cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52

General

Target

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
Size

291KB
MD5

5eec2a408bd473700b38c9e9ed9a09c8
SHA1

ac63ab147f81e9476a9e50e85086f1744ab47a7f
SHA256

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52
SHA512

a7ca04aa8b80ecfcad36284dc453eaff6f757e365d1a18ab5bf9f52118d5d0fce915cc162838f49f35b6c8d270ba422c511b13b504f8bb139a2abd3abd92dd00
SSDEEP

6144:3oTDTFUek8+IwWaVqTLgdwKSSW4wSlV1UPX/XdhDlxiK:3oxUm+rVqIdyS9wSlnUvvXlA

Score

9^/10

collection evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\onkrijis = "C:\\Windows\\eqovpplk.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.execd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

description	pid	process	target process
PID 620 set thread context of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 1188 set thread context of 1908	1188	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\eqovpplk.exe explorer.exe
File created C:\Windows\eqovpplk.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1816 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

pid process

620 cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 360 vssvc.exe
Token: SeRestorePrivilege 360 vssvc.exe
Token: SeAuditPrivilege 360 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\eqovpplk.exe	explorer.exe
File created	C:\Windows\eqovpplk.exe	explorer.exe

pid	process
1816	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	360	vssvc.exe
Token: SeRestorePrivilege	360	vssvc.exe
Token: SeAuditPrivilege	360	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

pid	process
620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.execd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exeexplorer.exe

description	pid	process	target process
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 620 wrote to memory of 1188	620	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 1188 wrote to memory of 1908	1188	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 1188 wrote to memory of 1908	1188	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 1188 wrote to memory of 1908	1188	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 1188 wrote to memory of 1908	1188	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 1188 wrote to memory of 1908	1188	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 1908 wrote to memory of 1816	1908	explorer.exe	vssadmin.exe
PID 1908 wrote to memory of 1816	1908	explorer.exe	vssadmin.exe
PID 1908 wrote to memory of 1816	1908	explorer.exe	vssadmin.exe
PID 1908 wrote to memory of 1816	1908	explorer.exe	vssadmin.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

C:\Users\Admin\AppData\Local\Temp\cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
"C:\Users\Admin\AppData\Local\Temp\cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
C:\Users\Admin\AppData\Local\Temp\cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1908

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uxyjomoreradapof\01000000

Filesize
291KB

MD5
74f541b5e4be4dce9b549f28d7fb920a

SHA1
7741761bfb9239f21b050cd200ebacb44aed2a4b

SHA256
413ef52a11a74279362552da62d446d4417e14f13a0c0571ea1bec31f6e33c2d

SHA512
9094b7dc6c8dcdc9d27a02628fdf97bfc2b78ea60eed75bd4edf88aa50bfb400f971f1bd774cdc3ea0de77387ec2f060f92be8101e3a80f3c2470a2511c71aa8

Download Submit
memory/620-54-0x00000000002D0000-0x000000000037C000-memory.dmp

Filesize
688KB

Download
memory/620-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-67-0x00000000004A0000-0x00000000004A4000-memory.dmp

Filesize
16KB

Download
memory/1188-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-66-0x000000000040A78E-mapping.dmp

Download
memory/1188-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-59-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1816-81-0x0000000000000000-mapping.dmp

Download
memory/1908-75-0x000000000009ADA0-mapping.dmp

Download
memory/1908-77-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1908-73-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/1908-71-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/1908-80-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/1908-82-0x0000000072EC1000-0x0000000072EC3000-memory.dmp

Filesize
8KB

Download
memory/1908-83-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads