05fbedef56f8cf1b12e719ffca3136ef15d8d3696009ecf884d2b71fd8094953

Analysis

max time kernel
135s
max time network
133s
platform
windows7_x64
resource
win7v20201028
submitted
30-01-2021 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
Size

31.3MB
MD5

fa9649ba7f76190701b2f1ffaaf4d0df
SHA1

dac66a285e89ee98cb84488df21f8c43c4acb5d3
SHA256

772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae
SHA512

9868a1cc7e9bf361c1d93bad871b88fae0f3c3fa1f15dce1d386f1e78fbda913d30ffd3d407706a34043357727e7db560924ffbd7e1ec4bc5dada7c9e74f6c11

Score

8^/10

discovery evasion ransomware upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

vgf5XHUcCaEzeQun.tmp

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts vgf5XHUcCaEzeQun.tmp
Executes dropped EXE 3 IoCs

Processes:

vgf5XHUcCaEzeQun.exevgf5XHUcCaEzeQun.tmpuTorrent.exe

pid process

1716 vgf5XHUcCaEzeQun.exe
916 vgf5XHUcCaEzeQun.tmp
612 uTorrent.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	vgf5XHUcCaEzeQun.tmp

pid	process
1716	vgf5XHUcCaEzeQun.exe
916	vgf5XHUcCaEzeQun.tmp
612	uTorrent.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\CompressStop.tif.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\PushMount.crw.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\RemoveStop.tiff.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\SetConvertFrom.raw.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\UninstallReceive.raw.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\WaitFind.tif.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\AddUnlock.tif.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\BackupInvoke.tiff.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe	upx
\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe	upx
C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe	upx
C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe	upx

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

uTorrent.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	uTorrent.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	uTorrent.exe

Loads dropped DLL 3 IoCs

Processes:

vgf5XHUcCaEzeQun.exevgf5XHUcCaEzeQun.tmp

pid process

1716 vgf5XHUcCaEzeQun.exe
916 vgf5XHUcCaEzeQun.tmp
916 vgf5XHUcCaEzeQun.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

pid	process
1716	vgf5XHUcCaEzeQun.exe
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

uTorrent.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\utorrentie.exe = "1"	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION\utorrentie.exe = "0"	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	uTorrent.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\utorrentie.exe = "11000"	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION	uTorrent.exe

Modifies registry class 124 IoCs

Processes:

vgf5XHUcCaEzeQun.tmpuTorrent.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.torrent	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\maindoc.ico"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btskin\uTorrent\shell\ = "open"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btsearch\uTorrent\Content Type	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrent-app	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btkey\uTorrent\shell\open	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btapp\uTorrent\shell\open\command = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\""	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\bittorrent\DefaultIcon	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Magnet\DefaultIcon	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Magnet\shell\open\command	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent\Content Type\ = "application/x-bittorrent"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btapp\uTorrent\DefaultIcon = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe,0"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrent	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent\ = "bittorrent URI"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btkey\uTorrent\shell	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btinstall\Content Type = "application/x-bittorrent-appinst"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btkey\ = "uTorrent"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btskin\uTorrent\Content Type	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\maindoc.ico"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btapp\uTorrent\shell\ = "open"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btkey\uTorrent\Content Type\ = "application/x-bittorrent-key"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\bittorrent\Content Type = "application/x-bittorrent-protocol"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btinstall\uTorrent\Content Type\ = "application/x-bittorrent-appinst"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btsearch\uTorrent\shell\ = "open"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btsearch\uTorrent\shell\open\command = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\""	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btskin\uTorrent\shell\open\command = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\""	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btinstall\uTorrent\shell\ = "open"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btapp\uTorrent\shell	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\MIME\Database\Content Type	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\FalconBetaAccount	uTorrent.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btapp\uTorrent\Content Type	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\bittorrent\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\maindoc.ico"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btkey\uTorrent\shell\open\command = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\""	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btsearch	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Applications\uTorrent.exe\shell\open = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\""	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe\" \"%1\" /SHELLASSOC"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent\shell\open\command	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btinstall\uTorrent\Content Type	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Applications\uTorrent.exe\shell\open\command	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btsearch\uTorrent\DefaultIcon = "C:\\Users\\Admin\\AppData\\Roaming\\uTorrent\\uTorrent.exe,0"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.torrent\ = "uTorrent"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\bittorrent\Content Type\ = "application/x-bittorrent"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\MIME\Database\Content Type\application/x-bittorrent-key\Extension = ".btkey"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btinstall	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent\Content Type	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.torrent\Content Type = "application/x-bittorrent"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent\shell\open	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btapp\Content Type = "application/x-bittorrent-app"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\bittorrent	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\MIME\Database	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent\Content Type = "application/x-bittorrent"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\utorrent\shell	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btapp\ = "uTorrent"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btskin\Content Type = "application/x-bittorrent-skin"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btskin\uTorrent\shell	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Magnet	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Magnet\Content Type = "application/x-magnet"	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btsearch\uTorrent\shell	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btkey\uTorrent\shell\ = "open"	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Magnet\URL Protocol	vgf5XHUcCaEzeQun.tmp
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\.btinstall\uTorrent\shell\open	vgf5XHUcCaEzeQun.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Magnet\ = "Magnet URI"	vgf5XHUcCaEzeQun.tmp

Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXEnotepad.exeNOTEPAD.EXE

pid process

1920 NOTEPAD.EXE
1992 notepad.exe
1644 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vgf5XHUcCaEzeQun.tmp

pid process

916 vgf5XHUcCaEzeQun.tmp
916 vgf5XHUcCaEzeQun.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

uTorrent.exe

pid process

612 uTorrent.exe

pid	process
1920	NOTEPAD.EXE
1992	notepad.exe
1644	NOTEPAD.EXE

pid	process
612	uTorrent.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

uTorrent.exeAUDIODG.EXE

description	pid	process
Token: SeManageVolumePrivilege	612	uTorrent.exe
Token: 33	1100	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1100	AUDIODG.EXE
Token: 33	1100	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1100	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 60 IoCs

Processes:

vgf5XHUcCaEzeQun.tmpuTorrent.exenotepad.exe

pid	process
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
916	vgf5XHUcCaEzeQun.tmp
612	uTorrent.exe
612	uTorrent.exe
612	uTorrent.exe
612	uTorrent.exe
1992	notepad.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

uTorrent.exe

pid process

612 uTorrent.exe
612 uTorrent.exe
612 uTorrent.exe
612 uTorrent.exe

pid	process
612	uTorrent.exe
612	uTorrent.exe
612	uTorrent.exe
612	uTorrent.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exevgf5XHUcCaEzeQun.exevgf5XHUcCaEzeQun.tmp

description	pid	process	target process
PID 2028 wrote to memory of 1716	2028	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	vgf5XHUcCaEzeQun.exe
PID 2028 wrote to memory of 1716	2028	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	vgf5XHUcCaEzeQun.exe
PID 2028 wrote to memory of 1716	2028	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	vgf5XHUcCaEzeQun.exe
PID 2028 wrote to memory of 1716	2028	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	vgf5XHUcCaEzeQun.exe
PID 1716 wrote to memory of 916	1716	vgf5XHUcCaEzeQun.exe	vgf5XHUcCaEzeQun.tmp
PID 1716 wrote to memory of 916	1716	vgf5XHUcCaEzeQun.exe	vgf5XHUcCaEzeQun.tmp
PID 1716 wrote to memory of 916	1716	vgf5XHUcCaEzeQun.exe	vgf5XHUcCaEzeQun.tmp
PID 1716 wrote to memory of 916	1716	vgf5XHUcCaEzeQun.exe	vgf5XHUcCaEzeQun.tmp
PID 1716 wrote to memory of 916	1716	vgf5XHUcCaEzeQun.exe	vgf5XHUcCaEzeQun.tmp
PID 1716 wrote to memory of 916	1716	vgf5XHUcCaEzeQun.exe	vgf5XHUcCaEzeQun.tmp
PID 1716 wrote to memory of 916	1716	vgf5XHUcCaEzeQun.exe	vgf5XHUcCaEzeQun.tmp
PID 2028 wrote to memory of 1992	2028	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	notepad.exe
PID 2028 wrote to memory of 1992	2028	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	notepad.exe
PID 2028 wrote to memory of 1992	2028	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	notepad.exe
PID 916 wrote to memory of 760	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 760	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 760	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 760	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1540	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1540	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1540	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1540	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1648	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1648	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1648	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1648	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1604	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1604	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1604	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 1604	916	vgf5XHUcCaEzeQun.tmp	netsh.exe
PID 916 wrote to memory of 612	916	vgf5XHUcCaEzeQun.tmp	uTorrent.exe
PID 916 wrote to memory of 612	916	vgf5XHUcCaEzeQun.tmp	uTorrent.exe
PID 916 wrote to memory of 612	916	vgf5XHUcCaEzeQun.tmp	uTorrent.exe
PID 916 wrote to memory of 612	916	vgf5XHUcCaEzeQun.tmp	uTorrent.exe

C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
"C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\vgf5XHUcCaEzeQun.exe
C:\Users\Admin\AppData\Local\Temp\vgf5XHUcCaEzeQun.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\is-3DVSF.tmp\vgf5XHUcCaEzeQun.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3DVSF.tmp\vgf5XHUcCaEzeQun.tmp" /SL5="$40156,31402076,326656,C:\Users\Admin\AppData\Local\Temp\vgf5XHUcCaEzeQun.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule protocol=TCP name="uTorrent" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe" enable=yes profile=public
4⤵
PID:760

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule protocol=UDP name="uTorrent" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe" enable=yes profile=public
4⤵
PID:1540

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule protocol=TCP name="uTorrent (TCP-In)" program="C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe" dir=in action=allow
4⤵
PID:1648

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule protocol=UDP name="uTorrent (UDP-In)" program="C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe" dir=in action=allow
4⤵
PID:1604

C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
"C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe"
4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:612

C:\Windows\system32\notepad.exe
notepad C:\Users\Admin\Desktop\README.VOVALEX.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1992

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:1028

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:1632

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SendSelect.mpeg.vovalex
1⤵
- Modifies registry class
PID:1620

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SelectTrace.sql.vovalex
1⤵
PID:1208

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.VOVALEX.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1644

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.VOVALEX.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3DVSF.tmp\vgf5XHUcCaEzeQun.tmp
MD5
3a7636d874b391801839c0bee90bed21

SHA1
7a5fedd3653e8240739b4ae4490a9872b813ee6c

SHA256
2f7bba5e7d5c127d9372d7e7f1dabb83c077f547fe15ad15431b7a686a079fe8

SHA512
ed993f0a19d11afa0a821659462ed205bc990c3637a0e4d2292f0fb85c0c1491006966bdd32aefd2567ec8f86e8e579c3b8c40721e87d5ea62fdb16e0f6f0314

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3DVSF.tmp\vgf5XHUcCaEzeQun.tmp
MD5
3a7636d874b391801839c0bee90bed21

SHA1
7a5fedd3653e8240739b4ae4490a9872b813ee6c

SHA256
2f7bba5e7d5c127d9372d7e7f1dabb83c077f547fe15ad15431b7a686a079fe8

SHA512
ed993f0a19d11afa0a821659462ed205bc990c3637a0e4d2292f0fb85c0c1491006966bdd32aefd2567ec8f86e8e579c3b8c40721e87d5ea62fdb16e0f6f0314

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgf5XHUcCaEzeQun.exe
MD5
70ed5e8a31519ec2fd1131020fe8421b

SHA1
1fb74d8d39e7c8a36113ab51f14422930c3b9128

SHA256
7f329d5a3d12b3b9584c98a4d0e40e6ccff21a12bf57cade16820557c45aba13

SHA512
59650f55738281d6421723e1c04976f6602f6431fa7e804992bd6ed485bf8415518c8b3d01c0aec186325ef1fb6ff6a0fb82e1d2ec31506f4529a17f940e277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgf5XHUcCaEzeQun.exe
MD5
70ed5e8a31519ec2fd1131020fe8421b

SHA1
1fb74d8d39e7c8a36113ab51f14422930c3b9128

SHA256
7f329d5a3d12b3b9584c98a4d0e40e6ccff21a12bf57cade16820557c45aba13

SHA512
59650f55738281d6421723e1c04976f6602f6431fa7e804992bd6ed485bf8415518c8b3d01c0aec186325ef1fb6ff6a0fb82e1d2ec31506f4529a17f940e277b

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\current.btskin
MD5
341385c9f53163f68c0fba11344bde43

SHA1
0757dccbb2df7e4566f7fcaf4c7e4aaa72575f65

SHA256
7da8e5f181f9ef4cbec372c81b6280e920cf774cb2b309446353fdb3f61dc2c7

SHA512
9ac062b6cbf65def8281c7646c54970689e03bc0c0d0c472165adddffdfe70412de6593445d6e0dc3bec52947e86ca40b056e4f2d5c234019593cba3587b31f3

