3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0

General

Target

3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
Size

232KB
MD5

80a735b520d4f75a4cb7ac829de99ab4
SHA1

e7a0e483d97424c6cf75d402325cd31eef730bfa
SHA256

3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0
SHA512

b670bff8a2905d5914282af76b3cefb8216085420cd8141f923487eda54376640adde2c9137c8daffaec88c4ee43e7d90fa2842c0b404c0ae2ed0d457cc8eed8
SSDEEP

6144:yAsBZ1Z69879Fm9PmqZIccYyhbPaHVzc+A:aZ6O79aJuPOa+A

Score

9^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Loads dropped DLL 4 IoCs

Processes:

3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe

pid	process
1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\axakofib = "\"C:\\Windows\\sqwtakeh.exe\""	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe

description	pid	process	target process
PID 1896 set thread context of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 2008 set thread context of 1928	2008	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\sqwtakeh.exe explorer.exe
File created C:\Windows\sqwtakeh.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1312 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\sqwtakeh.exe	explorer.exe
File created	C:\Windows\sqwtakeh.exe	explorer.exe

pid	process
1312	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1472 vssvc.exe
Token: SeRestorePrivilege 1472 vssvc.exe
Token: SeAuditPrivilege 1472 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1472	vssvc.exe
Token: SeRestorePrivilege	1472	vssvc.exe
Token: SeAuditPrivilege	1472	vssvc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exeexplorer.exe

C:\Users\Admin\AppData\Local\Temp\3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
"C:\Users\Admin\AppData\Local\Temp\3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
"C:\Users\Admin\AppData\Local\Temp\3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\system32\explorer.exe"
3⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\utoligapetoqemaz\01000000
Filesize
232KB

MD5
81a835a7894a0d99ffc1d63e04c23ba0

SHA1
0468104e782e31a1ed926f79d462961f5f11037f

SHA256
1b17716660f7f6456716404356f98caf183aa4f7915a501d19febb67a93f261c

SHA512
00e2ea758b860eb41c5e650b605e5bf201a1e9d3f2c11480676652479798e97c6f0b664610c50abecd4825f7cfc76807cc3a550ea3bfa2fac18a69895a73b40e

Download Submit
\Users\Admin\AppData\Local\Temp\nstDC1F.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nstDC1F.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nstDC1F.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nstDC1F.tmp\dustbin.dll
Filesize
68KB

MD5
f1fdb2132eddba792e7035c5f60580fd

SHA1
cd1e9cc9dcd12a79b8441d22b527cc39b28c0d4e

SHA256
878ea307e4e003a6b8966917890a75a6ede9140146e328fc9b9256c0b2ec5712

SHA512
0eef828e171f479fe7b20eda5b49d720c57992878916fc421809bc820e623486fe86dfc51e65bcb6104c4c3144527fb40fbc36fc662fee72cd1b58b814e84b54

Download Submit
memory/1312-83-0x0000000000000000-mapping.dmp

Download
memory/1896-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1928-84-0x00000000730B1000-0x00000000730B3000-memory.dmp

Filesize
8KB

Download
memory/1928-73-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1928-79-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1928-77-0x000000000009A140-mapping.dmp

Download
memory/1928-75-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1928-85-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2008-69-0x000000000040A61E-mapping.dmp

Download
memory/2008-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2008-59-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	pid	process	target process
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 1896 wrote to memory of 2008	1896	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe
PID 2008 wrote to memory of 1928	2008	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	explorer.exe
PID 2008 wrote to memory of 1928	2008	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	explorer.exe
PID 2008 wrote to memory of 1928	2008	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	explorer.exe
PID 2008 wrote to memory of 1928	2008	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	explorer.exe
PID 2008 wrote to memory of 1928	2008	3a738402946b1c5810e2d3e6bd02eb440a17930a3123740fb48a1e21b4064cb0.exe	explorer.exe
PID 1928 wrote to memory of 1312	1928	explorer.exe	vssadmin.exe
PID 1928 wrote to memory of 1312	1928	explorer.exe	vssadmin.exe
PID 1928 wrote to memory of 1312	1928	explorer.exe	vssadmin.exe
PID 1928 wrote to memory of 1312	1928	explorer.exe	vssadmin.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads