5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8

General

Target

5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
Size

368KB
MD5

65440340932ca8194b58ab27a078d4b5
SHA1

3c8690d9c4b8de49ba2ed4ceae26468a3b4220fe
SHA256

5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8
SHA512

23934b41dadc45710bf8c598923c481af643416c0f3cc9e71f7314204fa80bd1a90afe58933911ec03b5cd9cbef93b4328404564a40793de2e75f34c02451410

Score

10^/10

persistence ransomware suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4084403625-2215941253-1760665084-1000\Recovery+fvssi.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/24226F9885EA5C9 2. http://b4youfred5485jgsa3453f.italazudda.com/24226F9885EA5C9 3. http://5rport45vcdef345adfkksawe.bematvocal.at/24226F9885EA5C9 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/24226F9885EA5C9 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/24226F9885EA5C9 http://b4youfred5485jgsa3453f.italazudda.com/24226F9885EA5C9 http://5rport45vcdef345adfkksawe.bematvocal.at/24226F9885EA5C9 *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/24226F9885EA5C9 *-*-* Your personal identification ID: 24226F9885EA5C9

URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/24226F9885EA5C9

http://b4youfred5485jgsa3453f.italazudda.com/24226F9885EA5C9

http://5rport45vcdef345adfkksawe.bematvocal.at/24226F9885EA5C9

http://fwgrhsao3aoml7ej.onion/24226F9885EA5C9

http://fwgrhsao3aoml7ej.ONION/24226F9885EA5C9

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

roveddixelms.exeroveddixelms.exe

pid process

1360 roveddixelms.exe
268 roveddixelms.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1788 cmd.exe

pid	process
1360	roveddixelms.exe
268	roveddixelms.exe

pid	process
1788	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

roveddixelms.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run	roveddixelms.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\klghisbqncdh = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\roveddixelms.exe\""	roveddixelms.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exeroveddixelms.exe

description	pid	process	target process
PID 1976 set thread context of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1360 set thread context of 268	1360	roveddixelms.exe	roveddixelms.exe

Drops file in Program Files directory 64 IoCs

Processes:

roveddixelms.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Mail\fr-FR\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	roveddixelms.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Portable Devices\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\Common Files\Services\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_SelectionSubpicture.png	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png	roveddixelms.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\es-ES\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	roveddixelms.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\Common Files\System\ado\Recovery+fvssi.txt	roveddixelms.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\Recovery+fvssi.html	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\Recovery+fvssi.png	roveddixelms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\Recovery+fvssi.txt	roveddixelms.exe

Drops file in Windows directory 2 IoCs

Processes:

5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe

description	ioc	process
File opened for modification	C:\Windows\roveddixelms.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
File created	C:\Windows\roveddixelms.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

roveddixelms.exe

pid	process
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe
268	roveddixelms.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exeroveddixelms.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
Token: SeDebugPrivilege	268	roveddixelms.exe
Token: SeIncreaseQuotaPrivilege	1676	WMIC.exe
Token: SeSecurityPrivilege	1676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1676	WMIC.exe
Token: SeLoadDriverPrivilege	1676	WMIC.exe
Token: SeSystemProfilePrivilege	1676	WMIC.exe
Token: SeSystemtimePrivilege	1676	WMIC.exe
Token: SeProfSingleProcessPrivilege	1676	WMIC.exe
Token: SeIncBasePriorityPrivilege	1676	WMIC.exe
Token: SeCreatePagefilePrivilege	1676	WMIC.exe
Token: SeBackupPrivilege	1676	WMIC.exe
Token: SeRestorePrivilege	1676	WMIC.exe
Token: SeShutdownPrivilege	1676	WMIC.exe
Token: SeDebugPrivilege	1676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1676	WMIC.exe
Token: SeRemoteShutdownPrivilege	1676	WMIC.exe
Token: SeUndockPrivilege	1676	WMIC.exe
Token: SeManageVolumePrivilege	1676	WMIC.exe
Token: 33	1676	WMIC.exe
Token: 34	1676	WMIC.exe
Token: 35	1676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1676	WMIC.exe
Token: SeSecurityPrivilege	1676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1676	WMIC.exe
Token: SeLoadDriverPrivilege	1676	WMIC.exe
Token: SeSystemProfilePrivilege	1676	WMIC.exe
Token: SeSystemtimePrivilege	1676	WMIC.exe
Token: SeProfSingleProcessPrivilege	1676	WMIC.exe
Token: SeIncBasePriorityPrivilege	1676	WMIC.exe
Token: SeCreatePagefilePrivilege	1676	WMIC.exe
Token: SeBackupPrivilege	1676	WMIC.exe
Token: SeRestorePrivilege	1676	WMIC.exe
Token: SeShutdownPrivilege	1676	WMIC.exe
Token: SeDebugPrivilege	1676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1676	WMIC.exe
Token: SeRemoteShutdownPrivilege	1676	WMIC.exe
Token: SeUndockPrivilege	1676	WMIC.exe
Token: SeManageVolumePrivilege	1676	WMIC.exe
Token: 33	1676	WMIC.exe
Token: 34	1676	WMIC.exe
Token: 35	1676	WMIC.exe
Token: SeBackupPrivilege	1772	vssvc.exe
Token: SeRestorePrivilege	1772	vssvc.exe
Token: SeAuditPrivilege	1772	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exeroveddixelms.exe

pid process

1976 5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
1360 roveddixelms.exe

pid	process
1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
1360	roveddixelms.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exeroveddixelms.exeroveddixelms.exe

description	pid	process	target process
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1976 wrote to memory of 1408	1976	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
PID 1408 wrote to memory of 1360	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	roveddixelms.exe
PID 1408 wrote to memory of 1360	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	roveddixelms.exe
PID 1408 wrote to memory of 1360	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	roveddixelms.exe
PID 1408 wrote to memory of 1360	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	roveddixelms.exe
PID 1408 wrote to memory of 1788	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	cmd.exe
PID 1408 wrote to memory of 1788	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	cmd.exe
PID 1408 wrote to memory of 1788	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	cmd.exe
PID 1408 wrote to memory of 1788	1408	5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe	cmd.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 1360 wrote to memory of 268	1360	roveddixelms.exe	roveddixelms.exe
PID 268 wrote to memory of 1676	268	roveddixelms.exe	WMIC.exe
PID 268 wrote to memory of 1676	268	roveddixelms.exe	WMIC.exe
PID 268 wrote to memory of 1676	268	roveddixelms.exe	WMIC.exe
PID 268 wrote to memory of 1676	268	roveddixelms.exe	WMIC.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

roveddixelms.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	roveddixelms.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	roveddixelms.exe

C:\Users\Admin\AppData\Local\Temp\5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
"C:\Users\Admin\AppData\Local\Temp\5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe
"C:\Users\Admin\AppData\Local\Temp\5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\roveddixelms.exe
C:\Windows\roveddixelms.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\roveddixelms.exe
C:\Windows\roveddixelms.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:268

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\571946~1.EXE
3⤵
- Deletes itself
PID:1788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\roveddixelms.exe
Filesize
368KB

MD5
65440340932ca8194b58ab27a078d4b5

SHA1
3c8690d9c4b8de49ba2ed4ceae26468a3b4220fe

SHA256
5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8

SHA512
23934b41dadc45710bf8c598923c481af643416c0f3cc9e71f7314204fa80bd1a90afe58933911ec03b5cd9cbef93b4328404564a40793de2e75f34c02451410

Download Submit
C:\Windows\roveddixelms.exe
Filesize
368KB

MD5
65440340932ca8194b58ab27a078d4b5

SHA1
3c8690d9c4b8de49ba2ed4ceae26468a3b4220fe

SHA256
5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8

SHA512
23934b41dadc45710bf8c598923c481af643416c0f3cc9e71f7314204fa80bd1a90afe58933911ec03b5cd9cbef93b4328404564a40793de2e75f34c02451410

Download Submit
C:\Windows\roveddixelms.exe
Filesize
368KB

MD5
65440340932ca8194b58ab27a078d4b5

SHA1
3c8690d9c4b8de49ba2ed4ceae26468a3b4220fe

SHA256
5719460c6ef7567bb9481de8d0fadd3b54bcf9202ad16279975c5fa99d3c93c8

SHA512
23934b41dadc45710bf8c598923c481af643416c0f3cc9e71f7314204fa80bd1a90afe58933911ec03b5cd9cbef93b4328404564a40793de2e75f34c02451410

Download Submit
memory/268-96-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/268-95-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/268-94-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/268-90-0x0000000000417D60-mapping.dmp

Download
memory/1360-73-0x0000000000000000-mapping.dmp

Download
memory/1408-71-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1408-77-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1408-56-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1408-72-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1408-67-0x0000000000417D60-mapping.dmp

Download
memory/1408-66-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1408-57-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1408-59-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1408-63-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1408-61-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1676-97-0x0000000000000000-mapping.dmp

Download
memory/1788-76-0x0000000000000000-mapping.dmp

Download
memory/1976-69-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/1976-54-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download
memory/1976-55-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads