560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5

General

Target

560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe
Size

334KB
MD5

297d424347e669aa6e1ba055008f83f7
SHA1

a80df965e8346b04f254bd965091a9279a0076ed
SHA256

560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5
SHA512

0bb9d1ed58af93aa372c7c62179505bae1a1305006dc2b65cd36d5d0bce4c9774baf71ed19ca849dc1d3f85bc3e3e533aa0e756e8f85c76c28a3ddf5445d6cf6

Score

10^/10

persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-335065374-4263250628-1829373619-1000\Recovery+cojbh.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/50EEE69D6322F6C3 2. http://b4youfred5485jgsa3453f.italazudda.com/50EEE69D6322F6C3 3. http://5rport45vcdef345adfkksawe.bematvocal.at/50EEE69D6322F6C3 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/50EEE69D6322F6C3 4. Follow the instructions on the site. ---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/50EEE69D6322F6C3 http://b4youfred5485jgsa3453f.italazudda.com/50EEE69D6322F6C3 http://5rport45vcdef345adfkksawe.bematvocal.at/50EEE69D6322F6C3 *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/50EEE69D6322F6C3 *-*-* Your personal identification ID: 50EEE69D6322F6C3

URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/50EEE69D6322F6C3

http://b4youfred5485jgsa3453f.italazudda.com/50EEE69D6322F6C3

http://5rport45vcdef345adfkksawe.bematvocal.at/50EEE69D6322F6C3

http://fwgrhsao3aoml7ej.onion/50EEE69D6322F6C3

http://fwgrhsao3aoml7ej.ONION/50EEE69D6322F6C3

Signatures

suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

dkobqouqvvrm.exe

pid process

1428 dkobqouqvvrm.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

dkobqouqvvrm.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\InvokeExport.raw => C:\Users\Admin\Pictures\InvokeExport.raw.mp3	dkobqouqvvrm.exe
File renamed	C:\Users\Admin\Pictures\ReceiveInvoke.raw => C:\Users\Admin\Pictures\ReceiveInvoke.raw.mp3	dkobqouqvvrm.exe
File renamed	C:\Users\Admin\Pictures\UnblockUninstall.png => C:\Users\Admin\Pictures\UnblockUninstall.png.mp3	dkobqouqvvrm.exe
File renamed	C:\Users\Admin\Pictures\UnlockLock.raw => C:\Users\Admin\Pictures\UnlockLock.raw.mp3	dkobqouqvvrm.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2032 cmd.exe

pid	process
2032	cmd.exe

Drops startup file 3 IoCs

Processes:

dkobqouqvvrm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+cojbh.png	dkobqouqvvrm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dkobqouqvvrm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run	dkobqouqvvrm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\mnferimxmrat = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\dkobqouqvvrm.exe\""	dkobqouqvvrm.exe

Drops file in Program Files directory 64 IoCs

Processes:

dkobqouqvvrm.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Journal\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jre7\README.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\Recovery+cojbh.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\Recovery+cojbh.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\Recovery+cojbh.html	dkobqouqvvrm.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\Recovery+cojbh.txt	dkobqouqvvrm.exe

Drops file in Windows directory 2 IoCs

Processes:

560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe

description	ioc	process
File created	C:\Windows\dkobqouqvvrm.exe	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe
File opened for modification	C:\Windows\dkobqouqvvrm.exe	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EDC70D1-0BF0-11ED-A4CA-E6B1751AC39B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2016 NOTEPAD.EXE

pid	process
2016	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dkobqouqvvrm.exe

pid	process
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe
1428	dkobqouqvvrm.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exedkobqouqvvrm.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe
Token: SeDebugPrivilege	1428	dkobqouqvvrm.exe
Token: SeIncreaseQuotaPrivilege	1764	WMIC.exe
Token: SeSecurityPrivilege	1764	WMIC.exe
Token: SeTakeOwnershipPrivilege	1764	WMIC.exe
Token: SeLoadDriverPrivilege	1764	WMIC.exe
Token: SeSystemProfilePrivilege	1764	WMIC.exe
Token: SeSystemtimePrivilege	1764	WMIC.exe
Token: SeProfSingleProcessPrivilege	1764	WMIC.exe
Token: SeIncBasePriorityPrivilege	1764	WMIC.exe
Token: SeCreatePagefilePrivilege	1764	WMIC.exe
Token: SeBackupPrivilege	1764	WMIC.exe
Token: SeRestorePrivilege	1764	WMIC.exe
Token: SeShutdownPrivilege	1764	WMIC.exe
Token: SeDebugPrivilege	1764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1764	WMIC.exe
Token: SeRemoteShutdownPrivilege	1764	WMIC.exe
Token: SeUndockPrivilege	1764	WMIC.exe
Token: SeManageVolumePrivilege	1764	WMIC.exe
Token: 33	1764	WMIC.exe
Token: 34	1764	WMIC.exe
Token: 35	1764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1764	WMIC.exe
Token: SeSecurityPrivilege	1764	WMIC.exe
Token: SeTakeOwnershipPrivilege	1764	WMIC.exe
Token: SeLoadDriverPrivilege	1764	WMIC.exe
Token: SeSystemProfilePrivilege	1764	WMIC.exe
Token: SeSystemtimePrivilege	1764	WMIC.exe
Token: SeProfSingleProcessPrivilege	1764	WMIC.exe
Token: SeIncBasePriorityPrivilege	1764	WMIC.exe
Token: SeCreatePagefilePrivilege	1764	WMIC.exe
Token: SeBackupPrivilege	1764	WMIC.exe
Token: SeRestorePrivilege	1764	WMIC.exe
Token: SeShutdownPrivilege	1764	WMIC.exe
Token: SeDebugPrivilege	1764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1764	WMIC.exe
Token: SeRemoteShutdownPrivilege	1764	WMIC.exe
Token: SeUndockPrivilege	1764	WMIC.exe
Token: SeManageVolumePrivilege	1764	WMIC.exe
Token: 33	1764	WMIC.exe
Token: 34	1764	WMIC.exe
Token: 35	1764	WMIC.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2040 iexplore.exe
1224 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2040 iexplore.exe
2040 iexplore.exe
1760 IEXPLORE.EXE
1760 IEXPLORE.EXE

pid	process
2040	iexplore.exe
1224	DllHost.exe

pid	process
2040	iexplore.exe
2040	iexplore.exe
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exedkobqouqvvrm.exeiexplore.exe

description	pid	process	target process
PID 1932 wrote to memory of 1428	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe	dkobqouqvvrm.exe
PID 1932 wrote to memory of 1428	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe	dkobqouqvvrm.exe
PID 1932 wrote to memory of 1428	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe	dkobqouqvvrm.exe
PID 1932 wrote to memory of 1428	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe	dkobqouqvvrm.exe
PID 1932 wrote to memory of 2032	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe	cmd.exe
PID 1932 wrote to memory of 2032	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe	cmd.exe
PID 1932 wrote to memory of 2032	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe	cmd.exe
PID 1932 wrote to memory of 2032	1932	560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe	cmd.exe
PID 1428 wrote to memory of 1764	1428	dkobqouqvvrm.exe	WMIC.exe
PID 1428 wrote to memory of 1764	1428	dkobqouqvvrm.exe	WMIC.exe
PID 1428 wrote to memory of 1764	1428	dkobqouqvvrm.exe	WMIC.exe
PID 1428 wrote to memory of 1764	1428	dkobqouqvvrm.exe	WMIC.exe
PID 1428 wrote to memory of 2016	1428	dkobqouqvvrm.exe	NOTEPAD.EXE
PID 1428 wrote to memory of 2016	1428	dkobqouqvvrm.exe	NOTEPAD.EXE
PID 1428 wrote to memory of 2016	1428	dkobqouqvvrm.exe	NOTEPAD.EXE
PID 1428 wrote to memory of 2016	1428	dkobqouqvvrm.exe	NOTEPAD.EXE
PID 1428 wrote to memory of 2040	1428	dkobqouqvvrm.exe	iexplore.exe
PID 1428 wrote to memory of 2040	1428	dkobqouqvvrm.exe	iexplore.exe
PID 1428 wrote to memory of 2040	1428	dkobqouqvvrm.exe	iexplore.exe
PID 1428 wrote to memory of 2040	1428	dkobqouqvvrm.exe	iexplore.exe
PID 2040 wrote to memory of 1760	2040	iexplore.exe	IEXPLORE.EXE
PID 2040 wrote to memory of 1760	2040	iexplore.exe	IEXPLORE.EXE
PID 2040 wrote to memory of 1760	2040	iexplore.exe	IEXPLORE.EXE
PID 2040 wrote to memory of 1760	2040	iexplore.exe	IEXPLORE.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

dkobqouqvvrm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dkobqouqvvrm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	dkobqouqvvrm.exe

