526b432752bac2edc49ee4a3cc2428f5d7249fa3afe66deba5d23e12e4bce68c

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rack/5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe
Size

193KB
MD5

30e0b36b2d521349158517b34d4acd78
SHA1

cd42b3395aa69071e9b60bd6760c356ec91478ee
SHA256

5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5
SHA512

ead402fd51d9438d94019d5311e6a82b550e436a30df107a5d78b3a83ef89730a9250c8f5b1f5ba1e77373d94cc8d432ffa3f5d9e3ebb2c813dcb8e1be552722
SSDEEP

3072:9DsjAbUHwEHnhP3UL9QPbOSp6KgT2vGagCJK51YinXp:9DmAAHtx3UL9+bOVKqCJK5mi5

Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uzexyjpb = "C:\\Windows\\oquxekob.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe

description	pid	Process	procid_target
PID 764 set thread context of 2024	764	5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe	31

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description	ioc	Process
File created	C:\Windows\oquxekob.exe	explorer.exe
File opened for modification	C:\Windows\oquxekob.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exeexplorer.exevssadmin.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
2696	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description	pid	Process
Token: SeBackupPrivilege	3064	vssvc.exe
Token: SeRestorePrivilege	3064	vssvc.exe
Token: SeAuditPrivilege	3064	vssvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exeexplorer.exe

description	pid	Process	procid_target
PID 764 wrote to memory of 2024	764	5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe	31
PID 764 wrote to memory of 2024	764	5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe	31
PID 764 wrote to memory of 2024	764	5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe	31
PID 764 wrote to memory of 2024	764	5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe	31
PID 764 wrote to memory of 2024	764	5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe	31
PID 2024 wrote to memory of 2696	2024	explorer.exe	32
PID 2024 wrote to memory of 2696	2024	explorer.exe	32
PID 2024 wrote to memory of 2696	2024	explorer.exe	32
PID 2024 wrote to memory of 2696	2024	explorer.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Rack\5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe
"C:\Users\Admin\AppData\Local\Temp\Rack\5578d702c7fd246e11f71c4edb27b316ca267c6161effab324c9f6e6260bc9e5.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\system32\explorer.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ycivoroqytavyzoh\01000000

Filesize
193KB

MD5
7f73b67e79642a910acd269555131602

SHA1
98a34cee5db6767e84641370a75ed40aa39c4f71

SHA256
4c6be25d1851b0735e296924a526cca2ac7577a3a010e50178a8ba6565d11320

SHA512
c682406bda926fbb77db90c5d8288eb8a2442d174d8e2ebaa9df3c88e91d73ff031ece20394b94e39d64d35085587a0f1a7a87179e5dd70a4bb01eb489cfd9da

Download Submit
memory/2024-3-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/2024-1-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/2024-5-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/2024-10-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/2024-12-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download