b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d

General

Target

b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
Size

218KB
MD5

bcafd7b7645e9934302fb83785a711ec
SHA1

27eff28b3838667f402bbb31708cfb37b2ecc483
SHA256

b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d
SHA512

701fc5915ad5977f725c16ebff4b831879e90df587ef2a5ee8b1e9711efdcb6a43011c95e3abd2f3c146b528e3504925940c883f327f7dab75784f0f3382f2c6
SSDEEP

6144:c8dNXSEqoFkV4UDr/l6lcb8uGtIC16m+9J:HqYkdr8SZw6R9J

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Loads dropped DLL 4 IoCs

Processes:

b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe

pid	process
972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ixyvasat = "\"C:\\Windows\\yzaduxiq.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exeb403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe

description	pid	process	target process
PID 972 set thread context of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 1456 set thread context of 1104	1456	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\yzaduxiq.exe explorer.exe
File created C:\Windows\yzaduxiq.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1140 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\yzaduxiq.exe	explorer.exe
File created	C:\Windows\yzaduxiq.exe	explorer.exe

pid	process
1140	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1000 vssvc.exe
Token: SeRestorePrivilege 1000 vssvc.exe
Token: SeAuditPrivilege 1000 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1000	vssvc.exe
Token: SeRestorePrivilege	1000	vssvc.exe
Token: SeAuditPrivilege	1000	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exeb403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exeexplorer.exe

description	pid	process	target process
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 972 wrote to memory of 1456	972	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
PID 1456 wrote to memory of 1104	1456	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	explorer.exe
PID 1456 wrote to memory of 1104	1456	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	explorer.exe
PID 1456 wrote to memory of 1104	1456	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	explorer.exe
PID 1456 wrote to memory of 1104	1456	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	explorer.exe
PID 1456 wrote to memory of 1104	1456	b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe	explorer.exe
PID 1104 wrote to memory of 1140	1104	explorer.exe	vssadmin.exe
PID 1104 wrote to memory of 1140	1104	explorer.exe	vssadmin.exe
PID 1104 wrote to memory of 1140	1104	explorer.exe	vssadmin.exe
PID 1104 wrote to memory of 1140	1104	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
"C:\Users\Admin\AppData\Local\Temp\b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\Temp\b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe
"C:\Users\Admin\AppData\Local\Temp\b403af902f115127cd9484244917b431ec9fd746feda7fb31e2724ff201e985d.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aduqeliginopicah\01000000
Filesize
218KB

MD5
134428cab0b0b2f11889655db9c5e334

SHA1
3996707f723e59189333505ba59ee2d0be42912b

SHA256
810e660a561c8c5f277263b66be8563a20c6b5d8b2e80047c222948ebb495c7a

SHA512
546a53350f67f111142780a78ae0647919faa83d4d9c3633a1a8cc42df61a4e52ec1bfd8a93630387ae528aef40d2a7cf4d280e738c7813ab3cb59c53ba1b136

Download Submit
\Users\Admin\AppData\Local\Temp\nseE1D9.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nseE1D9.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nseE1D9.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nseE1D9.tmp\perches.dll
Filesize
12KB

MD5
7798378f2c9c626736b5e3047fa9101c

SHA1
5d75a899a9d48f8cfb061e89a5e0696c6ad53d5f

SHA256
a8143111f429e97aae802574743245ad3037dca568ba82d73fca7a5eb023d113

SHA512
aa74fad8301dff30db8afd0dfef6ff8f571b89e4bf6822e57aa39c05b1b5c688853ac46442d951651cd27ef902ebb9d83c1ad36d5ce25f24caa089f335ec35f1

Download Submit
memory/972-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1104-85-0x0000000072411000-0x0000000072413000-memory.dmp

Filesize
8KB

Download
memory/1104-84-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/1104-74-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/1104-80-0x00000000747C1000-0x00000000747C3000-memory.dmp

Filesize
8KB

Download
memory/1104-78-0x00000000000DA140-mapping.dmp

Download
memory/1104-76-0x00000000000C0000-0x00000000000FC000-memory.dmp

Filesize
240KB

Download
memory/1140-83-0x0000000000000000-mapping.dmp

Download
memory/1456-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-69-0x000000000040A61E-mapping.dmp

Download
memory/1456-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1456-59-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads