50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905

General

Target

50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
Size

554KB
MD5

4e74a52e417186ba718af37a6f53067f
SHA1

c4866fc4fde0de7ad8f49e63a590a363f432fdab
SHA256

50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905
SHA512

7c6c7f0d4e5efa7dc2f70a29328349403b749dc62a67a9c2ab8959b2f729dec3fec73116ba393e81072c7aaf332ccf5bb89fc84d80e83ac974ec25a588477102
SSDEEP

12288:YQjLuRE4xKR72qKoe/ZWsYUxUKQzZZQZsqtOqW:nLueaKR72qKoe/EhdKYavW

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ytutokaw = "\"C:\\Windows\\uduvajez.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe

description	pid	process	target process
PID 1240 set thread context of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1628 set thread context of 1492	1628	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\uduvajez.exe explorer.exe
File opened for modification C:\Windows\uduvajez.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1664 vssadmin.exe

description	ioc	process
File created	C:\Windows\uduvajez.exe	explorer.exe
File opened for modification	C:\Windows\uduvajez.exe	explorer.exe

pid	process
1664	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe

pid process

1240 50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1684 vssvc.exe
Token: SeRestorePrivilege 1684 vssvc.exe
Token: SeAuditPrivilege 1684 vssvc.exe

pid	process
1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe

description	pid	process
Token: SeBackupPrivilege	1684	vssvc.exe
Token: SeRestorePrivilege	1684	vssvc.exe
Token: SeAuditPrivilege	1684	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exeexplorer.exe

description	pid	process	target process
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1240 wrote to memory of 1628	1240	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
PID 1628 wrote to memory of 1492	1628	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	explorer.exe
PID 1628 wrote to memory of 1492	1628	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	explorer.exe
PID 1628 wrote to memory of 1492	1628	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	explorer.exe
PID 1628 wrote to memory of 1492	1628	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	explorer.exe
PID 1628 wrote to memory of 1492	1628	50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe	explorer.exe
PID 1492 wrote to memory of 1664	1492	explorer.exe	vssadmin.exe
PID 1492 wrote to memory of 1664	1492	explorer.exe	vssadmin.exe
PID 1492 wrote to memory of 1664	1492	explorer.exe	vssadmin.exe
PID 1492 wrote to memory of 1664	1492	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
"C:\Users\Admin\AppData\Local\Temp\50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe
"C:\Users\Admin\AppData\Local\Temp\50044945bf596b2da6b734d6c4d28f823d221bbbf5a008f9cb722d6b2058b905.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ywynugoxasijikec\01000000
Filesize
554KB

MD5
36c816773737570550374d2e09f05655

SHA1
c92066bc483d85137cf618e8cbb11ef5b59d67ed

SHA256
99f5116a9ed282c1c583519b3bde4adc1e99bd50c52bfbb286a9f8fc3648fb12

SHA512
8901622f02af8f5aa9ccac130c093c38d81a2da2312b10b8b4434a6f3a790aafde8372c82e8364ec048c605c823c9d3fae1fee8be1c8f01273d723a047b7a37a

Download Submit
memory/1240-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1492-69-0x00000000000E0000-0x000000000011C000-memory.dmp

Filesize
240KB

Download
memory/1492-81-0x00000000000E0000-0x000000000011C000-memory.dmp

Filesize
240KB

Download
memory/1492-80-0x00000000724E1000-0x00000000724E3000-memory.dmp

Filesize
8KB

Download
memory/1492-78-0x00000000000E0000-0x000000000011C000-memory.dmp

Filesize
240KB

Download
memory/1492-75-0x0000000074891000-0x0000000074893000-memory.dmp

Filesize
8KB

Download
memory/1492-73-0x00000000000FA160-mapping.dmp

Download
memory/1492-71-0x00000000000E0000-0x000000000011C000-memory.dmp

Filesize
240KB

Download
memory/1628-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-65-0x000000000040A61E-mapping.dmp

Download
memory/1628-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-61-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1628-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1664-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads