7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee

General

Target

7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
Size

478KB
MD5

3346650620e7a2161f761bb9d1958220
SHA1

1c7e265e0a9c7cacc4f073f506279907d02ed6fb
SHA256

7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee
SHA512

a7f1ad5b86b89428518d6452d63e27fc2a26f30cb869e65ce1e5acb7b484f4ea0fb9bc4108655d80d9d13bcdc56527cfffd86b2f60a1bfd573dfa5694bde9d6a
SSDEEP

6144:bicL4qwxpzEaqcQMfx/o9JAKcQrdSTfXE1Sp2XyWOfevI0Fzm12qlw:bnUlbz3H/o99cOSTf0S2Xyk1f8w

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\esukixap = "C:\\Windows\\ogefyrul.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe

description	pid	process	target process
PID 784 set thread context of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 2028 set thread context of 936	2028	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\ogefyrul.exe explorer.exe
File created C:\Windows\ogefyrul.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1356 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 560 vssvc.exe
Token: SeRestorePrivilege 560 vssvc.exe
Token: SeAuditPrivilege 560 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\ogefyrul.exe	explorer.exe
File created	C:\Windows\ogefyrul.exe	explorer.exe

pid	process
1356	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	560	vssvc.exe
Token: SeRestorePrivilege	560	vssvc.exe
Token: SeAuditPrivilege	560	vssvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exeexplorer.exe

description	pid	process	target process
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 784 wrote to memory of 2028	784	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
PID 2028 wrote to memory of 936	2028	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	explorer.exe
PID 2028 wrote to memory of 936	2028	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	explorer.exe
PID 2028 wrote to memory of 936	2028	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	explorer.exe
PID 2028 wrote to memory of 936	2028	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	explorer.exe
PID 2028 wrote to memory of 936	2028	7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe	explorer.exe
PID 936 wrote to memory of 1356	936	explorer.exe	vssadmin.exe
PID 936 wrote to memory of 1356	936	explorer.exe	vssadmin.exe
PID 936 wrote to memory of 1356	936	explorer.exe	vssadmin.exe
PID 936 wrote to memory of 1356	936	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
"C:\Users\Admin\AppData\Local\Temp\7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe
"C:\Users\Admin\AppData\Local\Temp\7a0dc2d9d5c14e0869ef9caa240bc24d170130b5c5689ef1f83454e97a14feee.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\itepoqipifegakiz\01000000

Filesize
478KB

MD5
95063b75f01b11000d62328e4d42da38

SHA1
10464acd2d4d4f3a53ad236fe73db928e2f5f663

SHA256
f296f942d023579ceb4d6f4f3439486cf6523cd74175b396ce8112a2e792d7c1

SHA512
3603ec1943306cd502d316bf782abd13877239c8b0bfef1815394954d6a84e65e84f321a614f5d32953a5ae4ac0cfe12532ae27ff684da3bdd647bfc04b0601c

Download Submit
memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/936-81-0x0000000072311000-0x0000000072313000-memory.dmp

Filesize
8KB

Download
memory/936-80-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/936-76-0x00000000746B1000-0x00000000746B3000-memory.dmp

Filesize
8KB

Download
memory/936-74-0x000000000009A9D0-mapping.dmp

Download
memory/936-72-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/936-70-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1356-79-0x0000000000000000-mapping.dmp

Download
memory/2028-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-65-0x000000000040B283-mapping.dmp

Download
memory/2028-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-78-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads