748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

Analysis

max time kernel
155s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe
Size

654KB
MD5

9cd4cebf8b04cd6864b59e4c0cf4aafa
SHA1

2287faa3026c5981f3796268112998ac1c06c5d3
SHA256

748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7
SHA512

03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d
SSDEEP

12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI

Score

8^/10

ransomware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ovfgrqj.exe

pid process

4292 ovfgrqj.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ReadSave.CRW.wkjfrmb svchost.exe

pid	process
4292	ovfgrqj.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ReadSave.CRW.wkjfrmb	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exeovfgrqj.exe

pid	process
1136	748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe
1136	748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe
4292	ovfgrqj.exe
4292	ovfgrqj.exe
4292	ovfgrqj.exe
4292	ovfgrqj.exe
4292	ovfgrqj.exe
4292	ovfgrqj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ovfgrqj.exe

description pid process

Token: SeDebugPrivilege 4292 ovfgrqj.exe

description	pid	process
Token: SeDebugPrivilege	4292	ovfgrqj.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ovfgrqj.exesvchost.exe

description	pid	process	target process
PID 4292 wrote to memory of 792	4292	ovfgrqj.exe	svchost.exe
PID 792 wrote to memory of 4308	792	svchost.exe	wmiprvse.exe
PID 792 wrote to memory of 4308	792	svchost.exe	wmiprvse.exe
PID 792 wrote to memory of 4100	792	svchost.exe	DllHost.exe
PID 792 wrote to memory of 4100	792	svchost.exe	DllHost.exe
PID 792 wrote to memory of 1688	792	svchost.exe	mousocoreworker.exe
PID 792 wrote to memory of 1688	792	svchost.exe	mousocoreworker.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:4308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:4100

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe
"C:\Users\Admin\AppData\Local\Temp\748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\qzqqxbc
Filesize
654B

MD5
c45e06935a08de2a8e1125673d67492b

SHA1
64cf26aa88f58663db90eef1d749352080d84042

SHA256
84036fa641b9e74a57226528e8bdc2da0d0f37fa3ed252af6f49a7785c63122c

SHA512
73b792a8317938fa6fc6ebc84fd075286a20fd9fd67bd450715964c7249985ae709a92a576ef03fa6a3c39b4415c7762a6690e1c94fa63f4bf8f6ff341c40cce

Download Submit
C:\ProgramData\Mozilla\qzqqxbc
Filesize
654B

MD5
c45e06935a08de2a8e1125673d67492b

SHA1
64cf26aa88f58663db90eef1d749352080d84042

SHA256
84036fa641b9e74a57226528e8bdc2da0d0f37fa3ed252af6f49a7785c63122c

SHA512
73b792a8317938fa6fc6ebc84fd075286a20fd9fd67bd450715964c7249985ae709a92a576ef03fa6a3c39b4415c7762a6690e1c94fa63f4bf8f6ff341c40cce

Download Submit
C:\ProgramData\Mozilla\qzqqxbc
Filesize
654B

MD5
f846a1f212b617bc1556236e941bcd8c

SHA1
5b56561892a25f5b2584fe774781c8ba380a7e4f

SHA256
9654c840b232bb13b31b99c701bd0536ebfa948de98605a30064a126126c77f0

SHA512
04bb67ed17ff1dc506627cb877ba451370cd5d6dbc64aa432f6e87a558cc32e238d65e7f93dd1b7fa280cd711844ad352606e62f91021b4713de846be8d23586

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
Filesize
654KB

MD5
9cd4cebf8b04cd6864b59e4c0cf4aafa

SHA1
2287faa3026c5981f3796268112998ac1c06c5d3

SHA256
748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

SHA512
03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovfgrqj.exe
Filesize
654KB

MD5
9cd4cebf8b04cd6864b59e4c0cf4aafa

SHA1
2287faa3026c5981f3796268112998ac1c06c5d3

SHA256
748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

SHA512
03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

Download Submit
memory/792-138-0x0000000014010000-0x0000000014087000-memory.dmp

Filesize
476KB

Download
memory/1136-132-0x0000000000940000-0x0000000000B5A000-memory.dmp

Filesize
2.1MB

Download
memory/1136-133-0x0000000000B60000-0x0000000000DAB000-memory.dmp

Filesize
2.3MB

Download
memory/1688-144-0x0000000000000000-mapping.dmp

Download
memory/4100-143-0x0000000000000000-mapping.dmp

Download
memory/4292-137-0x00000000013D0000-0x000000000161B000-memory.dmp

Filesize
2.3MB

Download
memory/4308-142-0x0000000000000000-mapping.dmp

Download