fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd

General

Target

fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
Size

446KB
MD5

d781e9d11bd90edc0a29f379e56e39e1
SHA1

d2fc29b258e8307a219ba33c3cbbbef4959055b3
SHA256

fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd
SHA512

55c50e1ac3f77c36995d2753ee64c03dad21720e40bff1e460317cdb965a13c25780f3154d5d49e2e6aea5777a905f442e0e13b6b2489dad3f987064137d137e

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ofelfwil = "C:\\Windows\\ykaxifyq.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exefbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe

description	pid	process	target process
PID 1668 set thread context of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1748 set thread context of 828	1748	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\ykaxifyq.exe explorer.exe
File created C:\Windows\ykaxifyq.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1288 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1708 vssvc.exe
Token: SeRestorePrivilege 1708 vssvc.exe
Token: SeAuditPrivilege 1708 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\ykaxifyq.exe	explorer.exe
File created	C:\Windows\ykaxifyq.exe	explorer.exe

pid	process
1288	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1708	vssvc.exe
Token: SeRestorePrivilege	1708	vssvc.exe
Token: SeAuditPrivilege	1708	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exefbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exeexplorer.exe

description	pid	process	target process
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1668 wrote to memory of 1748	1668	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
PID 1748 wrote to memory of 828	1748	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	explorer.exe
PID 1748 wrote to memory of 828	1748	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	explorer.exe
PID 1748 wrote to memory of 828	1748	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	explorer.exe
PID 1748 wrote to memory of 828	1748	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	explorer.exe
PID 1748 wrote to memory of 828	1748	fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe	explorer.exe
PID 828 wrote to memory of 1288	828	explorer.exe	vssadmin.exe
PID 828 wrote to memory of 1288	828	explorer.exe	vssadmin.exe
PID 828 wrote to memory of 1288	828	explorer.exe	vssadmin.exe
PID 828 wrote to memory of 1288	828	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
"C:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
"C:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe"ÎC:\Users\Admin\AppData\Local\Temp\fbc55a603c1daf716b2b12c2074c694afb73979f8a266b763301e2e42230edfd.sample.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uwiryzenebaxoxoc\01000000
MD5
887a9423bc33561f7a3fc4f3cf626800

SHA1
053285c812abcd42d424677de18f5976255632e6

SHA256
62f97a8743d0890f937a2354b1b009732a906ccaf10f4725685f16fd45b33c2e

SHA512
d5432a743923f6b5e9aa1af4078d114e6ecd69bfb39e2ddd7aaeb309e2de61d588531db34eb721a37cf382400618d758280c926947b41e990b576adab8b37c06

Download Submit
memory/828-65-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/828-66-0x000000000009BB10-mapping.dmp

Download
memory/828-68-0x0000000075231000-0x0000000075233000-memory.dmp

Filesize
8KB

Download
memory/828-71-0x0000000072E81000-0x0000000072E83000-memory.dmp

Filesize
8KB

Download
memory/1288-70-0x0000000000000000-mapping.dmp

Download
memory/1668-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1748-61-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-62-0x000000000040B4D3-mapping.dmp

Download
memory/1748-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads