cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52

General

Target

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
Size

291KB
MD5

5eec2a408bd473700b38c9e9ed9a09c8
SHA1

ac63ab147f81e9476a9e50e85086f1744ab47a7f
SHA256

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52
SHA512

a7ca04aa8b80ecfcad36284dc453eaff6f757e365d1a18ab5bf9f52118d5d0fce915cc162838f49f35b6c8d270ba422c511b13b504f8bb139a2abd3abd92dd00
SSDEEP

6144:3oTDTFUek8+IwWaVqTLgdwKSSW4wSlV1UPX/XdhDlxiK:3oxUm+rVqIdyS9wSlnUvvXlA

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\onimowiz = "C:\\Windows\\awizaqyf.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.execd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

description	pid	process	target process
PID 3948 set thread context of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 4988 set thread context of 204	4988	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\awizaqyf.exe explorer.exe
File created C:\Windows\awizaqyf.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4240 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\awizaqyf.exe	explorer.exe
File created	C:\Windows\awizaqyf.exe	explorer.exe

pid	process
4240	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

pid	process
3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4320 vssvc.exe
Token: SeRestorePrivilege 4320 vssvc.exe
Token: SeAuditPrivilege 4320 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4320	vssvc.exe
Token: SeRestorePrivilege	4320	vssvc.exe
Token: SeAuditPrivilege	4320	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

pid	process
3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.execd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exeexplorer.exe

C:\Users\Admin\AppData\Local\Temp\cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
"C:\Users\Admin\AppData\Local\Temp\cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
C:\Users\Admin\AppData\Local\Temp\cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:4240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uxyjomoreradapof\01000000

Filesize
291KB

MD5
74f541b5e4be4dce9b549f28d7fb920a

SHA1
7741761bfb9239f21b050cd200ebacb44aed2a4b

SHA256
413ef52a11a74279362552da62d446d4417e14f13a0c0571ea1bec31f6e33c2d

SHA512
9094b7dc6c8dcdc9d27a02628fdf97bfc2b78ea60eed75bd4edf88aa50bfb400f971f1bd774cdc3ea0de77387ec2f060f92be8101e3a80f3c2470a2511c71aa8

Download Submit
memory/204-139-0x0000000000CB0000-0x0000000000CED000-memory.dmp

Filesize
244KB

Download
memory/204-138-0x0000000000000000-mapping.dmp

Download
memory/204-144-0x0000000000CB0000-0x0000000000CED000-memory.dmp

Filesize
244KB

Download
memory/204-145-0x0000000000CB0000-0x0000000000CED000-memory.dmp

Filesize
244KB

Download
memory/3948-134-0x0000000002260000-0x0000000002264000-memory.dmp

Filesize
16KB

Download
memory/4240-143-0x0000000000000000-mapping.dmp

Download
memory/4988-132-0x0000000000000000-mapping.dmp

Download
memory/4988-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	pid	process	target process
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 3948 wrote to memory of 4988	3948	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe
PID 4988 wrote to memory of 204	4988	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 4988 wrote to memory of 204	4988	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 4988 wrote to memory of 204	4988	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 4988 wrote to memory of 204	4988	cd85bf4f33df12a86b8f88708e5da9c02cedbc58e87c529d6370340fdf3a0f52.exe	explorer.exe
PID 204 wrote to memory of 4240	204	explorer.exe	vssadmin.exe
PID 204 wrote to memory of 4240	204	explorer.exe	vssadmin.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads