5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b

General

Target

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Size

416KB
MD5

121e0d2c092d76e599e925f0b96746a3
SHA1

6b0311750c7e712b4de156dda496bb88705c8e1b
SHA256

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b
SHA512

b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4

Score

10^/10

persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1101907861-274115917-2188613224-1000\Recovery+aqsdn.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://p57gest54celltraf743knjf.mottesapo.com/9DBF1B10D7701699 2. http://k4restportgonst34d23r.oftpony.at/9DBF1B10D7701699 3. http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/9DBF1B10D7701699 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/9DBF1B10D7701699 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *** Your personal pages: http://p57gest54celltraf743knjf.mottesapo.com/9DBF1B10D7701699 http://k4restportgonst34d23r.oftpony.at/9DBF1B10D7701699 http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/9DBF1B10D7701699 *** Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/9DBF1B10D7701699 *** Your personal identification ID: 9DBF1B10D7701699

URLs

http://p57gest54celltraf743knjf.mottesapo.com/9DBF1B10D7701699

http://k4restportgonst34d23r.oftpony.at/9DBF1B10D7701699

http://rr7mdgjbjhbefvkhbashrg.ginnypecht.com/9DBF1B10D7701699

http://fwgrhsao3aoml7ej.onion/9DBF1B10D7701699

http://fwgrhsao3aoml7ej.ONION/9DBF1B10D7701699

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

pfvvraltodor.exepfvvraltodor.exedlnyr.exe

pid process

2452 pfvvraltodor.exe
2456 pfvvraltodor.exe
1640 dlnyr.exe

pid	process
2452	pfvvraltodor.exe
2456	pfvvraltodor.exe
1640	dlnyr.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

pfvvraltodor.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MergeClose.png => C:\Users\Admin\Pictures\MergeClose.png.mp3	pfvvraltodor.exe
File renamed	C:\Users\Admin\Pictures\RedoGet.raw => C:\Users\Admin\Pictures\RedoGet.raw.mp3	pfvvraltodor.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exedlnyr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	dlnyr.exe

Drops startup file 6 IoCs

Processes:

pfvvraltodor.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+aqsdn.html	pfvvraltodor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pfvvraltodor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\Run	pfvvraltodor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12_23-dst = "C:\\Windows\\pfvvraltodor.exe"	pfvvraltodor.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exepfvvraltodor.exe

description	pid	process	target process
PID 3996 set thread context of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 2452 set thread context of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe

Drops file in Program Files directory 64 IoCs

Processes:

pfvvraltodor.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-20.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-150.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\SmallTile.scale-200.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-125.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-400.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-24_altform-unplated.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-white.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\it-IT\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\splashscreen.scale-100.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\Doughboy.scale-125.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\weather_2_travel.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-white.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\3px.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36_altform-unplated.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\winsdkfb\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-150.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Sunset.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxMetadata\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache.scale-100.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-30.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_star_Loud.m4a	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\SplashScreen.scale-200.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBarNotificationLogo.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-24.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-125.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-125.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-100_contrast-black.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-125.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Recovery+aqsdn.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-100_contrast-black.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-24_contrast-black.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-125.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-100.png	pfvvraltodor.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\Recovery+aqsdn.txt	pfvvraltodor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+aqsdn.html	pfvvraltodor.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-black_scale-100.png	pfvvraltodor.exe

Drops file in Windows directory 2 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe

description	ioc	process
File created	C:\Windows\pfvvraltodor.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
File opened for modification	C:\Windows\pfvvraltodor.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4220 vssadmin.exe

pid	process
4220	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pfvvraltodor.exe

pid	process
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe
2456	pfvvraltodor.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exepfvvraltodor.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1944	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
Token: SeDebugPrivilege	2456	pfvvraltodor.exe
Token: SeBackupPrivilege	1736	vssvc.exe
Token: SeRestorePrivilege	1736	vssvc.exe
Token: SeAuditPrivilege	1736	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exepfvvraltodor.exe

pid process

3996 5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
2452 pfvvraltodor.exe

pid	process
3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
2452	pfvvraltodor.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exepfvvraltodor.exepfvvraltodor.exedlnyr.exe

description	pid	process	target process
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 3996 wrote to memory of 1944	3996	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
PID 1944 wrote to memory of 2452	1944	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	pfvvraltodor.exe
PID 1944 wrote to memory of 2452	1944	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	pfvvraltodor.exe
PID 1944 wrote to memory of 2452	1944	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	pfvvraltodor.exe
PID 1944 wrote to memory of 4364	1944	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	cmd.exe
PID 1944 wrote to memory of 4364	1944	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	cmd.exe
PID 1944 wrote to memory of 4364	1944	5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe	cmd.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2452 wrote to memory of 2456	2452	pfvvraltodor.exe	pfvvraltodor.exe
PID 2456 wrote to memory of 1640	2456	pfvvraltodor.exe	dlnyr.exe
PID 2456 wrote to memory of 1640	2456	pfvvraltodor.exe	dlnyr.exe
PID 2456 wrote to memory of 1640	2456	pfvvraltodor.exe	dlnyr.exe
PID 1640 wrote to memory of 4220	1640	dlnyr.exe	vssadmin.exe
PID 1640 wrote to memory of 4220	1640	dlnyr.exe	vssadmin.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

pfvvraltodor.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	pfvvraltodor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	pfvvraltodor.exe

C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
"C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe
"C:\Users\Admin\AppData\Local\Temp\5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\pfvvraltodor.exe
C:\Windows\pfvvraltodor.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\pfvvraltodor.exe
C:\Windows\pfvvraltodor.exe
4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2456

C:\Users\Admin\Documents\dlnyr.exe
C:\Users\Admin\Documents\dlnyr.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
6⤵
- Interacts with shadow copies
PID:4220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\5638C4~1.EXE
3⤵
PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\dlnyr.exe
Filesize
5KB

MD5
34d3f2e3fd92cd38a103d415dbb22936

SHA1
abdcf16a82cf8d3109ec39203181d839f2154a68

SHA256
5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25

SHA512
bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92

Download Submit
C:\Users\Admin\Documents\dlnyr.exe
Filesize
5KB

MD5
34d3f2e3fd92cd38a103d415dbb22936

SHA1
abdcf16a82cf8d3109ec39203181d839f2154a68

SHA256
5119839eaaf7dfc670c7d2c8a83e74f895e07fab5f22c379185769eed07ece25

SHA512
bc76ed0fe69ab38f66217f4b4aec79947e706136aecc5a42840ccd963799c8c175dc796d92be678b2b1e55d22c3a97fb4b9e00f6879958ae5a5bb2081ae7ad92

Download Submit
C:\Windows\pfvvraltodor.exe
Filesize
416KB

MD5
121e0d2c092d76e599e925f0b96746a3

SHA1
6b0311750c7e712b4de156dda496bb88705c8e1b

SHA256
5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b

SHA512
b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4

Download Submit
C:\Windows\pfvvraltodor.exe
Filesize
416KB

MD5
121e0d2c092d76e599e925f0b96746a3

SHA1
6b0311750c7e712b4de156dda496bb88705c8e1b

SHA256
5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b

SHA512
b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4

Download Submit
C:\Windows\pfvvraltodor.exe
Filesize
416KB

MD5
121e0d2c092d76e599e925f0b96746a3

SHA1
6b0311750c7e712b4de156dda496bb88705c8e1b

SHA256
5638c4d8dc87ed5a2ea5bf600bb3c90a01c742fa09973e9bfdb066a94836490b

SHA512
b9fd5ceb2b8ef2375dbd6698fa12e98e8ce184801dcbfa7bcf9196aaf91ac875b3b8972f686801c9988d543d423adbd46bd8a6dd616238db47aeb9a96ba324a4

Download Submit
memory/1640-147-0x0000000000000000-mapping.dmp

Download
memory/1944-133-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1944-135-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1944-136-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1944-132-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1944-131-0x0000000000000000-mapping.dmp

Download
memory/1944-141-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2452-137-0x0000000000000000-mapping.dmp

Download
memory/2456-146-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2456-145-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2456-142-0x0000000000000000-mapping.dmp

Download
memory/2456-151-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2456-152-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3996-130-0x0000000000C80000-0x0000000000C83000-memory.dmp

Filesize
12KB

Download
memory/3996-134-0x0000000000C80000-0x0000000000C83000-memory.dmp

Filesize
12KB

Download
memory/4220-150-0x0000000000000000-mapping.dmp

Download
memory/4364-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads