8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

Analysis

max time kernel
1800s
max time network
1803s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Versamento.Pdf______________________________________________________________.exe
Size

446KB
MD5

93cbe4ed3d46abe732a124a41e7147a2
SHA1

94a24be60d90479ce27f7787a86678472aabdc6e
SHA256

89e71eb0a6403725d2f95cb9e6506b8b139a6948a61dc1c5cfedf18648241ec4
SHA512

8f46af90d8a2d78da003a8a395fd7f74cc235595238ee3a3e4d87fee2aa4c8abf6ece403bb3726122d3825437f5d079ea1f8d6b275153bb76b3b0d75c243ef09
SSDEEP

6144:XOOxeLzWoeNqagVRUvOWcTwlOcTeP8uENXIEQSdO8c/AVxYflxiW:txeHWoA/Wr0lfQ8BfLkIVxYfrd

Score

9^/10

collection defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apywolyd = "C:\\Windows\\ipakicad.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Versamento.Pdf______________________________________________________________.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Versamento.Pdf______________________________________________________________.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Versamento.Pdf______________________________________________________________.exeVersamento.Pdf______________________________________________________________.exe

description	pid	Process	procid_target
PID 2344 set thread context of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2060 set thread context of 2856	2060	Versamento.Pdf______________________________________________________________.exe	30

Drops file in Windows directory 2 IoCs

Processes:

explorer.exe

description	ioc	Process
File created	C:\Windows\ipakicad.exe	explorer.exe
File opened for modification	C:\Windows\ipakicad.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Versamento.Pdf______________________________________________________________.exeVersamento.Pdf______________________________________________________________.exeexplorer.exevssadmin.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versamento.Pdf______________________________________________________________.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versamento.Pdf______________________________________________________________.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
2872	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description	pid	Process
Token: SeBackupPrivilege	2800	vssvc.exe
Token: SeRestorePrivilege	2800	vssvc.exe
Token: SeAuditPrivilege	2800	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Versamento.Pdf______________________________________________________________.exeVersamento.Pdf______________________________________________________________.exeexplorer.exe

description	pid	Process	procid_target
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2344 wrote to memory of 2060	2344	Versamento.Pdf______________________________________________________________.exe	29
PID 2060 wrote to memory of 2856	2060	Versamento.Pdf______________________________________________________________.exe	30
PID 2060 wrote to memory of 2856	2060	Versamento.Pdf______________________________________________________________.exe	30
PID 2060 wrote to memory of 2856	2060	Versamento.Pdf______________________________________________________________.exe	30
PID 2060 wrote to memory of 2856	2060	Versamento.Pdf______________________________________________________________.exe	30
PID 2060 wrote to memory of 2856	2060	Versamento.Pdf______________________________________________________________.exe	30
PID 2856 wrote to memory of 2872	2856	explorer.exe	31
PID 2856 wrote to memory of 2872	2856	explorer.exe	31
PID 2856 wrote to memory of 2872	2856	explorer.exe	31
PID 2856 wrote to memory of 2872	2856	explorer.exe	31

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Versamento.Pdf______________________________________________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Versamento.Pdf______________________________________________________________.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\Versamento.Pdf______________________________________________________________.exe
  "C:\Users\Admin\AppData\Local\Temp\Versamento.Pdf______________________________________________________________.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\system32\explorer.exe"
    3⤵
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:2856
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\yvycuvufavytimur\01000000

Filesize
446KB

MD5
9db79db6cb4edab84bd158bf26e50e12

SHA1
6661cc46a228ef880446ce4e19c07cc465d8091c

SHA256
30b806f6572a13fb68c4a6112b2f16f90931fabdb4d7441b091ea4867e410061

SHA512
5dd5c3a35fd1a50fd308f8cea6dc8a5278000bdefe75b1fc1ae39af07d75a3abb61a816cfc640a40fb42b40993f2aa1b1286bdce8768152f4a68820a6b657457

Download Submit
memory/2060-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-18-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2060-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-20-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/2856-28-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/2856-19-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/2856-31-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download
memory/2856-32-0x0000000000080000-0x00000000000BD000-memory.dmp

Filesize
244KB

Download