31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5

General

Target

31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
Size

527KB
MD5

253491ad824e156971c957cd15254844
SHA1

d47161e939cc823a331fff50859b915c3f876342
SHA256

31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5
SHA512

6ba1b7ecb435bccab47b96eb5f008b84003c5fd7518df4aee221004e669c9bd4b8e93163f7755f474102142c63f7c3d753e466483a3d82e418aa4cea127bb53f
SSDEEP

6144:O6LMUW1qIa6s/Ab/f+4tD7kVkBtx2rqD7Hg3fWsPJWojKwfybrU0hN+oZTc2:Dof12/U/f+4dkKBWrasvLhWWKwfb0+oj

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrebafuq = "C:\\Windows\\ohurfqif.exe"	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe

pid process

1616 31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe

pid	process
1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe

description	pid	process	target process
PID 1616 set thread context of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 4656 set thread context of 4160	4656	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\ohurfqif.exe explorer.exe
File created C:\Windows\ohurfqif.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1748 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4416 vssvc.exe
Token: SeRestorePrivilege 4416 vssvc.exe
Token: SeAuditPrivilege 4416 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\ohurfqif.exe	explorer.exe
File created	C:\Windows\ohurfqif.exe	explorer.exe

pid	process
1748	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	4416	vssvc.exe
Token: SeRestorePrivilege	4416	vssvc.exe
Token: SeAuditPrivilege	4416	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exeexplorer.exe

C:\Users\Admin\AppData\Local\Temp\31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
"C:\Users\Admin\AppData\Local\Temp\31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
"C:\Users\Admin\AppData\Local\Temp\31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ihyzetobyzizyqeq\01000000

Filesize
527KB

MD5
17e3a7aa932f0e9da6cf852f0b47ac03

SHA1
8034cb51703cfc380aa7796df4e3a1e73a9bf0b4

SHA256
5997c68ba01b0490e062f336e85caa9cd2341d3a3db3237a5e0c840a90eb55b9

SHA512
ae4945bbb5d00036f81b7c97f50036370476d2a2b70824c1c889103c92af07011d7f8c8d326d67af9e0210b7ac4e361aec8152feb0669ac5a43e472bd5b77569

Download Submit
memory/1616-133-0x0000000000400000-0x0000000001299000-memory.dmp

Filesize
14.6MB

Download
memory/1616-132-0x0000000000400000-0x0000000001299000-memory.dmp

Filesize
14.6MB

Download
memory/1616-138-0x0000000000400000-0x0000000001299000-memory.dmp

Filesize
14.6MB

Download
memory/1748-145-0x0000000000000000-mapping.dmp

Download
memory/4160-140-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/4160-146-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/4160-139-0x0000000000000000-mapping.dmp

Download
memory/4656-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4656-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4656-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4656-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4656-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4656-134-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 1616 wrote to memory of 4656	1616	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe
PID 4656 wrote to memory of 4160	4656	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	explorer.exe
PID 4656 wrote to memory of 4160	4656	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	explorer.exe
PID 4656 wrote to memory of 4160	4656	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	explorer.exe
PID 4656 wrote to memory of 4160	4656	31cbc1ad9f119d6d8eff0d01e07e130ff7c12761e9345a525613106b9c6bc8d5.exe	explorer.exe
PID 4160 wrote to memory of 1748	4160	explorer.exe	vssadmin.exe
PID 4160 wrote to memory of 1748	4160	explorer.exe	vssadmin.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads