2c/H+csQMxnw9OoteG7qIEjp/4UQ1Ms:84g1A0OvDJI2c3sQNIotjup91
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uxorupig = "C:\\Windows\\gwhtycoj.exe" (explorer.exe)
Checks whether UAC is enabled
  Processes: MensajePdf_____________________________________________________________.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (MensajePdf_____________________________________________________________.exe)
Suspicious use of SetThreadContext (1 IoCs)
  Processes: MensajePdf_____________________________________________________________.exe
  PID 3940 set thread context of PID 776 (MensajePdf_____________________________________________________________.exe -> explorer.exe)
Drops file in Windows directory (2 IoCs)
  Processes: explorer.exe
  File opened for modification: C:\Windows\gwhtycoj.exe (explorer.exe)
  File created: C:\Windows\gwhtycoj.exe (explorer.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  PID 1060 vssadmin.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  Token: SeBackupPrivilege (PID 1452 vssvc.exe)
  Token: SeRestorePrivilege (PID 1452 vssvc.exe)
  Token: SeAuditPrivilege (PID 1452 vssvc.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: MensajePdf_____________________________________________________________.exe, explorer.exe
  PID 3940 wrote to memory of PID 776 (MensajePdf_____________________________________________________________.exe -> explorer.exe)
  PID 3940 wrote to memory of PID 776 (MensajePdf_____________________________________________________________.exe -> explorer.exe)
  PID 3940 wrote to memory of PID 776 (MensajePdf_____________________________________________________________.exe -> explorer.exe)
  PID 3940 wrote to memory of PID 776 (MensajePdf_____________________________________________________________.exe -> explorer.exe)
  PID 776 wrote to memory of PID 1060 (explorer.exe -> vssadmin.exe)
  PID 776 wrote to memory of PID 1060 (explorer.exe -> vssadmin.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\MensajePdf_____________________________________________________________.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MensajePdf_____________________________________________________________.exe"
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\system32\explorer.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\ewosolyzuhobytal\01000000
  Filesize: 313KB
  MD5: 179c3daef6cad1c34bdf0aab7118f0d4
  SHA1: 19a933977f51f3a5b23dc17bf28a38e966b590d0
  SHA256: 3c044157e5e1995baa6d0a97d9033822ce19324323f4e0ed8248ec934f0d6379
  SHA512: 61391f37feae2f0842318a4cc7a29df9873f13abff8da544b2a4f772b073c07f25f8ca811057b81daaf3ff43bf592a7da2c44afb4548670da6b49efe9c512e53
memory/776-135-0x0000000000000000-mapping.dmp
memory/776-136-0x0000000000760000-0x000000000079B000-memory.dmp
  Filesize: 236KB
memory/776-138-0x0000000000760000-0x000000000079B000-memory.dmp
  Filesize: 236KB
memory/776-141-0x0000000000760000-0x000000000079B000-memory.dmp
  Filesize: 236KB
memory/1060-140-0x0000000000000000-mapping.dmp
memory/3940-132-0x0000000002980000-0x0000000002AD5000-memory.dmp
  Filesize: 1.3MB
memory/3940-133-0x0000000000400000-0x0000000000455000-memory.dmp
  Filesize: 340KB