C:\Users\Admin\AppData\Local\Temp\560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe
"C:\Users\Admin\AppData\Local\Temp\560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\dkobqouqvvrm.exe
C:\Windows\dkobqouqvvrm.exe
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1428

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
3⤵
- Opens file in notepad (likely ransom note)
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\560C2B~1.EXE
2⤵
- Deletes itself
PID:2032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\RECOVERY.HTM
Filesize
8KB

MD5
4090d0891afa4210a6c021eb73d0332e

SHA1
6b22dc84d0e0eb82d6255b772f15ccd6732fcb97

SHA256
aad03372000615cec2a41d4c7af277f18e2c0bbf7be51eb323f3502dfc8d08c3

SHA512
75e5d155cf0f61a21326931b1b347d85feff7ffa78a54b6812f0cd856e420c3bf0f18606f9f7180880edd42389db6bb3151748702be9c2fb4c3244d538807a6d

Download Submit
C:\Users\Admin\Desktop\RECOVERY.TXT
Filesize
2KB

MD5
70d83140e3241972512140313f92658f

SHA1
2e09bf84590d3f26307c9a25029cac70184a58a8

SHA256
1efcdbd57764fbec1a159e90fca11b04812a32757b81f534b5d42c06dda781c7

SHA512
6dc16901e7d5a5dcecd94b6ce4f7b1f671b5a978d6c3b7f127656e73f0328667ec0f49dfcd3eb86abeed1b5d6876bc47fa63b95673e4f882ec2bcb688958bb7e

Download Submit
C:\Users\Admin\Desktop\RECOVERY.png
Filesize
68KB

MD5
5cf7a4bf3936609df3c8022996eebe11

SHA1
a7d2392c8c5f5bdcb8ee5d66eb85f5226474875f

SHA256
1a7ba6b46c050620cad9b51390634b099b7b4a9bc547b173c864f8c73f2f79eb

SHA512
a521be01b0ae6c9b60cd77bd878f4e2da4e4667083ddf0769dee5571313e70534429e9f304eb22780501081e7d5ea1e9908cc9b13d5384dba0be0d42471e9026

Download Submit
C:\Windows\dkobqouqvvrm.exe
Filesize
334KB

MD5
297d424347e669aa6e1ba055008f83f7

SHA1
a80df965e8346b04f254bd965091a9279a0076ed

SHA256
560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5

SHA512
0bb9d1ed58af93aa372c7c62179505bae1a1305006dc2b65cd36d5d0bce4c9774baf71ed19ca849dc1d3f85bc3e3e533aa0e756e8f85c76c28a3ddf5445d6cf6

Download Submit
C:\Windows\dkobqouqvvrm.exe
Filesize
334KB

MD5
297d424347e669aa6e1ba055008f83f7

SHA1
a80df965e8346b04f254bd965091a9279a0076ed

SHA256
560c2b56abc7854631568fda3564a898927a840cf0f65e21e192c7159b9b97c5

SHA512
0bb9d1ed58af93aa372c7c62179505bae1a1305006dc2b65cd36d5d0bce4c9774baf71ed19ca849dc1d3f85bc3e3e533aa0e756e8f85c76c28a3ddf5445d6cf6

Download Submit
memory/1428-64-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1428-62-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1428-57-0x0000000000000000-mapping.dmp

Download
memory/1764-65-0x0000000000000000-mapping.dmp

Download
memory/1932-61-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1932-56-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1932-55-0x0000000000350000-0x000000000037D000-memory.dmp

Filesize
180KB

Download
memory/2016-66-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads