6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83

General

Target

6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
Size

557KB
MD5

65c094df3fd52240b1068d843ba91a1f
SHA1

bf071072b54701aacd3f303e94350ecce7642a50
SHA256

6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83
SHA512

ffe93848e1594a747226cd12bd58cc848ef1fb0d73e09aaa4b68b1e6901a02a35bd94ee1b324225817e0eb7bb44f7ebc4c78b5de526dc9f68b87829102816964
SSDEEP

12288:zzjLu+E49KR7KqKoeW64scN73mvT44t0K7MW/t03FroN/Ai:jLuleKR7KqKoeW641Nrq8mf7MW/t0Jox

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ezicecyd = "\"C:\\Windows\\onerhzad.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe

description	pid	process	target process
PID 1112 set thread context of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1420 set thread context of 1768	1420	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\onerhzad.exe explorer.exe
File created C:\Windows\onerhzad.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1668 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\onerhzad.exe	explorer.exe
File created	C:\Windows\onerhzad.exe	explorer.exe

pid	process
1668	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe

pid process

1112 6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1264 vssvc.exe
Token: SeRestorePrivilege 1264 vssvc.exe
Token: SeAuditPrivilege 1264 vssvc.exe

pid	process
1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe

description	pid	process
Token: SeBackupPrivilege	1264	vssvc.exe
Token: SeRestorePrivilege	1264	vssvc.exe
Token: SeAuditPrivilege	1264	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exeexplorer.exe

description	pid	process	target process
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1112 wrote to memory of 1420	1112	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
PID 1420 wrote to memory of 1768	1420	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	explorer.exe
PID 1420 wrote to memory of 1768	1420	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	explorer.exe
PID 1420 wrote to memory of 1768	1420	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	explorer.exe
PID 1420 wrote to memory of 1768	1420	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	explorer.exe
PID 1420 wrote to memory of 1768	1420	6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe	explorer.exe
PID 1768 wrote to memory of 1668	1768	explorer.exe	vssadmin.exe
PID 1768 wrote to memory of 1668	1768	explorer.exe	vssadmin.exe
PID 1768 wrote to memory of 1668	1768	explorer.exe	vssadmin.exe
PID 1768 wrote to memory of 1668	1768	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
"C:\Users\Admin\AppData\Local\Temp\6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe
"C:\Users\Admin\AppData\Local\Temp\6bf4433fbea4827e61ee5239a7c0a17b1ea592c77dc75e5e156f41aa7a2eca83.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ycofydacamomuzax\01000000
Filesize
557KB

MD5
4a3dcd4622df780e6f5055ca2a8acdbc

SHA1
501b7e53466a9c7b7bd800514cfb169c6316df39

SHA256
a7426352878b029a4d36d7c076898c83196911de08d1c4604ef2cdf5cf437369

SHA512
43b02a90649512618519fc3025e1da35117d58f66eb468cc03fe92554dc7bb63d872dadbdd6ef07080a819a5f1ae5766e90087f90b1f9e1c8a38e40a548afcbf

Download Submit
memory/1112-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1420-65-0x000000000040A61E-mapping.dmp

Download
memory/1420-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-76-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1668-80-0x0000000000000000-mapping.dmp

Download
memory/1768-69-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1768-77-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1768-75-0x0000000074CB1000-0x0000000074CB3000-memory.dmp

Filesize
8KB

Download
memory/1768-73-0x000000000009A140-mapping.dmp

Download
memory/1768-71-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1768-81-0x0000000072851000-0x0000000072853000-memory.dmp

Filesize
8KB

Download
memory/1768-82-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads