71e34afc13185632b41941c46dbd5c965e5570c461370182c7305b5cabdef188

General

Target

Info.Pdf____________________________________________________________.exe
Size

474KB
MD5

7e3556dc9dc56ef11af7276854f404c8
SHA1

26f676d0a6a0057fe6aa35a0d025c478d8e05741
SHA256

efd29f1af6c5e828bc4c1c980ab22ddc0a89c0c7813bf8075b8b8943edc19e5c
SHA512

d2a5b2c2ed9f628d2c85bac66eeb6af7d19d1b5baed8577acf83701d08b377c47ff3f00a5e590b96136cfab887c15d62622f54a56cc3dd23a507b985fd288bb2
SSDEEP

6144:dipL4qsxpzEOqcQLO8eNpOsYZqQJgOFATNFadd5G/c9FhkZJh4NCf0oxAOQPTRpD:d6UZbzfZmswqfNFQDuJhEJxR8L0

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ibwwaron = "C:\\Windows\\okurwroz.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Info.Pdf____________________________________________________________.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Info.Pdf____________________________________________________________.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Info.Pdf____________________________________________________________.exeInfo.Pdf____________________________________________________________.exe

description	pid	process	target process
PID 1652 set thread context of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1984 set thread context of 1560	1984	Info.Pdf____________________________________________________________.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\okurwroz.exe explorer.exe
File created C:\Windows\okurwroz.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1116 vssadmin.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Info.Pdf____________________________________________________________.exe

pid process

1652 Info.Pdf____________________________________________________________.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1692 vssvc.exe
Token: SeRestorePrivilege 1692 vssvc.exe
Token: SeAuditPrivilege 1692 vssvc.exe

description	ioc	process
File opened for modification	C:\Windows\okurwroz.exe	explorer.exe
File created	C:\Windows\okurwroz.exe	explorer.exe

pid	process
1116	vssadmin.exe

pid	process
1652	Info.Pdf____________________________________________________________.exe

description	pid	process
Token: SeBackupPrivilege	1692	vssvc.exe
Token: SeRestorePrivilege	1692	vssvc.exe
Token: SeAuditPrivilege	1692	vssvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Info.Pdf____________________________________________________________.exeInfo.Pdf____________________________________________________________.exeexplorer.exe

description	pid	process	target process
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1652 wrote to memory of 1984	1652	Info.Pdf____________________________________________________________.exe	Info.Pdf____________________________________________________________.exe
PID 1984 wrote to memory of 1560	1984	Info.Pdf____________________________________________________________.exe	explorer.exe
PID 1984 wrote to memory of 1560	1984	Info.Pdf____________________________________________________________.exe	explorer.exe
PID 1984 wrote to memory of 1560	1984	Info.Pdf____________________________________________________________.exe	explorer.exe
PID 1984 wrote to memory of 1560	1984	Info.Pdf____________________________________________________________.exe	explorer.exe
PID 1984 wrote to memory of 1560	1984	Info.Pdf____________________________________________________________.exe	explorer.exe
PID 1560 wrote to memory of 1116	1560	explorer.exe	vssadmin.exe
PID 1560 wrote to memory of 1116	1560	explorer.exe	vssadmin.exe
PID 1560 wrote to memory of 1116	1560	explorer.exe	vssadmin.exe
PID 1560 wrote to memory of 1116	1560	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Info.Pdf____________________________________________________________.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\itepoqipifegakiz\01000000
Filesize
474KB

MD5
c73cb670aa24161d8549ca421283a748

SHA1
01680d22569d2b096b7cec397a53d27cace3b4fd

SHA256
347e3eb5391e4fc911efd072bd0d98df6b567c9fbdc94e4d7d1fdec928db77a5

SHA512
cb60059650d5d5f88b52c1a38f47ba276fa245c80005ae3382e09409dbc3e22ec5684558d3d1627c4290d13d20544526f2e7ebcf985098fcdacf0584b234334f

Download Submit
memory/1116-79-0x0000000000000000-mapping.dmp

Download
memory/1560-69-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1560-81-0x0000000072311000-0x0000000072313000-memory.dmp

Filesize
8KB

Download
memory/1560-80-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1560-76-0x00000000746B1000-0x00000000746B3000-memory.dmp

Filesize
8KB

Download
memory/1560-73-0x000000000009A9D0-mapping.dmp

Download
memory/1560-71-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1652-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1984-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-65-0x000000000040B283-mapping.dmp

Download
memory/1984-75-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-78-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1984-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads