92f668c87333149798e88fd701a6ed3258985363db0043f30e530a30b3350f98

General

Target

Responder.Pdf _____________________________________________________________.exe
Size

296KB
MD5

931a3a162c8a16c141d12fa0b1c36509
SHA1

11b55d6a5a40dcee509da0e4c8cc96a353e6e35f
SHA256

a033bc4bd6ef532bf15c06c0be8a5d0632cae01002abc5822659170285660499
SHA512

72223e21d8d8aa128c17403d23822d9d5dea1e581d79e6929110fa4103453960c721990c6ce1f05cc6fe5e90ccbbc967cc1a4a890b6d1f94ec77ebcffac3e5a0
SSDEEP

6144:cfSb2QKX6KRvqDsQBYVndvPabiSHaUPpavnElI:cfw7KZgKndvYPpav3

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Responder.Pdf _____________________________________________________________.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Responder.Pdf _____________________________________________________________.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewodocul = "C:\\Windows\\izyqitij.exe"	Responder.Pdf _____________________________________________________________.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Responder.Pdf _____________________________________________________________.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Responder.Pdf _____________________________________________________________.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Responder.Pdf _____________________________________________________________.exe

description	pid	process	target process
PID 1620 set thread context of 568	1620	Responder.Pdf _____________________________________________________________.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

Responder.Pdf _____________________________________________________________.exe

description	ioc	process
File opened for modification	C:\Windows\izyqitij.exe	Responder.Pdf _____________________________________________________________.exe
File created	C:\Windows\izyqitij.exe	Responder.Pdf _____________________________________________________________.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1324 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1052 vssvc.exe
Token: SeRestorePrivilege 1052 vssvc.exe
Token: SeAuditPrivilege 1052 vssvc.exe

pid	process
1324	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1052	vssvc.exe
Token: SeRestorePrivilege	1052	vssvc.exe
Token: SeAuditPrivilege	1052	vssvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Responder.Pdf _____________________________________________________________.exe

description	pid	process	target process
PID 1620 wrote to memory of 568	1620	Responder.Pdf _____________________________________________________________.exe	explorer.exe
PID 1620 wrote to memory of 568	1620	Responder.Pdf _____________________________________________________________.exe	explorer.exe
PID 1620 wrote to memory of 568	1620	Responder.Pdf _____________________________________________________________.exe	explorer.exe
PID 1620 wrote to memory of 568	1620	Responder.Pdf _____________________________________________________________.exe	explorer.exe
PID 1620 wrote to memory of 568	1620	Responder.Pdf _____________________________________________________________.exe	explorer.exe
PID 1620 wrote to memory of 1324	1620	Responder.Pdf _____________________________________________________________.exe	vssadmin.exe
PID 1620 wrote to memory of 1324	1620	Responder.Pdf _____________________________________________________________.exe	vssadmin.exe
PID 1620 wrote to memory of 1324	1620	Responder.Pdf _____________________________________________________________.exe	vssadmin.exe
PID 1620 wrote to memory of 1324	1620	Responder.Pdf _____________________________________________________________.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\Responder.Pdf _____________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Responder.Pdf _____________________________________________________________.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
2⤵
PID:568

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/568-59-0x00000000000C0000-0x00000000000FB000-memory.dmp

Filesize
236KB

Download
memory/568-61-0x00000000000C0000-0x00000000000FB000-memory.dmp

Filesize
236KB

Download
memory/568-63-0x00000000000D9C80-mapping.dmp

Download
memory/1324-66-0x0000000000000000-mapping.dmp

Download
memory/1620-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1620-55-0x00000000025C0000-0x00000000026DE000-memory.dmp

Filesize
1.1MB

Download
memory/1620-56-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1620-58-0x00000000025C0000-0x00000000026DE000-memory.dmp

Filesize
1.1MB

Download
memory/1620-65-0x00000000000D0000-0x000000000010B000-memory.dmp

Filesize
236KB

Download
memory/1620-67-0x0000000072E51000-0x0000000072E53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads