Overview
overview
10Static
static
6DUMP_00A10...iR.exe
windows7-x64
7DgH5SjZFle...DI.exe
windows7-x64
10Dumped_.exe
windows7-x64
7EntrateSetup.exe
windows7-x64
9ErrorFileRemover.exe
windows7-x64
10ExtraTools.exe
windows7-x64
7F45F47EDCE...54.exe
windows7-x64
10decrypt_00...00.exe
windows7-x64
6dffde400ad...3d.exe
windows7-x64
10dircrypt.deobf.exe
windows7-x64
10dma locker 4.0.exe
windows7-x64
9downloader.js
windows7-x64
10dump.mem.exe
windows7-x64
6e0ff79cc94...ss.exe
windows7-x64
7e37dc428ec...ad.vbs
windows7-x64
1e5df2d114c...8a.exe
windows7-x64
10e6c4ae4709...ss.exe
windows7-x64
7e77df2ce34...2d.exe
windows7-x64
1e8e07496df...d2.exe
windows7-x64
ea8292721a...1e.exe
windows7-x64
5eaa857c95f...er.dll
windows7-x64
1ed3a685ca6...91.exe
windows7-x64
9edffa07d66...9d5.js
windows7-x64
10encrypter.exe
windows7-x64
10encryptor_...81.exe
windows7-x64
9f002618c01...35.apk
windows7-x64
3f213e54c85...ea.exe
windows7-x64
1f2c8eee2cd...3f.exe
windows7-x64
10f31bfe95e3...7_.exe
windows7-x64
7f6a8d7a429...da.exe
windows7-x64
10f915110765...da.exe
windows7-x64
7fb8823e949...-0.dll
windows7-x64
1Analysis
-
max time kernel
599s -
max time network
601s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:25
Behavioral task
behavioral1
Sample
DUMP_00A10000-00A1D000.exe.ViR.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
Resource
win7-20240708-en
Behavioral task
behavioral3
Sample
Dumped_.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
EntrateSetup.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
ErrorFileRemover.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
ExtraTools.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
F45F47EDCED7FAC5A99C45AB4B8C2D54.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
decrypt_0000000000000020-000A0000.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
dircrypt.deobf.exe
Resource
win7-20241023-en
Behavioral task
behavioral11
Sample
dma locker 4.0.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
downloader.js
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
dump.mem.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe
Resource
win7-20240708-en
Behavioral task
behavioral15
Sample
e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe
Resource
win7-20240729-en
Behavioral task
behavioral17
Sample
e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
e8e07496df5370d2e49ecce5a47c1fd2.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
ea8292721a34ca2f1831447868bbe91e.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.dll
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js
Resource
win7-20241023-en
Behavioral task
behavioral24
Sample
encrypter.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk
Resource
win7-20240729-en
Behavioral task
behavioral27
Sample
f213e54c8520e7458751020edf15a5ea.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
f2c8eee2cd88b834e9d4c0eb4930f03f.exe
Resource
win7-20241023-en
Behavioral task
behavioral29
Sample
f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
f6a8d7a4291c55020101d046371a8bda.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
f9151107655aaa6db995888a7cb69ada.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll
Resource
win7-20241010-en
General
-
Target
EntrateSetup.exe
-
Size
261KB
-
MD5
cd6258b33207e85f20fec5f39d9ba09f
-
SHA1
fc132ed8922a767061abfd372dfb6f23bd8c0b62
-
SHA256
103bc884dce60ec680dd00bcd2d45721319b526b2f6ae7ebe75c73a5c977dafe
-
SHA512
2d0f5c0ee81b050fa99dc40fd5ea1864ae68f4d08a7610ea08f8c99e589d90d917a009ff25286d4351b133cf466a408e442c99a8b8cca99d81a81af8e4c6ab49
-
SSDEEP
6144:oxagl7jMOfUsQgatPpi9SQG7q94Al6HnIpOLoG7SYQ5SFZ:oxagRjM+JQ1Pp2y1Al6HesZ7Sl8Z
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apoloqop = "\"C:\\Windows\\uricvwef.exe\"" explorer.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA EntrateSetup.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2384 set thread context of 2104 2384 EntrateSetup.exe 30 -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\uricvwef.exe explorer.exe File created C:\Windows\uricvwef.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EntrateSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 636 vssadmin.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" explorer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2384 EntrateSetup.exe 2384 EntrateSetup.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 3012 vssvc.exe Token: SeRestorePrivilege 3012 vssvc.exe Token: SeAuditPrivilege 3012 vssvc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2104 2384 EntrateSetup.exe 30 PID 2384 wrote to memory of 2104 2384 EntrateSetup.exe 30 PID 2384 wrote to memory of 2104 2384 EntrateSetup.exe 30 PID 2384 wrote to memory of 2104 2384 EntrateSetup.exe 30 PID 2384 wrote to memory of 2104 2384 EntrateSetup.exe 30 PID 2104 wrote to memory of 636 2104 explorer.exe 31 PID 2104 wrote to memory of 636 2104 explorer.exe 31 PID 2104 wrote to memory of 636 2104 explorer.exe 31 PID 2104 wrote to memory of 636 2104 explorer.exe 31 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"2⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:636
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
261KB
MD5344d179eff7427801b599847c63d232a
SHA1d363462418f38d8f75361469429a4143b2f803f4
SHA25699a0358cbbd42544801443e0d729cc1ac6d983da93d248c99170b57c66fd31bc
SHA512e2e5e6784fe9ff7fbebc118354b1989552b41a650413a2723a402d2f1badabebb72399ff9bfc405a3cedfd03dddf6a4e7144b319eca05dff726cc52369dacc03