156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a

General

Target

156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe
Size

777KB
MD5

f498b490551fb872aded182a378be645
SHA1

4a946d7700af23de8d376061fd8c3a504e08dd14
SHA256

156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a
SHA512

2aa9f069bd9e7ace1d689031ec6d7e08b2afe71f7b0fe5e0f0b916ca1ff74799590a2feef4e9de5155c48bf83691d307a87bbbed11b4619b25127a588842fb95
SSDEEP

12288:6ztHM/d+Ba5WQUhat0w64lyMvYL8ZxFJC0uMONbwWQsV3v7X4D7vA0lvtwC6/6U7:Nwc53xt0wjJvYLUx1uMOJvj4f9

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2028	bcdedit.exe
1572	bcdedit.exe
956	bcdedit.exe
1760	bcdedit.exe
1740	bcdedit.exe
1244	bcdedit.exe
320	bcdedit.exe
2044	bcdedit.exe
1948	bcdedit.exe
1028	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

oppeab.exe

description ioc process

File created C:\Windows\system32\drivers\6bf844.sys oppeab.exe
Executes dropped EXE 1 IoCs

Processes:

oppeab.exe

pid process

1724 oppeab.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

776 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe

pid process

1112 156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe

description	ioc	process
File created	C:\Windows\system32\drivers\6bf844.sys	oppeab.exe

pid	process
1724	oppeab.exe

pid	process
776	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

oppeab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	oppeab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Oppeab = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Taevhe\\oppeab.exe"	oppeab.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe

description pid process target process

PID 1112 set thread context of 776 1112 156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe cmd.exe

description	pid	process	target process
PID 1112 set thread context of 776	1112	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exeoppeab.exe

pid	process
1112	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe
1724	oppeab.exe
1724	oppeab.exe
1724	oppeab.exe
1724	oppeab.exe
1724	oppeab.exe
1724	oppeab.exe
1724	oppeab.exe
1724	oppeab.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exeoppeab.exe

description	pid	process	target process
PID 1112 wrote to memory of 1724	1112	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe	oppeab.exe
PID 1112 wrote to memory of 1724	1112	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe	oppeab.exe
PID 1112 wrote to memory of 1724	1112	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe	oppeab.exe
PID 1112 wrote to memory of 1724	1112	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe	oppeab.exe
PID 1724 wrote to memory of 2028	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 2028	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 2028	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 2028	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1572	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1572	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1572	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1572	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 956	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 956	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 956	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 956	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1760	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1760	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1760	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1760	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1244	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1244	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1244	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1244	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1740	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1740	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1740	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1740	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 2044	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 2044	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 2044	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 2044	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 320	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 320	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 320	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 320	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1028	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1028	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1028	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1028	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1948	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1948	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1948	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1948	1724	oppeab.exe	bcdedit.exe
PID 1724 wrote to memory of 1148	1724	oppeab.exe	taskhost.exe
PID 1724 wrote to memory of 1148	1724	oppeab.exe	taskhost.exe
PID 1724 wrote to memory of 1148	1724	oppeab.exe	taskhost.exe
PID 1724 wrote to memory of 1148	1724	oppeab.exe	taskhost.exe
PID 1724 wrote to memory of 1148	1724	oppeab.exe	taskhost.exe
PID 1724 wrote to memory of 1248	1724	oppeab.exe	Dwm.exe
PID 1724 wrote to memory of 1248	1724	oppeab.exe	Dwm.exe
PID 1724 wrote to memory of 1248	1724	oppeab.exe	Dwm.exe
PID 1724 wrote to memory of 1248	1724	oppeab.exe	Dwm.exe
PID 1724 wrote to memory of 1248	1724	oppeab.exe	Dwm.exe
PID 1724 wrote to memory of 1276	1724	oppeab.exe	Explorer.EXE
PID 1724 wrote to memory of 1276	1724	oppeab.exe	Explorer.EXE
PID 1724 wrote to memory of 1276	1724	oppeab.exe	Explorer.EXE
PID 1724 wrote to memory of 1276	1724	oppeab.exe	Explorer.EXE
PID 1724 wrote to memory of 1276	1724	oppeab.exe	Explorer.EXE
PID 1724 wrote to memory of 1112	1724	oppeab.exe	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe
PID 1724 wrote to memory of 1112	1724	oppeab.exe	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe
PID 1724 wrote to memory of 1112	1724	oppeab.exe	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe
PID 1724 wrote to memory of 1112	1724	oppeab.exe	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe
PID 1724 wrote to memory of 1112	1724	oppeab.exe	156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe

C:\Users\Admin\AppData\Local\Temp\156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe
"C:\Users\Admin\AppData\Local\Temp\156c734b2817afebbac8f489b206154cccae619079e95af90b83bd8aca4fb59a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\Taevhe\oppeab.exe
"C:\Users\Admin\AppData\Local\Temp\Taevhe\oppeab.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:2028

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1572

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:956

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1760

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1740

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1244

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:320

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:2044

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1948

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
3⤵
- Modifies boot configuration data using bcdedit
PID:1028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\TESBFD9.bat"
2⤵
- Deletes itself
PID:776

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1248

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TESBFD9.bat
Filesize
303B

MD5
ef3ea048db1ade350ed4525ae471e406

SHA1
1a3408b71f2b839ce1951f182d128c814db51ce0

SHA256
7507c865e1ee1149aa284844b394206b4edd473205a06118b13734efeab6a350

SHA512
690f18c304e0f67116451af44617251d717e87634e010470414a9d85fcaadaecfbf94141e9557a3759570ce455ead5032b1bb5601a595eda24127a5486d338a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taevhe\oppeab.exe
Filesize
777KB

MD5
de0f6abb034a330c47ad855c4ddc955d

SHA1
74aded12ec5cd87542f46ee0d2c9aea754f9ce8f

SHA256
ae53c7b07ca088d09c25dee78c3ed571cf945dcfca36f1a6c277169a6ed0296b

SHA512
7cb2d7701ded1e8ba8c4f869ccbc1a40e65d70e904edb6e571261825b5954cd1bc086943bee417efff6968f7587db321fdab8094c58a014117cc670688c2c248

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taevhe\oppeab.exe
Filesize
777KB

MD5
de0f6abb034a330c47ad855c4ddc955d

SHA1
74aded12ec5cd87542f46ee0d2c9aea754f9ce8f

SHA256
ae53c7b07ca088d09c25dee78c3ed571cf945dcfca36f1a6c277169a6ed0296b

SHA512
7cb2d7701ded1e8ba8c4f869ccbc1a40e65d70e904edb6e571261825b5954cd1bc086943bee417efff6968f7587db321fdab8094c58a014117cc670688c2c248

Download Submit
\Users\Admin\AppData\Local\Temp\Taevhe\oppeab.exe
Filesize
777KB

MD5
de0f6abb034a330c47ad855c4ddc955d

SHA1
74aded12ec5cd87542f46ee0d2c9aea754f9ce8f

SHA256
ae53c7b07ca088d09c25dee78c3ed571cf945dcfca36f1a6c277169a6ed0296b

SHA512
7cb2d7701ded1e8ba8c4f869ccbc1a40e65d70e904edb6e571261825b5954cd1bc086943bee417efff6968f7587db321fdab8094c58a014117cc670688c2c248

Download Submit
memory/320-69-0x0000000000000000-mapping.dmp

Download
memory/776-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/776-108-0x0000000000050000-0x00000000000BD000-memory.dmp

Filesize
436KB

Download
memory/776-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/776-105-0x0000000000050000-0x00000000000BD000-memory.dmp

Filesize
436KB

Download
memory/776-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/776-107-0x0000000000050000-0x00000000000BD000-memory.dmp

Filesize
436KB

Download
memory/776-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/776-121-0x0000000000050000-0x00000000000BD000-memory.dmp

Filesize
436KB

Download
memory/776-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/776-109-0x0000000000050000-0x00000000000BD000-memory.dmp

Filesize
436KB

Download
memory/776-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/776-110-0x00000000000AB3EE-mapping.dmp

Download
memory/776-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/956-64-0x0000000000000000-mapping.dmp

Download
memory/1028-70-0x0000000000000000-mapping.dmp

Download
memory/1112-99-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-101-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-100-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-98-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-97-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-96-0x0000000001F30000-0x0000000001F9D000-memory.dmp

Filesize
436KB

Download
memory/1112-111-0x0000000001F30000-0x0000000001F9D000-memory.dmp

Filesize
436KB

Download
memory/1112-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1112-95-0x0000000001F30000-0x0000000001F9D000-memory.dmp

Filesize
436KB

Download
memory/1112-55-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1112-93-0x0000000001F30000-0x0000000001F9D000-memory.dmp

Filesize
436KB

Download
memory/1112-94-0x0000000001F30000-0x0000000001F9D000-memory.dmp

Filesize
436KB

Download
memory/1148-76-0x0000000001FF0000-0x000000000205D000-memory.dmp

Filesize
436KB

Download
memory/1148-78-0x0000000001FF0000-0x000000000205D000-memory.dmp

Filesize
436KB

Download
memory/1148-77-0x0000000001FF0000-0x000000000205D000-memory.dmp

Filesize
436KB

Download
memory/1148-75-0x0000000001FF0000-0x000000000205D000-memory.dmp

Filesize
436KB

Download
memory/1148-73-0x0000000001FF0000-0x000000000205D000-memory.dmp

Filesize
436KB

Download
memory/1244-66-0x0000000000000000-mapping.dmp

Download
memory/1248-84-0x00000000001C0000-0x000000000022D000-memory.dmp

Filesize
436KB

Download
memory/1248-83-0x00000000001C0000-0x000000000022D000-memory.dmp

Filesize
436KB

Download
memory/1248-82-0x00000000001C0000-0x000000000022D000-memory.dmp

Filesize
436KB

Download
memory/1248-81-0x00000000001C0000-0x000000000022D000-memory.dmp

Filesize
436KB

Download
memory/1276-88-0x0000000002960000-0x00000000029CD000-memory.dmp

Filesize
436KB

Download
memory/1276-90-0x0000000002960000-0x00000000029CD000-memory.dmp

Filesize
436KB

Download
memory/1276-89-0x0000000002960000-0x00000000029CD000-memory.dmp

Filesize
436KB

Download
memory/1276-87-0x0000000002960000-0x00000000029CD000-memory.dmp

Filesize
436KB

Download
memory/1572-63-0x0000000000000000-mapping.dmp

Download
memory/1724-72-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1724-60-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1724-57-0x0000000000000000-mapping.dmp

Download
memory/1740-67-0x0000000000000000-mapping.dmp

Download
memory/1760-65-0x0000000000000000-mapping.dmp

Download
memory/1948-71-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download
memory/2044-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads