4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1

General

Target

4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
Size

766KB
MD5

9b1da810487cdcb458d46f394f561fdb
SHA1

b8fbf9babf7182cf7dd1e6039e4c2a072a4df70c
SHA256

4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1
SHA512

babbecf43d00e1cfe58b9b3d2895993624e62f136178f64616f43e49c1006dc9d64d6e2dcfa3b88434ad9b9790270aa063236deaaf92022d8b3ebeaa42efd7fc
SSDEEP

12288:CH+pDu9YrDQKiXEfiVzhY1Iys0P9ckgveteiZLnfHSoGKmeVd8kyBwvBH4JVJ:Ce0sDNiUfiPgI91kgveYAHSoGoWeOVJ

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\etokiloj = "\"C:\\Windows\\edezesoh.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe

description	pid	process	target process
PID 2508 set thread context of 4368	2508	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
PID 4368 set thread context of 4288	4368	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\edezesoh.exe explorer.exe
File created C:\Windows\edezesoh.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

428 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\edezesoh.exe	explorer.exe
File created	C:\Windows\edezesoh.exe	explorer.exe

pid	process
428	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4436 vssvc.exe
Token: SeRestorePrivilege 4436 vssvc.exe
Token: SeAuditPrivilege 4436 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4436	vssvc.exe
Token: SeRestorePrivilege	4436	vssvc.exe
Token: SeAuditPrivilege	4436	vssvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exeexplorer.exe

description	pid	process	target process
PID 2508 wrote to memory of 4368	2508	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
PID 2508 wrote to memory of 4368	2508	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
PID 2508 wrote to memory of 4368	2508	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
PID 2508 wrote to memory of 4368	2508	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
PID 2508 wrote to memory of 4368	2508	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
PID 4368 wrote to memory of 4288	4368	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	explorer.exe
PID 4368 wrote to memory of 4288	4368	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	explorer.exe
PID 4368 wrote to memory of 4288	4368	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	explorer.exe
PID 4368 wrote to memory of 4288	4368	4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe	explorer.exe
PID 4288 wrote to memory of 428	4288	explorer.exe	vssadmin.exe
PID 4288 wrote to memory of 428	4288	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
"C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe
"C:\Users\Admin\AppData\Local\Temp\4b20937d2f09872bdb78359d0df30b554d514c7f2df07c4026f99c859b09d1f1.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aduqeliginopicah\01000000
Filesize
766KB

MD5
b08099f62223f6fcb24b05adcbbc74ad

SHA1
af92c74915e34d1d63d03783132d424848843de5

SHA256
659aa6c68411cdbcfd6053ec3db63a4b3b2ceedeba3b21488b8690e3259d8e38

SHA512
5dd58501fc459b0bd3d742a022cf5a10cfb8d3d699f8e1d7394ee3e217e8be25f9253cea61ad4978a76b0471c3e0f338a9ec06f19bdc402eefc84cd0b5a40e27

Download Submit
memory/428-144-0x0000000000000000-mapping.dmp

Download
memory/2508-132-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/4288-139-0x0000000000A50000-0x0000000000A8C000-memory.dmp

Filesize
240KB

Download
memory/4288-145-0x0000000000A50000-0x0000000000A8C000-memory.dmp

Filesize
240KB

Download
memory/4288-143-0x0000000000A50000-0x0000000000A8C000-memory.dmp

Filesize
240KB

Download
memory/4288-138-0x0000000000000000-mapping.dmp

Download
memory/4368-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4368-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads