605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710

General

Target

605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
Size

316KB
MD5

6a60a270addbfad002914e5a5bc5ef0e
SHA1

510b3203b1a7f0385cda3bc2aa7e7d53c9168f6b
SHA256

605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710
SHA512

6efc8826704c98d49316a0d5b45927933a5d44d428d9ede192acea11662cb8cec0811eefdd6e4e534e4445c6f0fc572232e0696947c6871d91abc81f8fe937ef
SSDEEP

6144:O3UhrPPvuEQo0PwM2by87ts+c5/IYHdp8G/:O3czuEQYMOv5R0/IYHL8G/

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sropunac = "C:\\Windows\\ecujpgav.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe

description	pid	process	target process
PID 1500 set thread context of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 872 set thread context of 1756	872	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\ecujpgav.exe explorer.exe
File opened for modification C:\Windows\ecujpgav.exe explorer.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

968 vssadmin.exe

description	ioc	process
File created	C:\Windows\ecujpgav.exe	explorer.exe
File opened for modification	C:\Windows\ecujpgav.exe	explorer.exe

pid	process
968	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe

pid	process
1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1752 vssvc.exe
Token: SeRestorePrivilege 1752 vssvc.exe
Token: SeAuditPrivilege 1752 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1752	vssvc.exe
Token: SeRestorePrivilege	1752	vssvc.exe
Token: SeAuditPrivilege	1752	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exeexplorer.exe

description	pid	process	target process
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 1500 wrote to memory of 872	1500	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
PID 872 wrote to memory of 1756	872	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	explorer.exe
PID 872 wrote to memory of 1756	872	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	explorer.exe
PID 872 wrote to memory of 1756	872	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	explorer.exe
PID 872 wrote to memory of 1756	872	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	explorer.exe
PID 872 wrote to memory of 1756	872	605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe	explorer.exe
PID 1756 wrote to memory of 968	1756	explorer.exe	vssadmin.exe
PID 1756 wrote to memory of 968	1756	explorer.exe	vssadmin.exe
PID 1756 wrote to memory of 968	1756	explorer.exe	vssadmin.exe
PID 1756 wrote to memory of 968	1756	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
"C:\Users\Admin\AppData\Local\Temp\605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe
"C:\Users\Admin\AppData\Local\Temp\605116c6b8a84efa4e25bd42f75ee8f88e02f7cff895fb434a55ce9ddfc9b710.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uluxohydelujynyf\01000000
Filesize
316KB

MD5
5ff7dbdc6c5ba3ace0190ff3a458bf3d

SHA1
34cf93246ebd1168b56969fb278beee8b41c6de7

SHA256
96b2769d01f671a4bccfc66b722e8a084729e67241d125243e8d7dd7f8c79841

SHA512
500aa9633cba98774e6d9a65b88d8d57818fb773165ce3b280a4df9602e8aeba95467743f3110c62046ef5e10affe7c1fa633e037382d1b8d3c1ef4464948f1b

Download Submit
memory/872-62-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-65-0x000000000040A7BE-mapping.dmp

Download
memory/872-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/872-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/968-81-0x0000000000000000-mapping.dmp

Download
memory/1500-69-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/1500-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1756-75-0x0000000000119C80-mapping.dmp

Download
memory/1756-77-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/1756-73-0x0000000000100000-0x000000000013B000-memory.dmp

Filesize
236KB

Download
memory/1756-71-0x0000000000100000-0x000000000013B000-memory.dmp

Filesize
236KB

Download
memory/1756-80-0x0000000000100000-0x000000000013B000-memory.dmp

Filesize
236KB

Download
memory/1756-82-0x0000000072BB1000-0x0000000072BB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads