ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

General

Target

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
Size

394KB
MD5

7a35101aad6d97ec448aeae1c4ce23ba
SHA1

49b5ff89c61620328f2cb4b77319dc85b1460997
SHA256

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a
SHA512

61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c
SSDEEP

6144:/XklIFkOBUXUlhtsN8LsCUDJk7lymC+xiz+TLJ2edKOVVdk3VMLF9Hlgd/J7SvL5:BUEloN8gNDePVxiK2uKqklUDlSRkL5

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\RECOVERmvgvu.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/D5C7915318EBBA4 http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/D5C7915318EBBA4 http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/D5C7915318EBBA4 If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/D5C7915318EBBA4 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/D5C7915318EBBA4 http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/D5C7915318EBBA4 http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/D5C7915318EBBA4 Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/D5C7915318EBBA4 Your personal identification ID: D5C7915318EBBA4

URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/D5C7915318EBBA4

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/D5C7915318EBBA4

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/D5C7915318EBBA4

http://k7tlx3ghr3m4n2tu.onion/D5C7915318EBBA4

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

eiykuy.exeeiykuy.exe

pid process

580 eiykuy.exe
980 eiykuy.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1176 cmd.exe

pid	process
580	eiykuy.exe
980	eiykuy.exe

pid	process
1176	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe

pid	process
1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eiykuy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	eiykuy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\_ahjc = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Users\\Admin\\Documents\\eiykuy.exe"	eiykuy.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exeeiykuy.exe

description	pid	process	target process
PID 1456 set thread context of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 580 set thread context of 980	580	eiykuy.exe	eiykuy.exe

Drops file in Program Files directory 64 IoCs

Processes:

eiykuy.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_ButtonGraphic.png	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png	eiykuy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	eiykuy.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png	eiykuy.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	eiykuy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	eiykuy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png	eiykuy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	eiykuy.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\ja-JP\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\Microsoft Games\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	eiykuy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\MSBuild\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\RECOVERmvgvu.png	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	eiykuy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RECOVERmvgvu.html	eiykuy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png	eiykuy.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	eiykuy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\RECOVERmvgvu.txt	eiykuy.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	eiykuy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1488 vssadmin.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

eiykuy.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\trueimg eiykuy.exe

pid	process
1488	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\trueimg	eiykuy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eiykuy.exe

pid	process
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe
980	eiykuy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

eiykuy.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	980	eiykuy.exe
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exead32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exeeiykuy.exeeiykuy.exe

description	pid	process	target process
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1456 wrote to memory of 1152	1456	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1152 wrote to memory of 580	1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	eiykuy.exe
PID 1152 wrote to memory of 580	1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	eiykuy.exe
PID 1152 wrote to memory of 580	1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	eiykuy.exe
PID 1152 wrote to memory of 580	1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	eiykuy.exe
PID 1152 wrote to memory of 1176	1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	cmd.exe
PID 1152 wrote to memory of 1176	1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	cmd.exe
PID 1152 wrote to memory of 1176	1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	cmd.exe
PID 1152 wrote to memory of 1176	1152	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	cmd.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 580 wrote to memory of 980	580	eiykuy.exe	eiykuy.exe
PID 980 wrote to memory of 1488	980	eiykuy.exe	vssadmin.exe
PID 980 wrote to memory of 1488	980	eiykuy.exe	vssadmin.exe
PID 980 wrote to memory of 1488	980	eiykuy.exe	vssadmin.exe
PID 980 wrote to memory of 1488	980	eiykuy.exe	vssadmin.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

eiykuy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eiykuy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	eiykuy.exe

C:\Users\Admin\AppData\Local\Temp\ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
"C:\Users\Admin\AppData\Local\Temp\ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
"C:\Users\Admin\AppData\Local\Temp\ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\Documents\eiykuy.exe
C:\Users\Admin\Documents\eiykuy.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\Documents\eiykuy.exe
C:\Users\Admin\Documents\eiykuy.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:980

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD32F2~1.EXE >> NUL
3⤵
- Deletes itself
PID:1176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\eiykuy.exe
Filesize
394KB

MD5
7a35101aad6d97ec448aeae1c4ce23ba

SHA1
49b5ff89c61620328f2cb4b77319dc85b1460997

SHA256
ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

SHA512
61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c

Download Submit
C:\Users\Admin\Documents\eiykuy.exe
Filesize
394KB

MD5
7a35101aad6d97ec448aeae1c4ce23ba

SHA1
49b5ff89c61620328f2cb4b77319dc85b1460997

SHA256
ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

SHA512
61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c

Download Submit
C:\Users\Admin\Documents\eiykuy.exe
Filesize
394KB

MD5
7a35101aad6d97ec448aeae1c4ce23ba

SHA1
49b5ff89c61620328f2cb4b77319dc85b1460997

SHA256
ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

SHA512
61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c

Download Submit
\Users\Admin\Documents\eiykuy.exe
Filesize
394KB

MD5
7a35101aad6d97ec448aeae1c4ce23ba

SHA1
49b5ff89c61620328f2cb4b77319dc85b1460997

SHA256
ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

SHA512
61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c

Download Submit
\Users\Admin\Documents\eiykuy.exe
Filesize
394KB

MD5
7a35101aad6d97ec448aeae1c4ce23ba

SHA1
49b5ff89c61620328f2cb4b77319dc85b1460997

SHA256
ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

SHA512
61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c

Download Submit
memory/580-75-0x0000000000000000-mapping.dmp

Download
memory/980-98-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/980-96-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/980-95-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/980-91-0x00000000004160C4-mapping.dmp

Download
memory/1152-71-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-56-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-72-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-57-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-67-0x00000000004160C4-mapping.dmp

Download
memory/1152-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-70-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1152-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1152-61-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1176-77-0x0000000000000000-mapping.dmp

Download
memory/1456-68-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1456-54-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1456-55-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1488-97-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads