af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2

General

Target

af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe
Size

200KB
MD5

f5ae9882f079c34f21eb9649b6f79724
SHA1

78f92938f0f9e5f5e1470eeaea9841e8e53c3fda
SHA256

af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2
SHA512

ca92229a2ad7234276cdb8aa8df1d1349560af47607660089bdeffcf53e06be52d2657887e85cbfc70ecf12d4782699eaa009f2b6c86f0c09af80a97481ee13c

Score

10^/10

evasion persistence ransomware suricata trojan

Malware Config

Signatures

suricata: ET MALWARE TorrentLocker DNS Lookup
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upygubah = "C:\\Windows\\uqimasar.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe

description	pid	process	target process
PID 1848 set thread context of 1252	1848	af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\uqimasar.exe explorer.exe
File created C:\Windows\uqimasar.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

564 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1372 vssvc.exe
Token: SeRestorePrivilege 1372 vssvc.exe
Token: SeAuditPrivilege 1372 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\uqimasar.exe	explorer.exe
File created	C:\Windows\uqimasar.exe	explorer.exe

pid	process
564	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1372	vssvc.exe
Token: SeRestorePrivilege	1372	vssvc.exe
Token: SeAuditPrivilege	1372	vssvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exeexplorer.exe

description	pid	process	target process
PID 1848 wrote to memory of 1252	1848	af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe	explorer.exe
PID 1848 wrote to memory of 1252	1848	af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe	explorer.exe
PID 1848 wrote to memory of 1252	1848	af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe	explorer.exe
PID 1848 wrote to memory of 1252	1848	af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe	explorer.exe
PID 1848 wrote to memory of 1252	1848	af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe	explorer.exe
PID 1252 wrote to memory of 564	1252	explorer.exe	vssadmin.exe
PID 1252 wrote to memory of 564	1252	explorer.exe	vssadmin.exe
PID 1252 wrote to memory of 564	1252	explorer.exe	vssadmin.exe
PID 1252 wrote to memory of 564	1252	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe
"C:\Users\Admin\AppData\Local\Temp\af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2.sample.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uxejaxegugacufud\01000000
MD5
f5ae9882f079c34f21eb9649b6f79724

SHA1
78f92938f0f9e5f5e1470eeaea9841e8e53c3fda

SHA256
af48e55bb79caba8acccaa8a9498874db7cbf46d3ed696e7b0ce32ad157abbc2

SHA512
ca92229a2ad7234276cdb8aa8df1d1349560af47607660089bdeffcf53e06be52d2657887e85cbfc70ecf12d4782699eaa009f2b6c86f0c09af80a97481ee13c

Download Submit
memory/564-66-0x0000000000000000-mapping.dmp

Download
memory/1252-62-0x000000000009A3B0-mapping.dmp

Download
memory/1252-61-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1252-64-0x0000000074EE1000-0x0000000074EE3000-memory.dmp

Filesize
8KB

Download
memory/1252-67-0x0000000072B51000-0x0000000072B53000-memory.dmp

Filesize
8KB

Download
memory/1848-60-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads