3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3

General

Target

3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
Size

482KB
MD5

eefb361a598211ef2a468017d1a3bb2c
SHA1

c51f28a9ceb78a3920a766874dc1b4601f1ba443
SHA256

3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3
SHA512

c7a5ea8c5da3c19b1c44af93a2914271f3a4833fe788f3875c122014f1f308b8dacfec92504d8db5a5cecaf66d63a74edebbfdfa2cf4df5fdc8866b8657cc76d
SSDEEP

6144:kioL4qsxpzE0qcQL/RPsBllXpA0iIOg2OJR7R7XxTD10rNptyEG/62z9bxvoYal3:kDUZbz1X8GvAY0vopR8ZKFVMiYaI

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ujefokaf = "C:\\Windows\\ewlnelul.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe

description	pid	process	target process
PID 1988 set thread context of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 480 set thread context of 1756	480	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\ewlnelul.exe explorer.exe
File created C:\Windows\ewlnelul.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1320 vssadmin.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe

pid process

1988 3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1020 vssvc.exe
Token: SeRestorePrivilege 1020 vssvc.exe
Token: SeAuditPrivilege 1020 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\ewlnelul.exe	explorer.exe
File created	C:\Windows\ewlnelul.exe	explorer.exe

pid	process
1320	vssadmin.exe

pid	process
1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe

description	pid	process
Token: SeBackupPrivilege	1020	vssvc.exe
Token: SeRestorePrivilege	1020	vssvc.exe
Token: SeAuditPrivilege	1020	vssvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exeexplorer.exe

description	pid	process	target process
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 1988 wrote to memory of 480	1988	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
PID 480 wrote to memory of 1756	480	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	explorer.exe
PID 480 wrote to memory of 1756	480	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	explorer.exe
PID 480 wrote to memory of 1756	480	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	explorer.exe
PID 480 wrote to memory of 1756	480	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	explorer.exe
PID 480 wrote to memory of 1756	480	3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe	explorer.exe
PID 1756 wrote to memory of 1320	1756	explorer.exe	vssadmin.exe
PID 1756 wrote to memory of 1320	1756	explorer.exe	vssadmin.exe
PID 1756 wrote to memory of 1320	1756	explorer.exe	vssadmin.exe
PID 1756 wrote to memory of 1320	1756	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
"C:\Users\Admin\AppData\Local\Temp\3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe
"C:\Users\Admin\AppData\Local\Temp\3cf9b5ce45b7349947d4b1ec0edcd24f72b93b4a7bcfb1f0dfccccdab76a82a3.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\itepoqipifegakiz\01000000
Filesize
482KB

MD5
79f358fe968e8ad028114a697a2b95a4

SHA1
0c3fbefb1aa0541aed78fd8bd0bc52f981c334e4

SHA256
040349407ed756cc9683e33ef4e57e5bf46817c80f69460da3ddb8783af4a8b3

SHA512
afd1e4521f3ede3a1401c56622cc81e489ef6f26b0dda446956a9d3ab6ac4a732391cc425c905d767536badc01d942aa6b0d46268cda575bab4b46590faa1247

Download Submit
memory/480-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-65-0x000000000040B283-mapping.dmp

Download
memory/480-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/480-78-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1320-80-0x0000000000000000-mapping.dmp

Download
memory/1756-81-0x00000000722D1000-0x00000000722D3000-memory.dmp

Filesize
8KB

Download
memory/1756-76-0x0000000074721000-0x0000000074723000-memory.dmp

Filesize
8KB

Download
memory/1756-74-0x00000000000FA9D0-mapping.dmp

Download
memory/1756-70-0x00000000000E0000-0x000000000011C000-memory.dmp

Filesize
240KB

Download
memory/1756-79-0x00000000000E0000-0x000000000011C000-memory.dmp

Filesize
240KB

Download
memory/1756-72-0x00000000000E0000-0x000000000011C000-memory.dmp

Filesize
240KB

Download
memory/1988-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads