ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65

General

Target

ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
Size

531KB
MD5

400d4d727950f4d6de451115b8c4cfc1
SHA1

e97b06dc654b70c6c117e7b2e91c9916a06e85a4
SHA256

ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65
SHA512

0d2d90ed3bef2f321629e63e672855ab9d4c3015970b35990147bdc14c87e657ca6c4178402f77f6e0d35ef82ce338c499b634faf928590d4717ef28d535d281
SSDEEP

6144:LUv7JBskamattpI16Mu4isYwNMQ9PRKeIXIRTjv1ECkrQUK:AvqNsieIk3v1eUf

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awizysis = "C:\\Windows\\okikamof.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exeee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe

description	pid	process	target process
PID 1292 set thread context of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 328 set thread context of 560	328	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\okikamof.exe explorer.exe
File created C:\Windows\okikamof.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

764 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1700 vssvc.exe
Token: SeRestorePrivilege 1700 vssvc.exe
Token: SeAuditPrivilege 1700 vssvc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe

pid process

1292 ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe

description	ioc	process
File opened for modification	C:\Windows\okikamof.exe	explorer.exe
File created	C:\Windows\okikamof.exe	explorer.exe

pid	process
764	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe

pid	process
1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exeee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exeexplorer.exe

description	pid	process	target process
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 1292 wrote to memory of 328	1292	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
PID 328 wrote to memory of 560	328	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	explorer.exe
PID 328 wrote to memory of 560	328	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	explorer.exe
PID 328 wrote to memory of 560	328	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	explorer.exe
PID 328 wrote to memory of 560	328	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	explorer.exe
PID 328 wrote to memory of 560	328	ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe	explorer.exe
PID 560 wrote to memory of 764	560	explorer.exe	vssadmin.exe
PID 560 wrote to memory of 764	560	explorer.exe	vssadmin.exe
PID 560 wrote to memory of 764	560	explorer.exe	vssadmin.exe
PID 560 wrote to memory of 764	560	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
"C:\Users\Admin\AppData\Local\Temp\ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe
"C:\Users\Admin\AppData\Local\Temp\ee177b068a2ac964536637fe4f04ff2deed524e981e69f5cceb2e0dd935c3f65.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ewosolyzuhobytal\01000000

Filesize
531KB

MD5
36ad0d6ee950275d288480e24f812bfd

SHA1
9dd2572045452dcff3bb8062314817b5b57e84b5

SHA256
d06e19904d9a5b3873ded58d05d83a9c78789935522f4b3b838d1b5d456f7e0c

SHA512
38dfdcc7841edcee3a6f08d78bbe1a1a43954c5f283996d266d9f0d0e2de66ec67e1ac5a5663ef774ba115c86a253af7586677814f7ebfa6eeb43387b2f04390

Download Submit
memory/328-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/328-59-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/328-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/328-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/328-57-0x000000000040A7BE-mapping.dmp

Download
memory/560-61-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/560-63-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/560-65-0x0000000000099C80-mapping.dmp

Download
memory/560-67-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/560-70-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/560-72-0x0000000072AE1000-0x0000000072AE3000-memory.dmp

Filesize
8KB

Download
memory/764-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads