48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb

General

Target

48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
Size

469KB
MD5

4a4baf09600a0da0e803d4f7716642a3
SHA1

7c84b6cd0a2f50f74522fbcced39d5e85ab45389
SHA256

48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb
SHA512

f4c78f68df0d0160b0312fa787414c49f30b91c9fae21114ecf04725203949249226c3f4b49df8e35ddef5aed9bdb69f60d7b712516b0f0424d354c3c8c8cdb9
SSDEEP

6144:kicL4qsxpzEHqcQLwIpVsBNzrn2xxHIFRU0POzzqexpKkpsszhNoFji5NDdvFZV:knUZbzS15NXn2xCH92GuzPpvFT

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\urghavxw = "C:\\Windows\\uhumiten.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe

description	pid	process	target process
PID 996 set thread context of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 1516 set thread context of 860	1516	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\uhumiten.exe explorer.exe
File created C:\Windows\uhumiten.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1976 vssadmin.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe

pid process

996 48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1752 vssvc.exe
Token: SeRestorePrivilege 1752 vssvc.exe
Token: SeAuditPrivilege 1752 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\uhumiten.exe	explorer.exe
File created	C:\Windows\uhumiten.exe	explorer.exe

pid	process
1976	vssadmin.exe

pid	process
996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe

description	pid	process
Token: SeBackupPrivilege	1752	vssvc.exe
Token: SeRestorePrivilege	1752	vssvc.exe
Token: SeAuditPrivilege	1752	vssvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exeexplorer.exe

description	pid	process	target process
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 996 wrote to memory of 1516	996	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
PID 1516 wrote to memory of 860	1516	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	explorer.exe
PID 1516 wrote to memory of 860	1516	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	explorer.exe
PID 1516 wrote to memory of 860	1516	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	explorer.exe
PID 1516 wrote to memory of 860	1516	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	explorer.exe
PID 1516 wrote to memory of 860	1516	48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe	explorer.exe
PID 860 wrote to memory of 1976	860	explorer.exe	vssadmin.exe
PID 860 wrote to memory of 1976	860	explorer.exe	vssadmin.exe
PID 860 wrote to memory of 1976	860	explorer.exe	vssadmin.exe
PID 860 wrote to memory of 1976	860	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
"C:\Users\Admin\AppData\Local\Temp\48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe
"C:\Users\Admin\AppData\Local\Temp\48e92e0a73d05721e7e50a28df98ea879246970c1c0c5cdd66b635485ef3dfcb.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oqixicudoparelom\01000000
Filesize
469KB

MD5
28d5f399beeddcf32c349dc75afcbd2c

SHA1
df53438ededc368ed5edf6f215972c220c56904d

SHA256
e8a693e3ad4e287df7d130b2b6badc731cc107edc887d27c754407f253d1099c

SHA512
fcca60d6b4696d205f0686541e689d968ddfc6b254b5d97881f4a9eba1cf90ed7db8e12a5ff40a853fcc4a768027f02843ba6f3ba5dfbe41aa34008a954c5e6e

Download Submit
memory/860-69-0x0000000000100000-0x000000000013B000-memory.dmp

Filesize
236KB

Download
memory/860-80-0x0000000000100000-0x000000000013B000-memory.dmp

Filesize
236KB

Download
memory/860-79-0x0000000072B11000-0x0000000072B13000-memory.dmp

Filesize
8KB

Download
memory/860-75-0x0000000075061000-0x0000000075063000-memory.dmp

Filesize
8KB

Download
memory/860-71-0x0000000000100000-0x000000000013B000-memory.dmp

Filesize
236KB

Download
memory/860-73-0x0000000000119C80-mapping.dmp

Download
memory/996-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1516-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-65-0x000000000040A78E-mapping.dmp

Download
memory/1516-62-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-77-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1976-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads