Overview

overview

9

Static

static

3

9b1da81048...db.exe

windows7-x64

9

9b1da81048...db.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2023 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b1da810487cdcb458d46f394f561fdb.exe

  • Size

    766KB

  • MD5

    9b1da810487cdcb458d46f394f561fdb

  • SHA1

    b8fbf9babf7182cf7dd1e6039e4c2a072a4df70c

  • SHA256

    4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1

  • SHA512

    babbecf43d00e1cfe58b9b3d2895993624e62f136178f64616f43e49c1006dc9d64d6e2dcfa3b88434ad9b9790270aa063236deaaf92022d8b3ebeaa42efd7fc

  • SSDEEP

    12288:CH+pDu9YrDQKiXEfiVzhY1Iys0P9ckgveteiZLnfHSoGKmeVd8kyBwvBH4JVJ:Ce0sDNiUfiPgI91kgveYAHSoGoWeOVJ

Score
9/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b1da810487cdcb458d46f394f561fdb.exe
    "C:\Users\Admin\AppData\Local\Temp\9b1da810487cdcb458d46f394f561fdb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\9b1da810487cdcb458d46f394f561fdb.exe
      "C:\Users\Admin\AppData\Local\Temp\9b1da810487cdcb458d46f394f561fdb.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Modifies Internet Explorer Phishing Filter
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\SYSTEM32\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:3372
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\aduqeliginopicah\01000000
    Filesize

    766KB

    MD5

    b08099f62223f6fcb24b05adcbbc74ad

    SHA1

    af92c74915e34d1d63d03783132d424848843de5

    SHA256

    659aa6c68411cdbcfd6053ec3db63a4b3b2ceedeba3b21488b8690e3259d8e38

    SHA512

    5dd58501fc459b0bd3d742a022cf5a10cfb8d3d699f8e1d7394ee3e217e8be25f9253cea61ad4978a76b0471c3e0f338a9ec06f19bdc402eefc84cd0b5a40e27

    Download Submit

  • memory/2532-0-0x0000000002270000-0x0000000002271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-1-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2532-3-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

    Download

  • memory/3900-6-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3900-5-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3900-4-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3900-14-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3900-2-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4536-8-0x00000000004D0000-0x000000000050C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4536-19-0x00000000004D0000-0x000000000050C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4536-20-0x00000000004D0000-0x000000000050C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4536-17-0x00000000004D0000-0x000000000050C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4536-10-0x00000000004D0000-0x000000000050C000-memory.dmp

    Filesize

    240KB

    Download