5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5

Analysis

max time kernel
56s
max time network
60s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 22:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe
Size

50KB
MD5

381da20afb7a5cfd4c7574faea82da3a
SHA1

34458e430b147540a508474e6531016540bb4bf0
SHA256

5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5
SHA512

974258bb044869ceb6cc90062f1d10e8586a945cc87b106971d98686d50d43e95f41781be81e06161acd1c9d3fdac8229b02157311d13c0e8839411d3bf97451
SSDEEP

768:LZ+Zxe90i19C92eocaWTmNtY6coZOu5dGcTYKBZUkhkPZoMi/M6rm0ZO:LaiZ19C92eocaWTKtNJZOu5EFgZHQ816

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2948	bcdedit.exe
592	bcdedit.exe
268	bcdedit.exe
580	bcdedit.exe
2404	bcdedit.exe
1944	bcdedit.exe
1796	bcdedit.exe
1076	bcdedit.exe
1352	bcdedit.exe
1608	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\f76b7bb.sys	utokwu.exe

Executes dropped EXE 3 IoCs

pid	Process
3012	lcm.exe
2444	lsias.exe
2472	utokwu.exe

Loads dropped DLL 4 IoCs

pid	Process
3048	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe
3048	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe
3012	lcm.exe
2444	lsias.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Utokwu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Fyik\\utokwu.exe"	utokwu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2508	2444	lsias.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2444	lsias.exe
2472	utokwu.exe
2472	utokwu.exe
2472	utokwu.exe
2472	utokwu.exe
2472	utokwu.exe
2472	utokwu.exe
2472	utokwu.exe
2472	utokwu.exe
2472	utokwu.exe
2472	utokwu.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2472	utokwu.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2444	lsias.exe
2472	utokwu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3012	3048	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe	28
PID 3048 wrote to memory of 3012	3048	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe	28
PID 3048 wrote to memory of 3012	3048	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe	28
PID 3048 wrote to memory of 3012	3048	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe	28
PID 3012 wrote to memory of 2444	3012	lcm.exe	30
PID 3012 wrote to memory of 2444	3012	lcm.exe	30
PID 3012 wrote to memory of 2444	3012	lcm.exe	30
PID 3012 wrote to memory of 2444	3012	lcm.exe	30
PID 2444 wrote to memory of 2472	2444	lsias.exe	31
PID 2444 wrote to memory of 2472	2444	lsias.exe	31
PID 2444 wrote to memory of 2472	2444	lsias.exe	31
PID 2444 wrote to memory of 2472	2444	lsias.exe	31
PID 2472 wrote to memory of 2948	2472	utokwu.exe	32
PID 2472 wrote to memory of 2948	2472	utokwu.exe	32
PID 2472 wrote to memory of 2948	2472	utokwu.exe	32
PID 2472 wrote to memory of 2948	2472	utokwu.exe	32
PID 2472 wrote to memory of 592	2472	utokwu.exe	33
PID 2472 wrote to memory of 592	2472	utokwu.exe	33
PID 2472 wrote to memory of 592	2472	utokwu.exe	33
PID 2472 wrote to memory of 592	2472	utokwu.exe	33
PID 2472 wrote to memory of 580	2472	utokwu.exe	34
PID 2472 wrote to memory of 580	2472	utokwu.exe	34
PID 2472 wrote to memory of 580	2472	utokwu.exe	34
PID 2472 wrote to memory of 580	2472	utokwu.exe	34
PID 2472 wrote to memory of 268	2472	utokwu.exe	35
PID 2472 wrote to memory of 268	2472	utokwu.exe	35
PID 2472 wrote to memory of 268	2472	utokwu.exe	35
PID 2472 wrote to memory of 268	2472	utokwu.exe	35
PID 2472 wrote to memory of 2404	2472	utokwu.exe	37
PID 2472 wrote to memory of 2404	2472	utokwu.exe	37
PID 2472 wrote to memory of 2404	2472	utokwu.exe	37
PID 2472 wrote to memory of 2404	2472	utokwu.exe	37
PID 2472 wrote to memory of 1944	2472	utokwu.exe	38
PID 2472 wrote to memory of 1944	2472	utokwu.exe	38
PID 2472 wrote to memory of 1944	2472	utokwu.exe	38
PID 2472 wrote to memory of 1944	2472	utokwu.exe	38
PID 2472 wrote to memory of 1796	2472	utokwu.exe	40
PID 2472 wrote to memory of 1796	2472	utokwu.exe	40
PID 2472 wrote to memory of 1796	2472	utokwu.exe	40
PID 2472 wrote to memory of 1796	2472	utokwu.exe	40
PID 2472 wrote to memory of 1076	2472	utokwu.exe	41
PID 2472 wrote to memory of 1076	2472	utokwu.exe	41
PID 2472 wrote to memory of 1076	2472	utokwu.exe	41
PID 2472 wrote to memory of 1076	2472	utokwu.exe	41
PID 2472 wrote to memory of 1352	2472	utokwu.exe	42
PID 2472 wrote to memory of 1352	2472	utokwu.exe	42
PID 2472 wrote to memory of 1352	2472	utokwu.exe	42
PID 2472 wrote to memory of 1352	2472	utokwu.exe	42
PID 2472 wrote to memory of 1608	2472	utokwu.exe	43
PID 2472 wrote to memory of 1608	2472	utokwu.exe	43
PID 2472 wrote to memory of 1608	2472	utokwu.exe	43
PID 2472 wrote to memory of 1608	2472	utokwu.exe	43
PID 2472 wrote to memory of 1116	2472	utokwu.exe	19
PID 2472 wrote to memory of 1116	2472	utokwu.exe	19
PID 2472 wrote to memory of 1116	2472	utokwu.exe	19
PID 2472 wrote to memory of 1116	2472	utokwu.exe	19
PID 2472 wrote to memory of 1116	2472	utokwu.exe	19
PID 2472 wrote to memory of 1172	2472	utokwu.exe	20
PID 2472 wrote to memory of 1172	2472	utokwu.exe	20
PID 2472 wrote to memory of 1172	2472	utokwu.exe	20
PID 2472 wrote to memory of 1172	2472	utokwu.exe	20
PID 2472 wrote to memory of 1172	2472	utokwu.exe	20
PID 2472 wrote to memory of 1200	2472	utokwu.exe	21
PID 2472 wrote to memory of 1200	2472	utokwu.exe	21

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe
  "C:\Users\Admin\AppData\Local\Temp\5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\lcm.exe
    "C:\Users\Admin\AppData\Local\Temp\lcm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\lsias.exe
      "C:\Users\Admin\AppData\Local\Temp\lsias.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\Fyik\utokwu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Fyik\utokwu.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of UnmapMainImage
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2948
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:592
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:580
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:268
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2404
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1944
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1796
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1076
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1352
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\XVA7019.bat"
        5⤵
        
        PID:2508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fyik\utokwu.exe

Filesize
593KB

MD5
e52de097e438cc75589aece0951304c1

SHA1
f5594451e26ef1c111053b9862d50bcda37de35a

SHA256
49975ac43a85667441728f48712f8c2e2bcd450a87654149d00349df61eac575

SHA512
d81fb1f1ef2c6f1f2c67da64aa34e28513f16bf3b3dd3fe1e57c5f0c99d4fb1a2a26980dd57d9b8e46cb9c6e1bfc5b924d6e6bcc0e09ffd86894b6dda73a173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVA7019.bat

Filesize
185B

MD5
daac85d3f5372590292d98fbbf207854

SHA1
00cd4d3101cb555f598234d7fce7d1c78d500b5b

SHA256
044ab3a57555fda93b2abff5751c8c718f59979b0a43c9ffc169913fc131cf6e

SHA512
c9631b58459c5bcaaf06eed54de781751b321a1e9d300f15718dd86d5ca4cb38d7aba987827f976b47665ad6b7b489e05f0c94e0d2cc477b56e9d2fd5014abc3

Download Submit
\Users\Admin\AppData\Local\Temp\lcm.exe

Filesize
50KB

MD5
a3f062366e42df2ce2fbd7f73fb0c47c

SHA1
0f2f2277e12da12f21b7bf32c1716854a955c102

SHA256
9d5259b14ef67de963442801822d598c722667010d0c835847508b9b8aa3b50e

SHA512
9e6ac17121236129692d86d6a250e556459e013dba8e2df0b1d5c46d1b30caacde08df13269820d00651a97d931dcb8e035c8132dba87a12713b057ededc5077

