4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-07-2022 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe
Size

372KB
MD5

76dcea66375fd47b13e624efdd11d888
SHA1

6690c6f0c0f68a1da2b0fba75c25503ca9a9d1e0
SHA256

4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb
SHA512

73b686abde3a0e6260e13e6921b75377ab8fa15739f959160dfb82a4b7ced928d01cf7e45d97727046bf8075b233d16c13756bf422f9e95cc35c4ec81453a619

Score

10^/10

persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\Recovery+mhxrt.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/D3BFEB03B997036 2. http://b4youfred5485jgsa3453f.italazudda.com/D3BFEB03B997036 3. http://5rport45vcdef345adfkksawe.bematvocal.at/D3BFEB03B997036 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/D3BFEB03B997036 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/D3BFEB03B997036 http://b4youfred5485jgsa3453f.italazudda.com/D3BFEB03B997036 http://5rport45vcdef345adfkksawe.bematvocal.at/D3BFEB03B997036 *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/D3BFEB03B997036 *-*-* Your personal identification ID: D3BFEB03B997036

URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/D3BFEB03B997036

http://b4youfred5485jgsa3453f.italazudda.com/D3BFEB03B997036

http://5rport45vcdef345adfkksawe.bematvocal.at/D3BFEB03B997036

http://fwgrhsao3aoml7ej.onion/D3BFEB03B997036

http://fwgrhsao3aoml7ej.ONION/D3BFEB03B997036

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
3616	vovykeqslhod.exe
4436	vovykeqslhod.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	vovykeqslhod.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kvorittkesdw = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\vovykeqslhod.exe\""	vovykeqslhod.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	vovykeqslhod.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3264 set thread context of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3616 set thread context of 4436	3616	vovykeqslhod.exe	92

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-150_contrast-white.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-200.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_ReptileEye.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\Recovery+mhxrt.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Notification.m4a	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\Recovery+mhxrt.html	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+mhxrt.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\Recovery+mhxrt.html	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-125.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-400.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60_altform-unplated.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-80_altform-unplated.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-256_altform-lightunplated.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Recovery+mhxrt.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-200.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\LargeTile.scale-200.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Campfire.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Recovery+mhxrt.html	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-100.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-400.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+mhxrt.html	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-125.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\WideTile.scale-100.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Video_Msg_Stop.m4a	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-150.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Recovery+mhxrt.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-32_contrast-white.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\Recovery+mhxrt.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\STARTUP\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-48_contrast-white.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\Recovery+mhxrt.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Recovery+mhxrt.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-48_altform-unplated_contrast-white.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-unplated.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\fabric.components.min.css	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\55.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\Recovery+mhxrt.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\Recovery+mhxrt.txt	vovykeqslhod.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pt-BR.pak	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-125.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-125.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-64_altform-unplated_contrast-black.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsLargeTile.scale-100.png	vovykeqslhod.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MoviesAnywhereLogo.png	vovykeqslhod.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\vovykeqslhod.exe	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe
File created	C:\Windows\vovykeqslhod.exe	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe
4436	vovykeqslhod.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe
Token: SeDebugPrivilege	4436	vovykeqslhod.exe
Token: SeIncreaseQuotaPrivilege	4820	WMIC.exe
Token: SeSecurityPrivilege	4820	WMIC.exe
Token: SeTakeOwnershipPrivilege	4820	WMIC.exe
Token: SeLoadDriverPrivilege	4820	WMIC.exe
Token: SeSystemProfilePrivilege	4820	WMIC.exe
Token: SeSystemtimePrivilege	4820	WMIC.exe
Token: SeProfSingleProcessPrivilege	4820	WMIC.exe
Token: SeIncBasePriorityPrivilege	4820	WMIC.exe
Token: SeCreatePagefilePrivilege	4820	WMIC.exe
Token: SeBackupPrivilege	4820	WMIC.exe
Token: SeRestorePrivilege	4820	WMIC.exe
Token: SeShutdownPrivilege	4820	WMIC.exe
Token: SeDebugPrivilege	4820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4820	WMIC.exe
Token: SeRemoteShutdownPrivilege	4820	WMIC.exe
Token: SeUndockPrivilege	4820	WMIC.exe
Token: SeManageVolumePrivilege	4820	WMIC.exe
Token: 33	4820	WMIC.exe
Token: 34	4820	WMIC.exe
Token: 35	4820	WMIC.exe
Token: 36	4820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4820	WMIC.exe
Token: SeSecurityPrivilege	4820	WMIC.exe
Token: SeTakeOwnershipPrivilege	4820	WMIC.exe
Token: SeLoadDriverPrivilege	4820	WMIC.exe
Token: SeSystemProfilePrivilege	4820	WMIC.exe
Token: SeSystemtimePrivilege	4820	WMIC.exe
Token: SeProfSingleProcessPrivilege	4820	WMIC.exe
Token: SeIncBasePriorityPrivilege	4820	WMIC.exe
Token: SeCreatePagefilePrivilege	4820	WMIC.exe
Token: SeBackupPrivilege	4820	WMIC.exe
Token: SeRestorePrivilege	4820	WMIC.exe
Token: SeShutdownPrivilege	4820	WMIC.exe
Token: SeDebugPrivilege	4820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4820	WMIC.exe
Token: SeRemoteShutdownPrivilege	4820	WMIC.exe
Token: SeUndockPrivilege	4820	WMIC.exe
Token: SeManageVolumePrivilege	4820	WMIC.exe
Token: 33	4820	WMIC.exe
Token: 34	4820	WMIC.exe
Token: 35	4820	WMIC.exe
Token: 36	4820	WMIC.exe
Token: SeBackupPrivilege	1704	vssvc.exe
Token: SeRestorePrivilege	1704	vssvc.exe
Token: SeAuditPrivilege	1704	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe
3616	vovykeqslhod.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 3264 wrote to memory of 2776	3264	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	88
PID 2776 wrote to memory of 3616	2776	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	89
PID 2776 wrote to memory of 3616	2776	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	89
PID 2776 wrote to memory of 3616	2776	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	89
PID 2776 wrote to memory of 3160	2776	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	90
PID 2776 wrote to memory of 3160	2776	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	90
PID 2776 wrote to memory of 3160	2776	4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe	90
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 3616 wrote to memory of 4436	3616	vovykeqslhod.exe	92
PID 4436 wrote to memory of 4820	4436	vovykeqslhod.exe	93
PID 4436 wrote to memory of 4820	4436	vovykeqslhod.exe	93

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	vovykeqslhod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vovykeqslhod.exe

C:\Users\Admin\AppData\Local\Temp\4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe
"C:\Users\Admin\AppData\Local\Temp\4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe
  "C:\Users\Admin\AppData\Local\Temp\4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\vovykeqslhod.exe
    C:\Windows\vovykeqslhod.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\vovykeqslhod.exe
      C:\Windows\vovykeqslhod.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4436
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\4A9721~1.EXE
    3⤵
    PID:3160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\vovykeqslhod.exe

Filesize
372KB

MD5
76dcea66375fd47b13e624efdd11d888

SHA1
6690c6f0c0f68a1da2b0fba75c25503ca9a9d1e0

SHA256
4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb

SHA512
73b686abde3a0e6260e13e6921b75377ab8fa15739f959160dfb82a4b7ced928d01cf7e45d97727046bf8075b233d16c13756bf422f9e95cc35c4ec81453a619

Download Submit
C:\Windows\vovykeqslhod.exe

Filesize
372KB

MD5
76dcea66375fd47b13e624efdd11d888

SHA1
6690c6f0c0f68a1da2b0fba75c25503ca9a9d1e0

SHA256
4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb

SHA512
73b686abde3a0e6260e13e6921b75377ab8fa15739f959160dfb82a4b7ced928d01cf7e45d97727046bf8075b233d16c13756bf422f9e95cc35c4ec81453a619

Download Submit
C:\Windows\vovykeqslhod.exe

Filesize
372KB

MD5
76dcea66375fd47b13e624efdd11d888

SHA1
6690c6f0c0f68a1da2b0fba75c25503ca9a9d1e0

SHA256
4a972144600d364684e75cdb6e34d74cba51661f6872bbc3e41c25425fff3ebb

SHA512
73b686abde3a0e6260e13e6921b75377ab8fa15739f959160dfb82a4b7ced928d01cf7e45d97727046bf8075b233d16c13756bf422f9e95cc35c4ec81453a619

Download Submit
memory/2776-132-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2776-133-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2776-135-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2776-136-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2776-141-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3264-134-0x0000000000760000-0x0000000000763000-memory.dmp

Filesize
12KB

Download
memory/3264-130-0x0000000000760000-0x0000000000763000-memory.dmp

Filesize
12KB

Download
memory/4436-145-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4436-146-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4436-147-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4436-149-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download