62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490

General

Target

62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
Size

446KB
MD5

11ff8a8e9a643deff1dcf58e7e2fdf20
SHA1

40b1d84b341bae23dc5cfa8dd1c44cf96294cd54
SHA256

62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490
SHA512

29499106387047744693da395da8aeb695933579f7b1f5dd23613059591215ca60be4021286c04cacf5c02e5726ab28fe2ed15b0a9b6c12571b88532eec156f1
SSDEEP

12288:/uPIb4kzPgkrw1k2Fr8+o/tH18wtuomhUqlDykX:SItUkrQ5Fr6/n82yblmg

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lradawop = "C:\\Windows\\ehixoniz.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe

description	pid	process	target process
PID 3156 set thread context of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3544 set thread context of 1064	3544	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\ehixoniz.exe explorer.exe
File opened for modification C:\Windows\ehixoniz.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1900 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1976 vssvc.exe
Token: SeRestorePrivilege 1976 vssvc.exe
Token: SeAuditPrivilege 1976 vssvc.exe

description	ioc	process
File created	C:\Windows\ehixoniz.exe	explorer.exe
File opened for modification	C:\Windows\ehixoniz.exe	explorer.exe

pid	process
1900	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exeexplorer.exe

C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
"C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
"C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe"¶C:\Users\Admin\AppData\Local\Temp\62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uwiryzenebaxoxoc\01000000
Filesize
446KB

MD5
b47f943f502acd0bb7d5e6981504f230

SHA1
e536bfdd82bed444a8e094cb406b1f8a49a0fbe3

SHA256
eb727709ce0f220d90d272e69746b71ce7a4f6f0708c3bd0c4795df683509db4

SHA512
6984f3a1122c70e811f4c269cde43a48928451a67f55341cd04844e2ae55d274f1b560fe27e54600735396aa5a8b46f26150b061f093cacf3d508647f0d9b698

Download Submit
memory/1064-137-0x0000000000000000-mapping.dmp

Download
memory/1064-138-0x0000000000E80000-0x0000000000EBD000-memory.dmp

Filesize
244KB

Download
memory/1064-143-0x0000000000E80000-0x0000000000EBD000-memory.dmp

Filesize
244KB

Download
memory/1064-144-0x0000000000E80000-0x0000000000EBD000-memory.dmp

Filesize
244KB

Download
memory/1900-142-0x0000000000000000-mapping.dmp

Download
memory/3544-132-0x0000000000000000-mapping.dmp

Download
memory/3544-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

description	pid	process	target process
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3156 wrote to memory of 3544	3156	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe
PID 3544 wrote to memory of 1064	3544	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	explorer.exe
PID 3544 wrote to memory of 1064	3544	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	explorer.exe
PID 3544 wrote to memory of 1064	3544	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	explorer.exe
PID 3544 wrote to memory of 1064	3544	62d0ce15d2dc5825d4bf46690bc296547387f6b74304ba6a6fedbebba440a490.exe	explorer.exe
PID 1064 wrote to memory of 1900	1064	explorer.exe	vssadmin.exe
PID 1064 wrote to memory of 1900	1064	explorer.exe	vssadmin.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads