4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2

General

Target

4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
Size

554KB
MD5

599b93918efa98ba6cea5e14cc47fa80
SHA1

94c7c7c89be2e3c866b81fb352586a70f91414c3
SHA256

4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2
SHA512

d98fbee1d19c46aa8297065b2f7b4690033534d07deb156962f0d42b9d7ad20aca44a1fca1666fd624c2e5f3320e4ab891c519a6d1e057c89b4cd5afecd5279c

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ynivawov = "\"C:\\Windows\\wcyhalir.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe

description	pid	process	target process
PID 1016 set thread context of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1364 set thread context of 1084	1364	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\wcyhalir.exe explorer.exe
File opened for modification C:\Windows\wcyhalir.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

888 vssadmin.exe

description	ioc	process
File created	C:\Windows\wcyhalir.exe	explorer.exe
File opened for modification	C:\Windows\wcyhalir.exe	explorer.exe

pid	process
888	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe

pid process

1016 4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1316 vssvc.exe
Token: SeRestorePrivilege 1316 vssvc.exe
Token: SeAuditPrivilege 1316 vssvc.exe

pid	process
1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe

description	pid	process
Token: SeBackupPrivilege	1316	vssvc.exe
Token: SeRestorePrivilege	1316	vssvc.exe
Token: SeAuditPrivilege	1316	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exeexplorer.exe

description	pid	process	target process
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1016 wrote to memory of 1364	1016	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
PID 1364 wrote to memory of 1084	1364	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	explorer.exe
PID 1364 wrote to memory of 1084	1364	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	explorer.exe
PID 1364 wrote to memory of 1084	1364	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	explorer.exe
PID 1364 wrote to memory of 1084	1364	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	explorer.exe
PID 1364 wrote to memory of 1084	1364	4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe	explorer.exe
PID 1084 wrote to memory of 888	1084	explorer.exe	vssadmin.exe
PID 1084 wrote to memory of 888	1084	explorer.exe	vssadmin.exe
PID 1084 wrote to memory of 888	1084	explorer.exe	vssadmin.exe
PID 1084 wrote to memory of 888	1084	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
"C:\Users\Admin\AppData\Local\Temp\4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe
"C:\Users\Admin\AppData\Local\Temp\4f8a51b563e832c4660a2e674580d91dc46294447f6971b9916285dab28bd4b2.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ywynugoxasijikec\01000000
Filesize
554KB

MD5
84f95ae4f57406b842d22518aaf5186a

SHA1
ad888ec5dfc94e07914dd31de150bffc64af3ee3

SHA256
fd375853a25a1173838b91c665ab8f8650e9695f6ea6549e60e1be26b61410e8

SHA512
52648345db13fc987ba39042e449405d0944cd3608eae708dd26b66f433d58f01576ad97f6875f7c28fd091666ebacad674c93cac6ebaae57ca74154a65d21f2

Download Submit
memory/888-79-0x0000000000000000-mapping.dmp

Download
memory/1016-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1084-69-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1084-80-0x00000000721A1000-0x00000000721A3000-memory.dmp

Filesize
8KB

Download
memory/1084-78-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1084-75-0x0000000074781000-0x0000000074783000-memory.dmp

Filesize
8KB

Download
memory/1084-73-0x000000000009A160-mapping.dmp

Download
memory/1084-71-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1364-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-65-0x000000000040A61E-mapping.dmp

Download
memory/1364-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads