Overview
overview
10Static
static
6AES-NI.exe
windows7-x64
10Abrechnung.exe
windows7-x64
8Box (2).exe
windows7-x64
3Box.exe
windows7-x64
3a66dde2298...43.exe
windows7-x64
9a7768f4973...e0.exe
windows7-x64
10aa7ff3bc28...1e.exe
windows7-x64
7aace43af8d...99.exe
windows7-x64
8ad3cc219a8...ws.dll
windows7-x64
10aee03626b8...b1.exe
windows7-x64
6afd3b729cf...2e.exe
windows7-x64
10b56c4569d6...ss.exe
windows7-x64
3b7989d9eac...ss.zip
windows7-x64
7b7d9f11c16...b0.exe
windows7-x64
6b8f60c64c7...af.exe
windows7-x64
10bb0e8d9ba9...38.zip
windows7-x64
9bb89efd602...59.zip
windows7-x64
9bc557a7bfe...8f.exe
windows7-x64
7bd2d4d4300...17.vbs
windows7-x64
1be03e43db0...5F.exe
windows7-x64
7be03e43db0...8A.exe
windows7-x64
7be514549a2...1f.exe
windows7-x64
9bfb8f7f6cb...-0.dll
windows7-x64
8bldjad.ex1.exe
windows7-x64
1bldjad.exe
windows7-x64
1bldjad2.exe
windows7-x64
5c145a26dd6...a0.exe
windows7-x64
3c325092750...db.apk
windows7-x64
3c36c46f4de...6e.exe
windows7-x64
3c3dd2e3cf0...04.exe
windows7-x64
7c71c26bf89...3_.exe
windows7-x64
7c846282987...fd.exe
windows7-x64
5Resubmissions
22-11-2024 22:54
241122-2vh7gaxmfl 1022-11-2024 03:27
241122-dzqkcatmht 1022-11-2024 03:16
241122-dsgc4atlgs 10Analysis
-
max time kernel
298s -
max time network
298s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:16
Behavioral task
behavioral1
Sample
AES-NI.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Abrechnung.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
Box (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Box.exe
Resource
win7-20241010-en
Behavioral task
behavioral5
Sample
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
a7768f4973ad7cf8217212a4d12dbae0.exe
Resource
win7-20241023-en
Behavioral task
behavioral7
Sample
aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
aace43af8d0932a7b01c5b8fb71c8199.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Resource
win7-20241023-en
Behavioral task
behavioral12
Sample
b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
b7989d9eacb5a8b224fd183f6ba65e4e6bd30a4f0e4e1a299f0d2b63dcb56730_Archive_useless.zip
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
Resource
win7-20240708-en
Behavioral task
behavioral15
Sample
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
bb0e8d9ba927076fbe076960ee7c3b31afa9086583b7358c748d78a55b044a38.zip
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
bb89efd602f3ddae8dc8c804053c5800c6628dbc7073c46bb3d268261130ba59.zip
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017.vbs
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_Dumped_TDS=4F8C315F.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_TDS=4F90A68A.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll
Resource
win7-20241023-en
Behavioral task
behavioral24
Sample
bldjad.ex1.exe
Resource
win7-20241010-en
Behavioral task
behavioral25
Sample
bldjad.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
bldjad2.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db.apk
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
c36c46f4de045ef332decc006694db6e.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3_.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd.exe
Resource
win7-20241010-en
General
-
Target
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
-
Size
212KB
-
MD5
c697914b3e3c115391e5a32e6d8d3a98
-
SHA1
b61335cc60ff37680e82c7245ec268d206fc21e2
-
SHA256
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43
-
SHA512
dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b
-
SSDEEP
3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\idyrehoh = "\"C:\\Windows\\egozjliv.exe\"" explorer.exe -
Processes:
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exedescription pid process target process PID 2568 set thread context of 2380 2568 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Windows\egozjliv.exe explorer.exe File created C:\Windows\egozjliv.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exeexplorer.exevssadmin.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2356 vssadmin.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2484 vssvc.exe Token: SeRestorePrivilege 2484 vssvc.exe Token: SeAuditPrivilege 2484 vssvc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exeexplorer.exedescription pid process target process PID 2568 wrote to memory of 2380 2568 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2568 wrote to memory of 2380 2568 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2568 wrote to memory of 2380 2568 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2568 wrote to memory of 2380 2568 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2568 wrote to memory of 2380 2568 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2380 wrote to memory of 2356 2380 explorer.exe vssadmin.exe PID 2380 wrote to memory of 2356 2380 explorer.exe vssadmin.exe PID 2380 wrote to memory of 2356 2380 explorer.exe vssadmin.exe PID 2380 wrote to memory of 2356 2380 explorer.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe"C:\Users\Admin\AppData\Local\Temp\a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2356
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD5d6d1c8fbb124b1fb48ebfee6ebbc30cb
SHA18aadacd8913e4c51a1a6630335d896cc7d6aea55
SHA25667691b9abbfb53e5d4a755077749fccc637219f5d1bef4b248f51c2c89eaa00d
SHA512456433369157acb4b48f4b5fc2c7dd22a4930fb79e70ddc87af30e8708f34d8dbac5690ad649eaa82a3024184b75f4d9e2c1c0497617d7f9def8f57b6b8b577c