af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17

General

Target

af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
Size

233KB
MD5

55841d5818935938e350943471785894
SHA1

d2a97467a0a92ba167cc1c3020d0172a6623a3d2
SHA256

af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17
SHA512

ec0ce562c56abede5219d0f05cc0ac9428662e93ed555ce5dc262345c81f4045e7a486a89c3daf379aa864794bc4ac2ea40c06aef524d6143c4259e2e349589b
SSDEEP

6144:88dNXSEprMkKP1yhkGX/PXdTFxNCmng5K+nSP6:npAwrX//tfZ6

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Loads dropped DLL 4 IoCs

Processes:

af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe

pid	process
1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejetyxim = "\"C:\\Windows\\ojihukan.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exeaf987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe

description	pid	process	target process
PID 1428 set thread context of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 340 set thread context of 560	340	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\ojihukan.exe explorer.exe
File opened for modification C:\Windows\ojihukan.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1888 vssadmin.exe

description	ioc	process
File created	C:\Windows\ojihukan.exe	explorer.exe
File opened for modification	C:\Windows\ojihukan.exe	explorer.exe

pid	process
1888	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1760 vssvc.exe
Token: SeRestorePrivilege 1760 vssvc.exe
Token: SeAuditPrivilege 1760 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1760	vssvc.exe
Token: SeRestorePrivilege	1760	vssvc.exe
Token: SeAuditPrivilege	1760	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exeaf987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exeexplorer.exe

description	pid	process	target process
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 1428 wrote to memory of 340	1428	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
PID 340 wrote to memory of 560	340	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	explorer.exe
PID 340 wrote to memory of 560	340	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	explorer.exe
PID 340 wrote to memory of 560	340	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	explorer.exe
PID 340 wrote to memory of 560	340	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	explorer.exe
PID 340 wrote to memory of 560	340	af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe	explorer.exe
PID 560 wrote to memory of 1888	560	explorer.exe	vssadmin.exe
PID 560 wrote to memory of 1888	560	explorer.exe	vssadmin.exe
PID 560 wrote to memory of 1888	560	explorer.exe	vssadmin.exe
PID 560 wrote to memory of 1888	560	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
"C:\Users\Admin\AppData\Local\Temp\af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe
"C:\Users\Admin\AppData\Local\Temp\af987e9949de476f955b540bd09d88fa36ad66a29a531a554761a9256cdebd17.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\adyxihodaryrujum\01000000
Filesize
233KB

MD5
aa44ce726bc03e75c23f56ed642e5f16

SHA1
3c5659e0b08424b3ef079627886e5cda69b74bce

SHA256
068d33dcbe93df8b1933ded11432af3b443c2a50d3c9985f18d8a642845c2b02

SHA512
4df6a246824ae0f4ff0b703cf1adf043ba83d908b813b565ae6611d64ffb8a0f008e9a272cb011b0dc84350797cd04b1305335373312ffb7dfc1a84797ec215a

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB80B.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB80B.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB80B.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB80B.tmp\oxygenate.dll
Filesize
56KB

MD5
2ef8cf8605d3d42da5e70b7b9478ac1f

SHA1
ff26c75863cb2f21319be719b4ff94a3b1cadecd

SHA256
8fe88a60dd903069cdfff27813ff1c0d6f01246191aca805af4e11a117067a5f

SHA512
f4b2785d4c020c36e41adc7ab34a72b18012faccdd69c4a24fd963740fcd870f79b7273166d2275caebf90c9cf4d6bcb1a099605bcaeab12cbc42e9db3463658

Download Submit
memory/340-69-0x000000000040AD0A-mapping.dmp

Download
memory/340-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-62-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-65-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/340-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/560-73-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/560-79-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/560-81-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/560-77-0x000000000009A540-mapping.dmp

Download
memory/560-75-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/560-84-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/560-86-0x00000000726A1000-0x00000000726A3000-memory.dmp

Filesize
8KB

Download
memory/1428-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1888-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads