38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131

General

Target

38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe
Size

639KB
MD5

589dbede3625d0fd43edb065b960d810
SHA1

803b7f8a439d024984f96f5c670cdcbf3d35d00e
SHA256

38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131
SHA512

58261cdbb8770e05e614a0b97a8c975adbe8303966246fc4d3f4b2d73ae2797e6484c54a9d667d23595e273fa3dc01754ac43725595718c597fee4b45b2ca2ab
SSDEEP

12288:YMu3qmIifAhqDX2GrMEMRfrKnpth0WA80c3xjAfOvNa:f05DX2Go1RMLhEw8WM

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajaxidag = "\"C:\\Windows\\adubaqet.exe\""	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1232 set thread context of 1696	1232	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	29

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\adubaqet.exe	explorer.exe
File created	C:\Windows\adubaqet.exe	explorer.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
892	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	980	vssvc.exe
Token: SeRestorePrivilege	980	vssvc.exe
Token: SeAuditPrivilege	980	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe
1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1340 wrote to memory of 1232	1340	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	28
PID 1232 wrote to memory of 1696	1232	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	29
PID 1232 wrote to memory of 1696	1232	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	29
PID 1232 wrote to memory of 1696	1232	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	29
PID 1232 wrote to memory of 1696	1232	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	29
PID 1232 wrote to memory of 1696	1232	38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe	29
PID 1696 wrote to memory of 892	1696	explorer.exe	30
PID 1696 wrote to memory of 892	1696	explorer.exe	30
PID 1696 wrote to memory of 892	1696	explorer.exe	30
PID 1696 wrote to memory of 892	1696	explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe
"C:\Users\Admin\AppData\Local\Temp\38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe
  "C:\Users\Admin\AppData\Local\Temp\38687ba43a7985f681919df62c40e848e0d7f663ab01f2036f250400eecda131.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\system32\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies Internet Explorer Phishing Filter
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\iwumyqytawumecyj\01000000

Filesize
639KB

MD5
5f8e626eead6ec30ebdedb4043c0b375

SHA1
75ac84e261225146e8bbc6a13fa39a554da00329

SHA256
e35dec983f5c7cc4d71a445a89f482a97e1119bcb892191699f5f1090e1ba90a

SHA512
ed16181df6b0aa3d967523febca99273a57c36fbd3d2f98c2e97769c68c9f9ee3044a43530b7602b3a01cebc7a150a41863edcd7ff10f9f1e822f471c03cd920

Download Submit
memory/1232-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-66-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1232-67-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-77-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1696-75-0x00000000749C1000-0x00000000749C3000-memory.dmp

Filesize
8KB

Download
memory/1696-71-0x00000000000C0000-0x00000000000F8000-memory.dmp

Filesize
224KB

Download
memory/1696-78-0x00000000000C0000-0x00000000000F8000-memory.dmp

Filesize
224KB

Download
memory/1696-69-0x00000000000C0000-0x00000000000F8000-memory.dmp

Filesize
224KB

Download
memory/1696-80-0x0000000072621000-0x0000000072623000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads