5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b

General

Target

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Size

416KB
MD5

121e0d2c092d76e599e925f0b96746a3
SHA1

6b0311750c7e712b4de156dda496bb88705c8e1b
SHA256

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b
SHA512

b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4

Score

10^/10

persistence ransomware suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4084403625-2215941253-1760665084-1000\Recovery+oetxw.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://p57gest54celltraf743knjf.mottesapo.com/BF6A638F93F05150 2. http://k4restportgonst34d23r.oftpony.at/BF6A638F93F05150 3. http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/BF6A638F93F05150 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/BF6A638F93F05150 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *** Your personal pages: http://p57gest54celltraf743knjf.mottesapo.com/BF6A638F93F05150 http://k4restportgonst34d23r.oftpony.at/BF6A638F93F05150 http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/BF6A638F93F05150 *** Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/BF6A638F93F05150 *** Your personal identification ID: BF6A638F93F05150

URLs

http://p57gest54celltraf743knjf.mottesapo.com/BF6A638F93F05150

http://k4restportgonst34d23r.oftpony.at/BF6A638F93F05150

http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/BF6A638F93F05150

http://fwgrhsao3aoml7ej.onion/BF6A638F93F05150

http://fwgrhsao3aoml7ej.ONION/BF6A638F93F05150

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

gfuvlpmofebw.exegfuvlpmofebw.exehebtt.exe

pid process

1208 gfuvlpmofebw.exe
1632 gfuvlpmofebw.exe
1508 hebtt.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1288 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

gfuvlpmofebw.exe

pid process

1632 gfuvlpmofebw.exe

pid	process
1208	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1508	hebtt.exe

pid	process
1288	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gfuvlpmofebw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run	gfuvlpmofebw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\12_23-dst = "C:\\Windows\\gfuvlpmofebw.exe"	gfuvlpmofebw.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exegfuvlpmofebw.exe

description	pid	process	target process
PID 1360 set thread context of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1208 set thread context of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe

Drops file in Program Files directory 64 IoCs

Processes:

gfuvlpmofebw.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\License.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\ado\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\Recovery+oetxw.html	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\Recovery+oetxw.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Recovery+oetxw.png	gfuvlpmofebw.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\Recovery+oetxw.html	gfuvlpmofebw.exe

Drops file in Windows directory 2 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe

description	ioc	process
File created	C:\Windows\gfuvlpmofebw.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
File opened for modification	C:\Windows\gfuvlpmofebw.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2044 vssadmin.exe

pid	process
2044	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gfuvlpmofebw.exe

pid	process
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe
1632	gfuvlpmofebw.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exegfuvlpmofebw.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Token: SeDebugPrivilege	1632	gfuvlpmofebw.exe
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exegfuvlpmofebw.exe

pid process

1360 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
1208 gfuvlpmofebw.exe

pid	process
1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
1208	gfuvlpmofebw.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exegfuvlpmofebw.exegfuvlpmofebw.exehebtt.exe

description	pid	process	target process
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1360 wrote to memory of 2004	1360	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 2004 wrote to memory of 1208	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	gfuvlpmofebw.exe
PID 2004 wrote to memory of 1208	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	gfuvlpmofebw.exe
PID 2004 wrote to memory of 1208	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	gfuvlpmofebw.exe
PID 2004 wrote to memory of 1208	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	gfuvlpmofebw.exe
PID 2004 wrote to memory of 1288	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	cmd.exe
PID 2004 wrote to memory of 1288	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	cmd.exe
PID 2004 wrote to memory of 1288	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	cmd.exe
PID 2004 wrote to memory of 1288	2004	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	cmd.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1208 wrote to memory of 1632	1208	gfuvlpmofebw.exe	gfuvlpmofebw.exe
PID 1632 wrote to memory of 1508	1632	gfuvlpmofebw.exe	hebtt.exe
PID 1632 wrote to memory of 1508	1632	gfuvlpmofebw.exe	hebtt.exe
PID 1632 wrote to memory of 1508	1632	gfuvlpmofebw.exe	hebtt.exe
PID 1632 wrote to memory of 1508	1632	gfuvlpmofebw.exe	hebtt.exe
PID 1508 wrote to memory of 2044	1508	hebtt.exe	vssadmin.exe
PID 1508 wrote to memory of 2044	1508	hebtt.exe	vssadmin.exe
PID 1508 wrote to memory of 2044	1508	hebtt.exe	vssadmin.exe
PID 1508 wrote to memory of 2044	1508	hebtt.exe	vssadmin.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

gfuvlpmofebw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	gfuvlpmofebw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	gfuvlpmofebw.exe

C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
"C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
"C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\gfuvlpmofebw.exe
C:\Windows\gfuvlpmofebw.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\gfuvlpmofebw.exe
C:\Windows\gfuvlpmofebw.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1632

C:\Users\Admin\Documents\hebtt.exe
C:\Users\Admin\Documents\hebtt.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
6⤵
- Interacts with shadow copies
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5638C4~1.EXE
3⤵
- Deletes itself
PID:1288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\hebtt.exe
Filesize
5KB

MD5
34d3f2e3fd92cd38a103d415dbb22936

SHA1
abdcf16a82cf8d3109ec39203181d839f2154a68

SHA256
5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25

SHA512
bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92

Download Submit
C:\Windows\gfuvlpmofebw.exe
Filesize
416KB

MD5
121e0d2c092d76e599e925f0b96746a3

SHA1
6b0311750c7e712b4de156dda496bb88705c8e1b

SHA256
5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b

SHA512
b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4

Download Submit
C:\Windows\gfuvlpmofebw.exe
Filesize
416KB

MD5
121e0d2c092d76e599e925f0b96746a3

SHA1
6b0311750c7e712b4de156dda496bb88705c8e1b

SHA256
5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b

SHA512
b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4

Download Submit
C:\Windows\gfuvlpmofebw.exe
Filesize
416KB

MD5
121e0d2c092d76e599e925f0b96746a3

SHA1
6b0311750c7e712b4de156dda496bb88705c8e1b

SHA256
5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b

SHA512
b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4

Download Submit
\Users\Admin\Documents\hebtt.exe
Filesize
5KB

MD5
34d3f2e3fd92cd38a103d415dbb22936

SHA1
abdcf16a82cf8d3109ec39203181d839f2154a68

SHA256
5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25

SHA512
bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92

Download Submit
memory/1208-73-0x0000000000000000-mapping.dmp

Download
memory/1288-76-0x0000000000000000-mapping.dmp

Download
memory/1360-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1360-69-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/1360-55-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/1508-98-0x0000000000000000-mapping.dmp

Download
memory/1632-94-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1632-95-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1632-90-0x000000000041A920-mapping.dmp

Download
memory/1632-96-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-63-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-77-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-72-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-71-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-67-0x000000000041A920-mapping.dmp

Download
memory/2004-66-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-64-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-61-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-59-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-57-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2004-56-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2044-101-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads