Overview

overview

8

Static

static

3

92b12fe648...5d.exe

windows7-x64

92b12fe648...5d.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    15s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    05-02-2024 18:30

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    92b12fe648b47778e2a4650c5879435d.exe

  • Size

    26KB

  • MD5

    92b12fe648b47778e2a4650c5879435d

  • SHA1

    ead32e4e4792f5f1ae793e1faa9b5c62a0c83bfd

  • SHA256

    12f4a3d856f41dd24cc6affed8739851d837a317f6eadbed2f943fd5853d9025

  • SHA512

    886f7f8317b54cc77aeebe9bf9ab0b805e3561c0d588fdfab2a268eeedf97169cb32a40082fd09bbfb7d089c85f01b5fd7ec1843c0cd5ec9964a2b45ca30fa53

  • SSDEEP

    768:iykaN68NHRVVA4Tc6ArEbrlHT7OJV0Ex:iykaw8PVJAr+HTCJC

Score
8/10
evasion

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\92b12fe648b47778e2a4650c5879435d.exe
    "C:\Users\Admin\AppData\Local\Temp\92b12fe648b47778e2a4650c5879435d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\92b12fe648b47778e2a4650c5879435d.exe
      C:\Users\Admin\AppData\Local\Temp\92b12fe648b47778e2a4650c5879435d.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Disables RegEdit via registry modification
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\reg.exe
          reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
          4⤵
            PID:2112
          • C:\Windows\SysWOW64\shutdown.exe
            shutdown.exe -r -f -t 0
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2936
          • C:\Users\Admin\AppData\Local\Temp\03192A897B73CCFF8646.exe
            C:\Users\Admin\AppData\Local\Temp\03192A897B73CCFF8646.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Modifies Control Panel
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Users\Admin\AppData\Local\Temp\03192A897B73CCFF8646.exe
              C:\Users\Admin\AppData\Local\Temp\03192A897B73CCFF8646.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2524
              • C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                6⤵
                  PID:1192
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "00000000000005AC"
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:1220
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        1⤵
          PID:868
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x1
          1⤵
            PID:2132

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\03192A897B73CCFF8646.exe
            Filesize

            26KB

            MD5

            92b12fe648b47778e2a4650c5879435d

            SHA1

            ead32e4e4792f5f1ae793e1faa9b5c62a0c83bfd

            SHA256

            12f4a3d856f41dd24cc6affed8739851d837a317f6eadbed2f943fd5853d9025

            SHA512

            886f7f8317b54cc77aeebe9bf9ab0b805e3561c0d588fdfab2a268eeedf97169cb32a40082fd09bbfb7d089c85f01b5fd7ec1843c0cd5ec9964a2b45ca30fa53

            Download Submit
          • memory/868-43-0x00000000029C0000-0x00000000029C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1192-38-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1192-45-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1192-42-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1192-36-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1732-18-0x0000000000100000-0x000000000010A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/1732-34-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1732-10-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1732-11-0x000000007EFA0000-0x000000007EFAE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2064-1-0x0000000000240000-0x000000000024A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2064-6-0x0000000000400000-0x000000000040A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2064-0-0x0000000000400000-0x000000000040A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2068-2-0x0000000000400000-0x0000000000411000-memory.dmp
            Filesize

            68KB

            Download
          • memory/2068-9-0x0000000000400000-0x0000000000411000-memory.dmp
            Filesize

            68KB

            Download
          • memory/2068-8-0x0000000000400000-0x0000000000411000-memory.dmp
            Filesize

            68KB

            Download
          • memory/2068-3-0x0000000000400000-0x0000000000411000-memory.dmp
            Filesize

            68KB

            Download
          • memory/2068-4-0x0000000000400000-0x0000000000411000-memory.dmp
            Filesize

            68KB

            Download
          • memory/2132-48-0x0000000002760000-0x0000000002761000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2524-39-0x0000000000400000-0x0000000000411000-memory.dmp
            Filesize

            68KB

            Download
          • memory/2756-26-0x0000000000400000-0x000000000040A000-memory.dmp
            Filesize

            40KB

            Download