Overview

overview

8

Static

static

3

67b78d6833...e2.exe

windows7-x64

67b78d6833...e2.exe

windows10-2004-x64

Analysis

  • max time kernel
    7s
  • max time network
    7s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    19-01-2024 13:20

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    67b78d68337844c4ce0c585851b633e2.exe

  • Size

    39KB

  • MD5

    67b78d68337844c4ce0c585851b633e2

  • SHA1

    e356526d53a8f1bef9587544c46af4035d31d7f8

  • SHA256

    d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28

  • SHA512

    0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be

  • SSDEEP

    384:bZk4nwCxOnBpWP0Gre5dHMvjNk4UIgeOdCAH2N7gt/V5bd2ChRl9mmu1ZPeic:bZhwCepW1re5arXAHr/Lbd2Pmbi

Score
8/10
evasion

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2.exe
    "C:\Users\Admin\AppData\Local\Temp\67b78d68337844c4ce0c585851b633e2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Disables RegEdit via registry modification
      • Deletes itself
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
        3⤵
          PID:1840
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown.exe -r -f -t 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3064
        • C:\Users\Admin\AppData\Local\Temp\DF0AC804A0483CF409AB.exe
          C:\Users\Admin\AppData\Local\Temp\DF0AC804A0483CF409AB.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3068
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            4⤵
              PID:2000
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000570"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        1⤵
          PID:1940
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x1
          1⤵
            PID:1444

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\DF0AC804A0483CF409AB.exe
            Filesize

            39KB

            MD5

            67b78d68337844c4ce0c585851b633e2

            SHA1

            e356526d53a8f1bef9587544c46af4035d31d7f8

            SHA256

            d1bf365dc4132fb562fb99e01e3613ed2a3548d5af74a810debacb7da8bf4e28

            SHA512

            0b4ce217d00d6f1f76700a15aeae9cbf91a88f3e4ec96806e4f45b04480f19b734151fd74934921d8cf08ea702b49c4f88682df446d8330c6486e9169e8ec0be

            Download Submit
          • memory/1444-27-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1940-26-0x0000000002E10000-0x0000000002E11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2000-16-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2000-21-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2000-23-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2264-0-0x0000000000020000-0x0000000000026000-memory.dmp
            Filesize

            24KB

            Download
          • memory/2264-3-0x0000000000400000-0x0000000000413000-memory.dmp
            Filesize

            76KB

            Download
          • memory/2468-1-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2468-2-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2468-17-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/3068-15-0x0000000000400000-0x0000000000413000-memory.dmp
            Filesize

            76KB

            Download