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\flags.bmp
MD5
fc81728512003bfe92d66a49202a98e4

SHA1
1771bc0542261e1bb4a8f1fb5b0f1d498e02e8bb

SHA256
67c035aadf04108c8793851e07c5e1bd0c724646adaeb2242b015dae55669046

SHA512
8ba4dcbaf2297dcedc17a66c122d9df6737b6b710cb933e50f6d8266953758093e278468ed8de11cb8dfdbcb79423bf444cea9cff269fb20bc3e70ae9c523608

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\flags.conf
MD5
b45ca5d0ee1707b376f7a66471713379

SHA1
0a3f2b33962d310b0efa40ca79617154d042ffc4

SHA256
2c31a8c896428b20748fe3590385fecd126135d2338b8b1f2207ae6c5e0dc2b0

SHA512
f23633d40a53683427a1ebc369d79b8ad9df06825409f0b538b8cc2d4254fa6efed537f0c3fe80713e45827256477f5927686c0f4ac9ff83de5218e2eee39d99

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\settings.dat
MD5
a3946a20d02dcd076be66edaeb75df51

SHA1
718d2ee55a0f17283c2f0ff20520c4a5a44f1412

SHA256
93925c9d0704c7a02d05bdf8f1430cfc9a72e53b54f589d92fe7f1f6493fd5a4

SHA512
6316ab836e0eea3a9feda65ad652f143ccc2f06d45866343660aaaa1e7e1e905d58019fb62974457c0ae08ea51ec3f492797d589847376caaf31fd4864afae94

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
C:\Users\Admin\AppData\Roaming\uTorrent\utorrent.lng
MD5
80e85e634b7772686655f1be930da07d

SHA1
33327e9006450eac668bb72653f886ac304b1fed

SHA256
7b879aa4253676a4d7cb3f5d5dd1af93f8d2756276de72130aec06fe96828ed5

SHA512
e2df3e2f41c5410642f0cc91052b9e016ffde7755a5fca6f2b17640446260e5f4953f564e6b2de20e74632078d87de47b3d4fec34e3ecca7fa1475cec8ae3270

Download Submit
C:\Users\Admin\Desktop\README.VOVALEX.txt
MD5
5de7a461e4e950b78e7b1eaefd878586

SHA1
d18e133da877744b4d5840cfd18463e38cc10da8

SHA256
bfb864e40e17252fe05010f7ff3f2c22d23dd0206bf1ac6b287831a0c9fd9406

SHA512
efd296b54852df2cd65bf08072787cc1a30c25ba954cf2f48cb91d68fadfff846ac071a788dfae46f7e7fb193d3f9bf7159bd37dd0bdf1ca31a819f4c62eae91

Download Submit
\Users\Admin\AppData\Local\Temp\is-3DVSF.tmp\vgf5XHUcCaEzeQun.tmp
MD5
3a7636d874b391801839c0bee90bed21

SHA1
7a5fedd3653e8240739b4ae4490a9872b813ee6c

SHA256
2f7bba5e7d5c127d9372d7e7f1dabb83c077f547fe15ad15431b7a686a079fe8

SHA512
ed993f0a19d11afa0a821659462ed205bc990c3637a0e4d2292f0fb85c0c1491006966bdd32aefd2567ec8f86e8e579c3b8c40721e87d5ea62fdb16e0f6f0314

Download Submit
\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
\Users\Admin\AppData\Roaming\uTorrent\uTorrent.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
memory/612-28-0x0000000000000000-mapping.dmp

Download
memory/612-38-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/760-20-0x0000000000000000-mapping.dmp

Download
memory/916-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/916-16-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/916-9-0x0000000000000000-mapping.dmp

Download
memory/1540-22-0x0000000000000000-mapping.dmp

Download
memory/1604-26-0x0000000000000000-mapping.dmp

Download
memory/1648-24-0x0000000000000000-mapping.dmp

Download
memory/1716-7-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1716-5-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1716-3-0x0000000000000000-mapping.dmp

Download
memory/1908-34-0x000007FEF6AB0000-0x000007FEF6D2A000-memory.dmp

Filesize
2.5MB

Download
memory/1992-13-0x0000000000000000-mapping.dmp

Download
memory/1992-14-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/2028-2-0x0000000000610000-0x0000000000621000-memory.dmp

Filesize
68KB

Download