05fbedef56f8cf1b12e719ffca3136ef15d8d3696009ecf884d2b71fd8094953

General

Target

772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
Size

31.3MB
MD5

fa9649ba7f76190701b2f1ffaaf4d0df
SHA1

dac66a285e89ee98cb84488df21f8c43c4acb5d3
SHA256

772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae
SHA512

9868a1cc7e9bf361c1d93bad871b88fae0f3c3fa1f15dce1d386f1e78fbda913d30ffd3d407706a34043357727e7db560924ffbd7e1ec4bc5dada7c9e74f6c11

Score

8^/10

ransomware

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

VSQ4v5aFgqPyUD8B.exeVSQ4v5aFgqPyUD8B.tmp

pid process

2456 VSQ4v5aFgqPyUD8B.exe
1764 VSQ4v5aFgqPyUD8B.tmp

pid	process
2456	VSQ4v5aFgqPyUD8B.exe
1764	VSQ4v5aFgqPyUD8B.tmp

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\BackupMeasure.tiff.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\EnableWait.crw.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\RequestTest.raw.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\SubmitCopy.crw.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
File created	C:\Users\Admin\Pictures\SwitchProtect.png.vovalex	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4060 notepad.exe

pid	process
4060	notepad.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exeVSQ4v5aFgqPyUD8B.exe

description	pid	process	target process
PID 864 wrote to memory of 2456	864	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	VSQ4v5aFgqPyUD8B.exe
PID 864 wrote to memory of 2456	864	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	VSQ4v5aFgqPyUD8B.exe
PID 864 wrote to memory of 2456	864	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	VSQ4v5aFgqPyUD8B.exe
PID 2456 wrote to memory of 1764	2456	VSQ4v5aFgqPyUD8B.exe	VSQ4v5aFgqPyUD8B.tmp
PID 2456 wrote to memory of 1764	2456	VSQ4v5aFgqPyUD8B.exe	VSQ4v5aFgqPyUD8B.tmp
PID 2456 wrote to memory of 1764	2456	VSQ4v5aFgqPyUD8B.exe	VSQ4v5aFgqPyUD8B.tmp
PID 864 wrote to memory of 4060	864	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	notepad.exe
PID 864 wrote to memory of 4060	864	772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
"C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\is-PC30D.tmp\VSQ4v5aFgqPyUD8B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PC30D.tmp\VSQ4v5aFgqPyUD8B.tmp" /SL5="$60030,31402076,326656,C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe"
3⤵
- Executes dropped EXE
PID:1764

C:\Windows\SYSTEM32\notepad.exe
notepad C:\Users\Admin\Desktop\README.VOVALEX.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4060

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
MD5
70ed5e8a31519ec2fd1131020fe8421b

SHA1
1fb74d8d39e7c8a36113ab51f14422930c3b9128

SHA256
7f329d5a3d12b3b9584c98a4d0e40e6ccff21a12bf57cade16820557c45aba13

SHA512
59650f55738281d6421723e1c04976f6602f6431fa7e804992bd6ed485bf8415518c8b3d01c0aec186325ef1fb6ff6a0fb82e1d2ec31506f4529a17f940e277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
MD5
70ed5e8a31519ec2fd1131020fe8421b

SHA1
1fb74d8d39e7c8a36113ab51f14422930c3b9128

SHA256
7f329d5a3d12b3b9584c98a4d0e40e6ccff21a12bf57cade16820557c45aba13

SHA512
59650f55738281d6421723e1c04976f6602f6431fa7e804992bd6ed485bf8415518c8b3d01c0aec186325ef1fb6ff6a0fb82e1d2ec31506f4529a17f940e277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PC30D.tmp\VSQ4v5aFgqPyUD8B.tmp
MD5
3a7636d874b391801839c0bee90bed21

SHA1
7a5fedd3653e8240739b4ae4490a9872b813ee6c

SHA256
2f7bba5e7d5c127d9372d7e7f1dabb83c077f547fe15ad15431b7a686a079fe8

SHA512
ed993f0a19d11afa0a821659462ed205bc990c3637a0e4d2292f0fb85c0c1491006966bdd32aefd2567ec8f86e8e579c3b8c40721e87d5ea62fdb16e0f6f0314

Download Submit
C:\Users\Admin\Desktop\README.VOVALEX.txt
MD5
5de7a461e4e950b78e7b1eaefd878586

SHA1
d18e133da877744b4d5840cfd18463e38cc10da8

SHA256
bfb864e40e17252fe05010f7ff3f2c22d23dd0206bf1ac6b287831a0c9fd9406

SHA512
efd296b54852df2cd65bf08072787cc1a30c25ba954cf2f48cb91d68fadfff846ac071a788dfae46f7e7fb193d3f9bf7159bd37dd0bdf1ca31a819f4c62eae91

Download Submit
memory/864-2-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1764-6-0x0000000000000000-mapping.dmp

Download
memory/1764-9-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2456-3-0x0000000000000000-mapping.dmp

Download
memory/2456-8-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4060-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing