cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d

General

Target

cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
Size

288KB
MD5

508136766c7ea2f26ef44ffd81a63bcb
SHA1

0f7fefc95164729f34722fee9b752627b3236209
SHA256

cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d
SHA512

d72736c719264a10b77f33953bb171cdf390ac624d3acfef4da401cd3f711606f43a245ab8e89c5c98512339f8d5002bfb51c3594ca364146cf83215a6f96a82
SSDEEP

6144:Bo/sqyUU6zRcHhF4gXfA7kqtcYngjtlycJey498lY:Bqsq9U6zRcHMgvA7dtcagCHy498lY

Score

9^/10

collection evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upzhexim = "C:\\Windows\\ohiffzew.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.execd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe

description	pid	process	target process
PID 1768 set thread context of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1332 set thread context of 1168	1332	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\ohiffzew.exe explorer.exe
File created C:\Windows\ohiffzew.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

560 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe

pid process

1768 cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1880 vssvc.exe
Token: SeRestorePrivilege 1880 vssvc.exe
Token: SeAuditPrivilege 1880 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\ohiffzew.exe	explorer.exe
File created	C:\Windows\ohiffzew.exe	explorer.exe

pid	process
560	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1880	vssvc.exe
Token: SeRestorePrivilege	1880	vssvc.exe
Token: SeAuditPrivilege	1880	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe

pid	process
1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.execd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exeexplorer.exe

description	pid	process	target process
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1768 wrote to memory of 1332	1768	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
PID 1332 wrote to memory of 1168	1332	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	explorer.exe
PID 1332 wrote to memory of 1168	1332	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	explorer.exe
PID 1332 wrote to memory of 1168	1332	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	explorer.exe
PID 1332 wrote to memory of 1168	1332	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	explorer.exe
PID 1332 wrote to memory of 1168	1332	cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe	explorer.exe
PID 1168 wrote to memory of 560	1168	explorer.exe	vssadmin.exe
PID 1168 wrote to memory of 560	1168	explorer.exe	vssadmin.exe
PID 1168 wrote to memory of 560	1168	explorer.exe	vssadmin.exe
PID 1168 wrote to memory of 560	1168	explorer.exe	vssadmin.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

C:\Users\Admin\AppData\Local\Temp\cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
"C:\Users\Admin\AppData\Local\Temp\cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
C:\Users\Admin\AppData\Local\Temp\cd6a182636d6726056705ee3cc1a18b1d7f2420b39af1b6cec2baab0b4baed7d.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1168

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uxyjomoreradapof\01000000
Filesize
288KB

MD5
37775c42b1390dab3cf9319f435ae042

SHA1
624048eb8c7549520ae7a59eba82f946ca299e8f

SHA256
21dc4258d72c363c39fa8e2cc95a79f6e73b7c13f8fd3264bc2d15568c4aaaa3

SHA512
e361af595c405d041f3e60c00d4ba163abba570bea22a21ec7938ccbb10f88775d850521a79a29b3d3ec8c3e98878d80fc40a998850c6330143bb882913d5633

Download Submit
memory/560-81-0x0000000000000000-mapping.dmp

Download
memory/1168-71-0x00000000000D0000-0x000000000010D000-memory.dmp

Filesize
244KB

Download
memory/1168-83-0x00000000000D0000-0x000000000010D000-memory.dmp

Filesize
244KB

Download
memory/1168-82-0x00000000721B1000-0x00000000721B3000-memory.dmp

Filesize
8KB

Download
memory/1168-80-0x00000000000D0000-0x000000000010D000-memory.dmp

Filesize
244KB

Download
memory/1168-77-0x0000000074701000-0x0000000074703000-memory.dmp

Filesize
8KB

Download
memory/1168-75-0x00000000000EADA0-mapping.dmp

Download
memory/1168-73-0x00000000000D0000-0x000000000010D000-memory.dmp

Filesize
244KB

Download
memory/1332-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-66-0x000000000040A78E-mapping.dmp

Download
memory/1332-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-59-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1332-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1768-67-0x0000000000300000-0x0000000000304000-memory.dmp

Filesize
16KB

Download
memory/1768-54-0x0000000000220000-0x00000000002CC000-memory.dmp

Filesize
688KB

Download
memory/1768-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads