96b9f76d4187e3b83a35848c75e74db4155ce966200fd985db7ebb65d9cc6e7f

Reason

Machine shutdown

General

Target

wolvmsetup.exe
Size

5.0MB
MD5

9f06f30ac91487808c75a630575a8a36
SHA1

6e9c1bb53b2e4dad2483778bf423e9dbfea50a48
SHA256

96b9f76d4187e3b83a35848c75e74db4155ce966200fd985db7ebb65d9cc6e7f
SHA512

45030e00f47b969357a208850d454c0bf77c98907e5de429842632c613f18b314f44032f4b4ded093df056524d7461cf77b800ef7d73ed09c62d8ca2d2557eb8
SSDEEP

98304:VOMALnIZjy7hUu5IGY/3+a5UiSw7AT9jiiSl6k+THm9ub3KpDQpJNEZFCCVLt1eg:EMALIZjy7Su5Id/3+aU6c9Gii6k+zNil

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WOLVM = "v2.24\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|LPort=7\|LPort=9\|App=C:\\Program Files (x86)\\Alexander Yarovy\\Wake-On-LAN Virtual Machine\\wolvm.exe\|Name=WOLVM\|Desc=This feature allows Wake-On-LAN Virtual Machine to receive Wake-On-LAN magic packets.\|Edge=FALSE\|"	wolvmsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WOLVMSVC = "v2.24\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|LPort=7\|LPort=9\|App=C:\\Program Files (x86)\\Alexander Yarovy\\Wake-On-LAN Virtual Machine\\wolvmsvc.exe\|Name=WOLVM-service\|Desc=This feature allows Wake-On-LAN Virtual Machine to receive Wake-On-LAN magic packets.\|Edge=FALSE\|"	wolvmsetup.tmp
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	wolvmsetup.tmp

Executes dropped EXE 4 IoCs

pid	Process
3132	wolvmsetup.tmp
3420	config.wvm
2660	config.wvm
1216	config.wvm

Loads dropped DLL 2 IoCs

pid	Process
3132	wolvmsetup.tmp
3132	wolvmsetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-U9FFH.tmp	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-RGKOP.tmp	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-KU1MC.tmp	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-FD9NN.tmp	wolvmsetup.tmp
File opened for modification	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\wolvmsvc.exe	wolvmsetup.tmp
File opened for modification	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\wolvm.chm	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-5COSB.tmp	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-0G5OD.tmp	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-V57O1.tmp	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-CUSI8.tmp	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-M081R.tmp	wolvmsetup.tmp
File opened for modification	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\unins000.dat	wolvmsetup.tmp
File opened for modification	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\prs.dll	wolvmsetup.tmp
File opened for modification	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\wolvm.exe	wolvmsetup.tmp
File opened for modification	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\wolvmlog.dll	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\unins000.dat	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-4FRFA.tmp	wolvmsetup.tmp
File created	C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\is-76B04.tmp	wolvmsetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "247"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	wolvmsetup.tmp
3132	wolvmsetup.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1392	wolvmsetup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3132	wolvmsetup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3780	LogonUI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 3132	1392	wolvmsetup.exe	87
PID 1392 wrote to memory of 3132	1392	wolvmsetup.exe	87
PID 1392 wrote to memory of 3132	1392	wolvmsetup.exe	87
PID 3132 wrote to memory of 3420	3132	wolvmsetup.tmp	103
PID 3132 wrote to memory of 3420	3132	wolvmsetup.tmp	103
PID 3132 wrote to memory of 3420	3132	wolvmsetup.tmp	103
PID 3132 wrote to memory of 2660	3132	wolvmsetup.tmp	104
PID 3132 wrote to memory of 2660	3132	wolvmsetup.tmp	104
PID 3132 wrote to memory of 2660	3132	wolvmsetup.tmp	104
PID 3132 wrote to memory of 1216	3132	wolvmsetup.tmp	105
PID 3132 wrote to memory of 1216	3132	wolvmsetup.tmp	105
PID 3132 wrote to memory of 1216	3132	wolvmsetup.tmp	105

C:\Users\Admin\AppData\Local\Temp\wolvmsetup.exe
"C:\Users\Admin\AppData\Local\Temp\wolvmsetup.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\is-U1NEH.tmp\wolvmsetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U1NEH.tmp\wolvmsetup.tmp" /SL5="$11006C,4921663,426496,C:\Users\Admin\AppData\Local\Temp\wolvmsetup.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm
    "C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm" add-path "C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine"
    3⤵
    - Executes dropped EXE
    PID:3420
- - C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm
    "C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm" profile "Software\Alexander Yarovy\Wake-On-LAN Virtual Machine"
    3⤵
    - Executes dropped EXE
    PID:2660
- - C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm
    "C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm" hyperv
    3⤵
    - Executes dropped EXE
    PID:1216

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39aa855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm

Filesize
487KB

MD5
61407e0bdba752adee5d18a3081c2d5b

SHA1
18ae5793dcb26d964aa5c1fd24757638852733c3

SHA256
8451669e0e5be2f3de0a546bf6c44878b40646ffaaf04dbd5cee40d9078dd51e

SHA512
148cbce8ece81239cbb4e415936ca1fbf100aed844c49f7e09cdfdd266a333addf000a308b8de1c870745e4569df53895c615f495895ae23924b157e7905b9a4

Download Submit
C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm

Filesize
487KB

MD5
61407e0bdba752adee5d18a3081c2d5b

SHA1
18ae5793dcb26d964aa5c1fd24757638852733c3

SHA256
8451669e0e5be2f3de0a546bf6c44878b40646ffaaf04dbd5cee40d9078dd51e

SHA512
148cbce8ece81239cbb4e415936ca1fbf100aed844c49f7e09cdfdd266a333addf000a308b8de1c870745e4569df53895c615f495895ae23924b157e7905b9a4

Download Submit
C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm

Filesize
487KB

MD5
61407e0bdba752adee5d18a3081c2d5b

SHA1
18ae5793dcb26d964aa5c1fd24757638852733c3

SHA256
8451669e0e5be2f3de0a546bf6c44878b40646ffaaf04dbd5cee40d9078dd51e

SHA512
148cbce8ece81239cbb4e415936ca1fbf100aed844c49f7e09cdfdd266a333addf000a308b8de1c870745e4569df53895c615f495895ae23924b157e7905b9a4

Download Submit
C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\config.wvm

Filesize
487KB

MD5
61407e0bdba752adee5d18a3081c2d5b

SHA1
18ae5793dcb26d964aa5c1fd24757638852733c3

SHA256
8451669e0e5be2f3de0a546bf6c44878b40646ffaaf04dbd5cee40d9078dd51e

SHA512
148cbce8ece81239cbb4e415936ca1fbf100aed844c49f7e09cdfdd266a333addf000a308b8de1c870745e4569df53895c615f495895ae23924b157e7905b9a4

Download Submit
C:\Program Files (x86)\Alexander Yarovy\Wake-On-LAN Virtual Machine\wolvm.exe

Filesize
3.4MB

MD5
c400c9d6c7a7dcb8e222178858971b12

SHA1
a61c614dfaf93fc0e2eb546ae7561d1386343b5b

SHA256
7fb8f3630cd4f86faaa8810c074291e58c6bbaf6ebca6627d490110d8b463e8e

SHA512
e512fcd3e00ce8573c8dc526a6230ec997124e09adb4200e7951e5df4893b6588280f87598c6296c4fbc66145e872818c8bfd4a074e084eae3b71fed9fe78ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-42484.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-42484.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U1NEH.tmp\wolvmsetup.tmp

Filesize
1.0MB

MD5
e62acfb305d84b03ad658d7f9c381d70

SHA1
1d54a851275f33ab21bf4a1090bec8fdba234f1f

SHA256
bed1bebbf281e3ba15d45c2dee6c3389f861c02f295173b287bd77a298fa6cde

SHA512
2ab823ca94269d26cd3181457a365a7703cd3fd25f784ea793569da4462348c0251c3e1f1757e5d914032441c06060a86e3a2eb446a15b78f5c7f0e3ee6c35bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U1NEH.tmp\wolvmsetup.tmp

Filesize
1.0MB

MD5
e62acfb305d84b03ad658d7f9c381d70

SHA1
1d54a851275f33ab21bf4a1090bec8fdba234f1f

SHA256
bed1bebbf281e3ba15d45c2dee6c3389f861c02f295173b287bd77a298fa6cde

SHA512
2ab823ca94269d26cd3181457a365a7703cd3fd25f784ea793569da4462348c0251c3e1f1757e5d914032441c06060a86e3a2eb446a15b78f5c7f0e3ee6c35bc

Download Submit
memory/1216-210-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1392-146-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1392-214-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1392-133-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2660-208-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3132-157-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3132-199-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3132-155-0x0000000003A90000-0x0000000003ACC000-memory.dmp

Filesize
240KB

Download
memory/3132-154-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3132-149-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3132-148-0x0000000003A90000-0x0000000003ACC000-memory.dmp

Filesize
240KB

Download
memory/3132-147-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3132-145-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3132-213-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3132-143-0x0000000003A90000-0x0000000003ACC000-memory.dmp

Filesize
240KB

Download
memory/3420-206-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

Errors