Download Submit
\Users\Admin\AppData\Local\Temp\lsias.exe

Filesize
593KB

MD5
b765fa6dafe847a21badd35b2db70ce0

SHA1
8de082342547052dbe43bf9d9df0ec5fc4586eb9

SHA256
b943dea63930db983b6d4524dbecf76bc94ece24bc68ee69a658c3e05164ffb9

SHA512
4ccdc9bad6e957f5df3f7ccb3cd11085b44fa234334dacbf042ec942ed67b244178681426f85d38d7ca4c5583d5b546a5c43ba6d6c098d5f63522ed06c99c674

Download Submit
memory/1116-44-0x0000000001E00000-0x0000000001E6D000-memory.dmp

Filesize
436KB

Download
memory/1116-41-0x0000000001E00000-0x0000000001E6D000-memory.dmp

Filesize
436KB

Download
memory/1116-43-0x0000000001E00000-0x0000000001E6D000-memory.dmp

Filesize
436KB

Download
memory/1116-45-0x0000000001E00000-0x0000000001E6D000-memory.dmp

Filesize
436KB

Download
memory/1116-42-0x0000000001E00000-0x0000000001E6D000-memory.dmp

Filesize
436KB

Download
memory/1172-47-0x0000000001C50000-0x0000000001CBD000-memory.dmp

Filesize
436KB

Download
memory/1172-50-0x0000000001C50000-0x0000000001CBD000-memory.dmp

Filesize
436KB

Download
memory/1172-48-0x0000000001C50000-0x0000000001CBD000-memory.dmp

Filesize
436KB

Download
memory/1172-49-0x0000000001C50000-0x0000000001CBD000-memory.dmp

Filesize
436KB

Download
memory/1200-53-0x0000000002BB0000-0x0000000002C1D000-memory.dmp

Filesize
436KB

Download
memory/1200-52-0x0000000002BB0000-0x0000000002C1D000-memory.dmp

Filesize
436KB

Download
memory/1200-55-0x0000000002BB0000-0x0000000002C1D000-memory.dmp

Filesize
436KB

Download
memory/1200-54-0x0000000002BB0000-0x0000000002C1D000-memory.dmp

Filesize
436KB

Download
memory/1516-112-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/1992-60-0x00000000027E0000-0x000000000284D000-memory.dmp

Filesize
436KB

Download
memory/1992-59-0x00000000027E0000-0x000000000284D000-memory.dmp

Filesize
436KB

Download
memory/1992-58-0x00000000027E0000-0x000000000284D000-memory.dmp

Filesize
436KB

Download
memory/1992-57-0x00000000027E0000-0x000000000284D000-memory.dmp

Filesize
436KB

Download
memory/2196-122-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2444-75-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2444-19-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2444-63-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2444-66-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2444-65-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2444-67-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2444-68-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2444-69-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2444-70-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2444-26-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2444-76-0x0000000077B90000-0x0000000077B91000-memory.dmp

Filesize
4KB

Download
memory/2444-93-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2444-20-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2444-64-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2444-71-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2444-77-0x0000000000380000-0x00000000003ED000-memory.dmp

Filesize
436KB

Download
memory/2444-74-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2444-73-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2444-72-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2444-21-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2472-82-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2472-80-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2472-121-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2472-40-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2472-110-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/2472-109-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2472-33-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2508-91-0x00000000001F0000-0x000000000025D000-memory.dmp

Filesize
436KB

Download
memory/2508-96-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2508-99-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2508-98-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2508-101-0x0000000077B90000-0x0000000077B91000-memory.dmp

Filesize
4KB

Download
memory/2508-97-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2508-108-0x00000000001F0000-0x000000000025D000-memory.dmp

Filesize
436KB

Download
memory/2508-94-0x00000000001F0000-0x000000000025D000-memory.dmp

Filesize
436KB

Download
memory/2508-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2508-89-0x00000000001F0000-0x000000000025D000-memory.dmp

Filesize
436KB

Download
memory/2508-92-0x00000000001F0000-0x000000000025D000-memory.dmp

Filesize
436KB

Download
memory/2508-85-0x00000000001F0000-0x000000000025D000-memory.dmp

Filesize
436KB

Download
memory/3012-10-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3048-1-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads