aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc

General

Target

aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
Size

295KB
MD5

35e2bdf8ec69f9ca0bca535197a729de
SHA1

6992f51d8e4e8dae62bc2f6478a4adae7f9eba34
SHA256

aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc
SHA512

7232e43463649487cae4a06ead56edc548563630f325e450a5681fe5cc39ffd1a2a6ae6ead666d0bf3d3f7263456f641912cf4fe7aea04e2478eaef534844038

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lkqovoiq.exe

pid process

1792 lkqovoiq.exe

pid	process
1792	lkqovoiq.exe

Drops file in Windows directory 62 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BITF768.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\6e15245aed25ee83b027521f9cf9ea812c9d016d	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\c3ca3df6b0660cc02fa0c60992eb1164c186b223	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\fDFnweOZvFE=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\FTTOLXxEZk0li+ZNE2Uo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BITD072.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BITD6EC.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\BITD8A2.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BITEDA2.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0773690a1a8f21e8764e9177015857ad\a3f602ea4d534d006919a2613d91f9506b383314	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0773690a1a8f21e8764e9177015857ad\BIT4FEA.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\Xbfe7KpvVnvJHxQ2cRDBmUlnoMnpDY=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BITFB92.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT2A26.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\d9f2a302574bf135efc9dbd1a8083a336f7f52f0	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT394A.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT39E7.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BITA043.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BITA0B2.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\BITCF66.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BITD013.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BITF92E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT8831.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\2cd32031792245e69c7777193005916861cbbe94	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0773690a1a8f21e8764e9177015857ad\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\LZOCjtiHKk8=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT49FB.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT88DE.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\BIT9776.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BIT993E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT1BF8.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT4A79.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\fbaaae7103d0f0a1303a40d280aa18bafcd08dcf	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BIT29B7.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT474B.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0773690a1a8f21e8764e9177015857ad\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT4F1E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d1d4bb0c910695f4fcf53d8f91faafa7\Jda7di8befpfPWz3DrhkMwwJL9XbuL8\BIT96D9.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BIT816.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT1D42.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\cb9f14b7916e97a31f1e53948ed1b67f\6\v9GXr9MSfUt92b0dEpOsHH2H0TwcnvKmtIW8g3ovM=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BIT9804.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT1CE3.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT2234.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT44B8.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT468E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BITEE20.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\YZBnsYBVNBTl3Isrrjy7P0\BITBD63.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\daNJ9YVgpN191GzoPynRDpTEDO9uUytOK6Ln7xcN8To=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\26794b1631618c81e2caec277357b370\BITD092.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\o\egfDu3QHOC\BITFA97.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0773690a1a8f21e8764e9177015857ad\BIT434F.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT4564.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\2ef09e08315a593ec3af8ec57ab6a31e\BITBEDB.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d341f4322500ef92547a141039af2d20\BIT8C3.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\0773690a1a8f21e8764e9177015857ad\pj5OoD7hJ+dBGy+3XOjLT8WsuYwervv\BIT4245.tmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exelkqovoiq.exe

description	pid	process	target process
PID 1512 wrote to memory of 1792	1512	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe	lkqovoiq.exe
PID 1512 wrote to memory of 1792	1512	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe	lkqovoiq.exe
PID 1512 wrote to memory of 1792	1512	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe	lkqovoiq.exe
PID 1792 wrote to memory of 1824	1792	lkqovoiq.exe	lkqovoiq.exe
PID 1792 wrote to memory of 1824	1792	lkqovoiq.exe	lkqovoiq.exe
PID 1792 wrote to memory of 1824	1792	lkqovoiq.exe	lkqovoiq.exe

C:\Users\Admin\AppData\Local\Temp\aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
"C:\Users\Admin\AppData\Local\Temp\aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe C:\Users\Admin\AppData\Local\Temp\ruskol
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe C:\Users\Admin\AppData\Local\Temp\ruskol
3⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:4784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
MD5
c9181542b3c1392a8d68f14e677ccd42

SHA1
4b470322716c69aa8bf8bef98f3a73f90921c972

SHA256
9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056

SHA512
2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
MD5
c9181542b3c1392a8d68f14e677ccd42

SHA1
4b470322716c69aa8bf8bef98f3a73f90921c972

SHA256
9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056

SHA512
2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\od8kuhrmmzrp1u52np5i
MD5
10ca7fc53a9ebf555f4d2110d9e24249

SHA1
0ee055b5812d098634f607742137eec9100274c5

SHA256
602043eb658596d7531f615fe24f346bf9c81ed16c9dda45359c95ff1e7ef5a8

SHA512
5647279d8b96266dee1fbb3396ddd9c3599afa993e85ca42a66b5182d063469d30efe28a6d5536be2b20d86d69aa9dbd1391ffde8854fc8bf2c20c6b1719ad8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruskol
MD5
2a88e12b7471b4dd42f31e0aed15e05d

SHA1
6c5cc2242d9fb1b77f426b8495c98273326819dc

SHA256
cbfb83205cefb664bf19e3908137002c06c60d49520812e085e9ee8b402bae49

SHA512
77f6b0f29cf0e497730d62b6ec987496e9f02f36427e64f109e319f7534eb43f37314c63fbaa07ff721e9920a751097d577f6c729bccfc537885821e55da14d2

Download Submit
memory/4784-140-0x000002ABC8220000-0x000002ABC8224000-memory.dmp

Filesize
16KB

Download
memory/4784-139-0x000002ABC5C60000-0x000002ABC5C70000-memory.dmp

Filesize
64KB

Download
memory/4784-138-0x000002ABC53A0000-0x000002ABC53B0000-memory.dmp

Filesize
64KB

Download
memory/4784-141-0x000002ABC85C0000-0x000002ABC85C4000-memory.dmp

Filesize
16KB

Download
memory/4784-142-0x000002ABC85C0000-0x000002ABC85C4000-memory.dmp

Filesize
16KB

Download
memory/4784-143-0x000002ABC8690000-0x000002ABC8694000-memory.dmp

Filesize
16KB

Download
memory/4784-144-0x000002ABC8690000-0x000002ABC8694000-memory.dmp

Filesize
16KB

Download
memory/4784-145-0x000002ABC8760000-0x000002ABC8764000-memory.dmp

Filesize
16KB

Download
memory/4784-146-0x000002ABC8500000-0x000002ABC8504000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing