e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4

General

Target

e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4
Sample

191025-dn8qy4kq5x
SHA256

e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4

Score

N/A

Malware Config

Signatures

Drops Office document 20 IoCs

description	ioc	pid	Process
File opened for modification	\??\c:\Users\Admin\Documents\ConvertSubmit.xls	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Desktop\DisableReceive.ppt	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\PopRevoke.potx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\UnblockUnprotect.xlsx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Music\ApproveTest.xlt	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Music\LimitGet.xlt	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Desktop\StopUnregister.docx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\Are.docx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\Files.docx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\Opened.docx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\Recently.docx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\These.docx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\WaitSelect.dotm	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Music\MeasureSearch.xltm	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Music\RemoveOut.pot	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Music\RestoreConvertTo.xltm	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\LimitRead.ppt	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\SplitAssert.xls	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\UninstallClear.ppsm	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
File opened for modification	\??\c:\Users\Admin\Documents\ExportPush.dotx	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1480	vssvc.exe
Token: SeRestorePrivilege	1480	vssvc.exe
Token: SeAuditPrivilege	1480	vssvc.exe

Deletes shadow copies 2 TTPs 1 IoCs

ransomware

Inhibit System Recovery

T1490

pid	Process
1456	vssadmin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1456	1560	taskeng.exe	29
PID 2024 wrote to memory of 1572	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe	33
PID 2024 wrote to memory of 1952	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe	36
PID 1572 wrote to memory of 1496	1572	iexplore.exe	38

Modifies control panel 2 IoCs

evasion

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\WallpaperStyle = "0"	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\TileWallpaper = "0"	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\ykcol.bmp"	2024	e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
848	conhost.exe
1664	conhost.exe
1572	iexplore.exe
1496	IEXPLORE.EXE

Deletes itself 1 IoCs

pid	Process
1952	cmd.exe

Drops file in system dir 1 IoCs

description	ioc	pid	Process
File opened for modification	C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT	1668	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	1572	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0AE20331-F72A-11E9-B4AA-5A04DDDE1864} = "0"	1572	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1572	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	1572	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	1572	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	1572	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1496	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	1572	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee000000000200000000001066000000010000200000007f86c47a31e67cb807ee84d6c5165e462bb00045aa676a90a0ffc248e9beaa30000000000e800000000200002000000087de06a0c8e57593dee84927bcac8020613bd4c9873b71bcb6f1b3c0801d20eb20000000c468b887befea0b4f76a6cdd0fcfbe71626202f5f8066a89daa345fde3004e7e40000000fc171a12b2d2baa1d6ae5012d7e81efe2a45c7e57d1832be859aac28514cebce32efaf9cae626faa949e9645718db71bceae6673d121e303e3d6e6005a348b70	1572	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9072c0e4368bd501	1572	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee000000000200000000001066000000010000200000003922855b7d95c7bdcfd1cbee3d096ea0bac360f0bf318c63886cdb9a5a727ea8000000000e80000000020000200000009139d57df0a1c695d6c4f67194d8b8a488da14f12b37c853c9cc180968c12ccd9000000032f03e16f4c212a63cb133c347b19e08324e95fb0fb4b5c34b5be2a13c8b7bd65c39feaac55a1d5e020fc77f6ab23a5722a705fb54d6a5ea2689fc1b305051287c860bcfe1dc424ad7772135de1da581467a13770fa31376f79129db05eff9dcc5590e6e6d9e16ed0faff21d01c366d1a787fd7a5e746792a2213a45fe92c31d060e6495a2f16ff0140503a9a304f78a40000000eaad03aacdcb71f57785368bab8c13c7a25a5f568e1ed79eb5d128873925cbff96ce1f2e910d87a07dd908834528f864a7ab3d5d7c072e891b59388443495fe8	1572	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	1572	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "278774535"	1572	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1572	iexplore.exe
1668	DllHost.exe

C:\Users\Admin\AppData\Local\Temp\e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe
"C:\Users\Admin\AppData\Local\Temp\e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe"
1⤵
- Drops Office document
- Suspicious use of WriteProcessMemory
- Modifies control panel
- Sets desktop wallpaper using registry
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\taskeng.exe
taskeng.exe {59FFE777-90C9-49B9-B7C1-E1679627E154} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
1⤵
- Deletes shadow copies
PID:1456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1138213463-1895528116-1008379782-1151265992-62393745-14787800111541998338-1334743294"
1⤵
- Suspicious use of SetWindowsHookEx
PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:2028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ykcol.htm
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1572

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in system dir
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e5bafdd9d27defccb5c62db15a0374ccdeedb6a279b33776e8fc1ecb728d70e4.exe"
1⤵
- Deletes itself
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "170567490699066284820195978591905946548-1324181297-6827939461883015892416655494"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1572 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
PID:1496

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

1

T1490

MITRE ATT&CK Additional techniques

T1107

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads