17f8366d6fd211cb3e4e43578cedef2e72b61f6103e3f53969ea59b222e323a1

General

Target

Processing.Pdf____________________________________________________________.exe
Size

474KB
MD5

7e3556dc9dc56ef11af7276854f404c8
SHA1

26f676d0a6a0057fe6aa35a0d025c478d8e05741
SHA256

efd29f1af6c5e828bc4c1c980ab22ddc0a89c0c7813bf8075b8b8943edc19e5c
SHA512

d2a5b2c2ed9f628d2c85bac66eeb6af7d19d1b5baed8577acf83701d08b377c47ff3f00a5e590b96136cfab887c15d62622f54a56cc3dd23a507b985fd288bb2
SSDEEP

6144:dipL4qsxpzEOqcQLO8eNpOsYZqQJgOFATNFadd5G/c9FhkZJh4NCf0oxAOQPTRpD:d6UZbzfZmswqfNFQDuJhEJxR8L0

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ybufmvov = "C:\\Windows\\etetadul.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Processing.Pdf____________________________________________________________.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Processing.Pdf____________________________________________________________.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Processing.Pdf____________________________________________________________.exeProcessing.Pdf____________________________________________________________.exe

description	pid	process	target process
PID 620 set thread context of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 856 set thread context of 1684	856	Processing.Pdf____________________________________________________________.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\etetadul.exe explorer.exe
File created C:\Windows\etetadul.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1752 vssadmin.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Processing.Pdf____________________________________________________________.exe

pid process

620 Processing.Pdf____________________________________________________________.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1644 vssvc.exe
Token: SeRestorePrivilege 1644 vssvc.exe
Token: SeAuditPrivilege 1644 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\etetadul.exe	explorer.exe
File created	C:\Windows\etetadul.exe	explorer.exe

pid	process
1752	vssadmin.exe

pid	process
620	Processing.Pdf____________________________________________________________.exe

description	pid	process
Token: SeBackupPrivilege	1644	vssvc.exe
Token: SeRestorePrivilege	1644	vssvc.exe
Token: SeAuditPrivilege	1644	vssvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Processing.Pdf____________________________________________________________.exeProcessing.Pdf____________________________________________________________.exeexplorer.exe

description	pid	process	target process
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 620 wrote to memory of 856	620	Processing.Pdf____________________________________________________________.exe	Processing.Pdf____________________________________________________________.exe
PID 856 wrote to memory of 1684	856	Processing.Pdf____________________________________________________________.exe	explorer.exe
PID 856 wrote to memory of 1684	856	Processing.Pdf____________________________________________________________.exe	explorer.exe
PID 856 wrote to memory of 1684	856	Processing.Pdf____________________________________________________________.exe	explorer.exe
PID 856 wrote to memory of 1684	856	Processing.Pdf____________________________________________________________.exe	explorer.exe
PID 856 wrote to memory of 1684	856	Processing.Pdf____________________________________________________________.exe	explorer.exe
PID 1684 wrote to memory of 1752	1684	explorer.exe	vssadmin.exe
PID 1684 wrote to memory of 1752	1684	explorer.exe	vssadmin.exe
PID 1684 wrote to memory of 1752	1684	explorer.exe	vssadmin.exe
PID 1684 wrote to memory of 1752	1684	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Processing.Pdf____________________________________________________________.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\itepoqipifegakiz\01000000

Filesize
474KB

MD5
c73cb670aa24161d8549ca421283a748

SHA1
01680d22569d2b096b7cec397a53d27cace3b4fd

SHA256
347e3eb5391e4fc911efd072bd0d98df6b567c9fbdc94e4d7d1fdec928db77a5

SHA512
cb60059650d5d5f88b52c1a38f47ba276fa245c80005ae3382e09409dbc3e22ec5684558d3d1627c4290d13d20544526f2e7ebcf985098fcdacf0584b234334f

Download Submit
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/856-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-77-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-65-0x000000000040B283-mapping.dmp

Download
memory/856-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/856-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1684-73-0x000000000010A9D0-mapping.dmp

Download
memory/1684-75-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1684-71-0x00000000000F0000-0x000000000012C000-memory.dmp

Filesize
240KB

Download
memory/1684-69-0x00000000000F0000-0x000000000012C000-memory.dmp

Filesize
240KB

Download
memory/1684-79-0x00000000000F0000-0x000000000012C000-memory.dmp

Filesize
240KB

Download
memory/1684-80-0x0000000072EC1000-0x0000000072EC3000-memory.dmp

Filesize
8KB

Download
memory/1752-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads