Overview
overview
10Static
static
6AES-NI.exe
windows7-x64
7AES-NI.exe
windows10-2004-x64
7Abrechnung.exe
windows7-x64
8Abrechnung.exe
windows10-2004-x64
8Box (2).exe
windows7-x64
3Box (2).exe
windows10-2004-x64
3Box.exe
windows7-x64
3Box.exe
windows10-2004-x64
3a66dde2298...43.exe
windows7-x64
9a66dde2298...43.exe
windows10-2004-x64
9a7768f4973...e0.exe
windows7-x64
10a7768f4973...e0.exe
windows10-2004-x64
10aa7ff3bc28...1e.exe
windows7-x64
7aa7ff3bc28...1e.exe
windows10-2004-x64
7aace43af8d...99.exe
windows7-x64
8aace43af8d...99.exe
windows10-2004-x64
8ad3cc219a8...ws.dll
windows7-x64
10ad3cc219a8...ws.dll
windows10-2004-x64
10aee03626b8...b1.exe
windows7-x64
6aee03626b8...b1.exe
windows10-2004-x64
6afd3b729cf...2e.exe
windows7-x64
10afd3b729cf...2e.exe
windows10-2004-x64
10b56c4569d6...ss.exe
windows7-x64
3b56c4569d6...ss.exe
windows10-2004-x64
30.84762379...67.exe
windows7-x64
70.84762379...67.exe
windows10-2004-x64
3zsgblrbrum...ke.exe
windows7-x64
7zsgblrbrum...ke.exe
windows10-2004-x64
3b7d9f11c16...b0.exe
windows7-x64
5b7d9f11c16...b0.exe
windows10-2004-x64
5b8f60c64c7...af.exe
windows7-x64
10b8f60c64c7...af.exe
windows10-2004-x64
10Resubmissions
22-11-2024 22:54
241122-2vh7gaxmfl 1022-11-2024 03:27
241122-dzqkcatmht 1022-11-2024 03:16
241122-dsgc4atlgs 10Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:27
Behavioral task
behavioral1
Sample
AES-NI.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
AES-NI.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Abrechnung.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Abrechnung.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Box (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Box (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Box.exe
Resource
win7-20241023-en
Behavioral task
behavioral8
Sample
Box.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
a7768f4973ad7cf8217212a4d12dbae0.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
a7768f4973ad7cf8217212a4d12dbae0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
aace43af8d0932a7b01c5b8fb71c8199.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
aace43af8d0932a7b01c5b8fb71c8199.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.dll
Resource
win7-20240729-en
Behavioral task
behavioral18
Sample
ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
0.8476237917779167.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
0.8476237917779167.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
zsgblrbrumorwxfizuke.exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
zsgblrbrumorwxfizuke.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
Resource
win10v2004-20241007-en
General
-
Target
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
-
Size
212KB
-
MD5
c697914b3e3c115391e5a32e6d8d3a98
-
SHA1
b61335cc60ff37680e82c7245ec268d206fc21e2
-
SHA256
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43
-
SHA512
dbdd230a9829eeae3cbb7ba7cead7b378661275ca3a97bef7c4d60a7c8a5a475120bda551c2e2d81e69f9cc4f0dc798f9160d2e94d11f1ed3cc9cdf4752ae35b
-
SSDEEP
3072:HTS1pU/dvuuCtCxzxXXQu+pbSCu9P+5qd/o1x3wPWnK:HTeu/Zat6gH9un0ePW
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iwygivaf = "\"C:\\Windows\\omodyqam.exe\"" explorer.exe -
Processes:
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exedescription pid process target process PID 2180 set thread context of 3060 2180 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe -
Drops file in Windows directory 2 IoCs
Processes:
explorer.exedescription ioc process File opened for modification C:\Windows\omodyqam.exe explorer.exe File created C:\Windows\omodyqam.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exeexplorer.exevssadmin.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2764 vssadmin.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2132 vssvc.exe Token: SeRestorePrivilege 2132 vssvc.exe Token: SeAuditPrivilege 2132 vssvc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exeexplorer.exedescription pid process target process PID 2180 wrote to memory of 3060 2180 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2180 wrote to memory of 3060 2180 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2180 wrote to memory of 3060 2180 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2180 wrote to memory of 3060 2180 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 2180 wrote to memory of 3060 2180 a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe explorer.exe PID 3060 wrote to memory of 2764 3060 explorer.exe vssadmin.exe PID 3060 wrote to memory of 2764 3060 explorer.exe vssadmin.exe PID 3060 wrote to memory of 2764 3060 explorer.exe vssadmin.exe PID 3060 wrote to memory of 2764 3060 explorer.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe"C:\Users\Admin\AppData\Local\Temp\a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2764
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD5d6d1c8fbb124b1fb48ebfee6ebbc30cb
SHA18aadacd8913e4c51a1a6630335d896cc7d6aea55
SHA25667691b9abbfb53e5d4a755077749fccc637219f5d1bef4b248f51c2c89eaa00d
SHA512456433369157acb4b48f4b5fc2c7dd22a4930fb79e70ddc87af30e8708f34d8dbac5690ad649eaa82a3024184b75f4d9e2c1c0497617d7f9def8f57b6b8b577c