51b3773145652b5d559396a08e1282a3a1d92d4df473f774d61791386fca0598

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Size

212KB
MD5

c697914b3e3c115391e5a32e6d8d3a98
SHA1

b61335cc60ff37680e82c7245ec268d206fc21e2
SHA256

a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43
SHA512

dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b
SSDEEP

3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW

Score

9^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckineplj = "\"C:\\Windows\\ezuzilet.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe

description	pid	process	target process
PID 1628 set thread context of 220	1628	a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\ezuzilet.exe explorer.exe
File opened for modification C:\Windows\ezuzilet.exe explorer.exe

description	ioc	process
File created	C:\Windows\ezuzilet.exe	explorer.exe
File opened for modification	C:\Windows\ezuzilet.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

5060 vssadmin.exe

pid	process
5060	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 5116 vssvc.exe
Token: SeRestorePrivilege 5116 vssvc.exe
Token: SeAuditPrivilege 5116 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	5116	vssvc.exe
Token: SeRestorePrivilege	5116	vssvc.exe
Token: SeAuditPrivilege	5116	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exeexplorer.exe

description	pid	process	target process
PID 1628 wrote to memory of 220	1628	a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe	explorer.exe
PID 1628 wrote to memory of 220	1628	a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe	explorer.exe
PID 1628 wrote to memory of 220	1628	a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe	explorer.exe
PID 1628 wrote to memory of 220	1628	a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe	explorer.exe
PID 220 wrote to memory of 5060	220	explorer.exe	vssadmin.exe
PID 220 wrote to memory of 5060	220	explorer.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
"C:\Users\Admin\AppData\Local\Temp\a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\system32\explorer.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Phishing Filter
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:5060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abekelataheficij\01000000

Filesize
212KB

MD5
d6d1c8fbb124b1fb48ebfee6ebbc30cb

SHA1
8aadacd8913e4c51a1a6630335d896cc7d6aea55

SHA256
67691b9abbfb53e5d4a755077749fccc637219f5d1bef4b248f51c2c89eaa00d

SHA512
456433369157acb4b48f4b5fc2c7dd22a4930fb79e70ddc87af30e8708f34d8dbac5690ad649eaa82a3024184b75f4d9e2c1c0497617d7f9def8f57b6b8b577c

Download Submit
memory/220-1-0x00000000012A0000-0x00000000012D8000-memory.dmp

Filesize
224KB

Download
memory/220-7-0x00000000012A0000-0x00000000012D8000-memory.dmp

Filesize
224KB

Download
memory/220-11-0x00000000012A0000-0x00000000012D8000-memory.dmp

Filesize
224KB

Download
memory/220-14-0x00000000012A0000-0x00000000012D8000-memory.dmp

Filesize
224KB

Download