88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2

General

Target

88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe
Size

706KB
MD5

d5ae8a95a74e4e6c37e21ba2a4eefb09
SHA1

c41fbff4e3639b2563eeb97f9a90d357a26d665c
SHA256

88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2
SHA512

a1c080195281c3b7cc6cd34cd07c1471c7abf9980b0f6b51f181bbea9055d1209c52cd46c201a365079a191c2ad9bc64907509bdcd1cc06201c6910fbadd1d71
SSDEEP

12288:vdNxMB4UKc/WL6Ls5K0NGi5n6hft0TxssvHMpssp:LxDs/ZSG/feGsvHCr

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
3516	bcdedit.exe
3612	bcdedit.exe
1844	bcdedit.exe
4856	bcdedit.exe
4284	bcdedit.exe
4320	bcdedit.exe
5028	bcdedit.exe
2872	bcdedit.exe
4228	bcdedit.exe
2688	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

zyudho.exe

description ioc process

File created C:\Windows\system32\drivers\e57182b.sys zyudho.exe
Executes dropped EXE 1 IoCs

Processes:

zyudho.exe

pid process

216 zyudho.exe

description	ioc	process
File created	C:\Windows\system32\drivers\e57182b.sys	zyudho.exe

pid	process
216	zyudho.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zyudho.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	zyudho.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zyudho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Jaulib\\zyudho.exe"	zyudho.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe

description	pid	process	target process
PID 3536 set thread context of 1584	3536	88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe	cmd.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exezyudho.exe

pid	process
3536	88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe
3536	88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe
216	zyudho.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zyudho.exe

description pid process

Token: SeShutdownPrivilege 216 zyudho.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1284 LogonUI.exe

pid	process
648

description	pid	process
Token: SeShutdownPrivilege	216	zyudho.exe

pid	process
1284	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exezyudho.exe

description	pid	process	target process
PID 3536 wrote to memory of 216	3536	88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe	zyudho.exe
PID 3536 wrote to memory of 216	3536	88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe	zyudho.exe
PID 3536 wrote to memory of 216	3536	88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe	zyudho.exe
PID 216 wrote to memory of 3516	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 3516	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 3612	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 3612	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 1844	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 1844	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 4856	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 4856	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 4284	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 4284	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 4320	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 4320	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 5028	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 5028	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 2872	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 2872	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 2688	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 2688	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 4228	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 4228	216	zyudho.exe	bcdedit.exe
PID 216 wrote to memory of 2432	216	zyudho.exe	sihost.exe
PID 216 wrote to memory of 2432	216	zyudho.exe	sihost.exe
PID 216 wrote to memory of 2432	216	zyudho.exe	sihost.exe
PID 216 wrote to memory of 2432	216	zyudho.exe	sihost.exe
PID 216 wrote to memory of 2432	216	zyudho.exe	sihost.exe
PID 216 wrote to memory of 2488	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2488	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2488	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2488	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2488	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2756	216	zyudho.exe	taskhostw.exe
PID 216 wrote to memory of 2756	216	zyudho.exe	taskhostw.exe
PID 216 wrote to memory of 2756	216	zyudho.exe	taskhostw.exe
PID 216 wrote to memory of 2756	216	zyudho.exe	taskhostw.exe
PID 216 wrote to memory of 2756	216	zyudho.exe	taskhostw.exe
PID 216 wrote to memory of 2380	216	zyudho.exe	Explorer.EXE
PID 216 wrote to memory of 2380	216	zyudho.exe	Explorer.EXE
PID 216 wrote to memory of 2380	216	zyudho.exe	Explorer.EXE
PID 216 wrote to memory of 2380	216	zyudho.exe	Explorer.EXE
PID 216 wrote to memory of 2380	216	zyudho.exe	Explorer.EXE
PID 216 wrote to memory of 2020	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2020	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2020	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2020	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 2020	216	zyudho.exe	svchost.exe
PID 216 wrote to memory of 3252	216	zyudho.exe	DllHost.exe
PID 216 wrote to memory of 3252	216	zyudho.exe	DllHost.exe
PID 216 wrote to memory of 3252	216	zyudho.exe	DllHost.exe
PID 216 wrote to memory of 3252	216	zyudho.exe	DllHost.exe
PID 216 wrote to memory of 3252	216	zyudho.exe	DllHost.exe
PID 216 wrote to memory of 3356	216	zyudho.exe	StartMenuExperienceHost.exe
PID 216 wrote to memory of 3356	216	zyudho.exe	StartMenuExperienceHost.exe
PID 216 wrote to memory of 3356	216	zyudho.exe	StartMenuExperienceHost.exe
PID 216 wrote to memory of 3356	216	zyudho.exe	StartMenuExperienceHost.exe
PID 216 wrote to memory of 3356	216	zyudho.exe	StartMenuExperienceHost.exe
PID 216 wrote to memory of 3420	216	zyudho.exe	RuntimeBroker.exe
PID 216 wrote to memory of 3420	216	zyudho.exe	RuntimeBroker.exe
PID 216 wrote to memory of 3420	216	zyudho.exe	RuntimeBroker.exe
PID 216 wrote to memory of 3420	216	zyudho.exe	RuntimeBroker.exe
PID 216 wrote to memory of 3420	216	zyudho.exe	RuntimeBroker.exe
PID 216 wrote to memory of 3500	216	zyudho.exe	SearchApp.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2432

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2340

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2480

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3660

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2020

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe
"C:\Users\Admin\AppData\Local\Temp\88757631988c9544b36f0212cf7cdf6c621d5005b99b64c238f4f7c487eb89f2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3536

C:\Users\Admin\AppData\Local\Temp\Jaulib\zyudho.exe
"C:\Users\Admin\AppData\Local\Temp\Jaulib\zyudho.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:3516

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:3612

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1844

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:4856

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:4284

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:4320

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:5028

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:2872

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:4228

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:2688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHNF070.bat"
3⤵
PID:1584

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2488

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39bc855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HHNF070.bat

Filesize
276B

MD5
839941203f66e52d1b53a2333bc34496

SHA1
99a07ae370ff24281fa16623f8c3756f1aa30c78

SHA256
0dfad574e307596843005068b9a545e9d5b33ddd205f6197054393d78c041e69

SHA512
f78d3814e0ca935b008de05108a9e84dabf39e53efba11c96437a1e5c310760088b2929f06d3e7ac0949dc59f934b443c9fd3f00a42c9d9cd824e8a2303292f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jaulib\zyudho.exe

Filesize
706KB

MD5
783e4d87d0c28f7bbb95e0852f29fda4

SHA1
eb1a985026ee18d1ce2621e5b718c6d24baf03ee

SHA256
33480c1845eec59351cecf6a22cd66332e20f13d4b4c980df6bd4179f22199e5

SHA512
4d4e7754a9079ee0bff5cfeb8c88866c8a68cac8dfadec6ad489f10a90635f18fa59a95e5cd902848fae571c5b5895815344c6aba7c3a6563924b2fa837d2d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jaulib\zyudho.exe

Filesize
706KB

MD5
783e4d87d0c28f7bbb95e0852f29fda4

SHA1
eb1a985026ee18d1ce2621e5b718c6d24baf03ee

SHA256
33480c1845eec59351cecf6a22cd66332e20f13d4b4c980df6bd4179f22199e5

SHA512
4d4e7754a9079ee0bff5cfeb8c88866c8a68cac8dfadec6ad489f10a90635f18fa59a95e5cd902848fae571c5b5895815344c6aba7c3a6563924b2fa837d2d06

Download Submit
memory/216-149-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/216-134-0x0000000000000000-mapping.dmp

Download
memory/216-138-0x0000000002240000-0x00000000022F8000-memory.dmp

Filesize
736KB

Download
memory/1584-157-0x0000000000700000-0x0000000000769000-memory.dmp

Filesize
420KB

Download
memory/1584-156-0x0000000000000000-mapping.dmp

Download
memory/1584-167-0x0000000000700000-0x0000000000769000-memory.dmp

Filesize
420KB

Download
memory/1584-165-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1584-164-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1584-163-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1584-162-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1584-161-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1584-160-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1584-159-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1844-141-0x0000000000000000-mapping.dmp

Download
memory/2688-147-0x0000000000000000-mapping.dmp

Download
memory/2872-146-0x0000000000000000-mapping.dmp

Download
memory/3516-139-0x0000000000000000-mapping.dmp

Download
memory/3536-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3536-133-0x0000000002280000-0x0000000002338000-memory.dmp

Filesize
736KB

Download
memory/3536-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3536-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3536-132-0x0000000002280000-0x0000000002338000-memory.dmp

Filesize
736KB

Download
memory/3536-158-0x0000000000590000-0x00000000005F9000-memory.dmp

Filesize
420KB

Download
memory/3536-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3536-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3536-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3612-140-0x0000000000000000-mapping.dmp

Download
memory/4228-148-0x0000000000000000-mapping.dmp

Download
memory/4284-143-0x0000000000000000-mapping.dmp

Download
memory/4320-144-0x0000000000000000-mapping.dmp

Download
memory/4856-142-0x0000000000000000-mapping.dmp

Download
memory/5028-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads