58290a95e1795ec7312e4ce26bfff7e0fb7a620a3aac2627d3ae6c83f5a4bf60

General

Target

ransomware.exe
Size

678KB
MD5

35271695a6202c514fef4520d49886ea
SHA1

8a7cc5c0f41ae45064a88ec67ab0e8a3ca2514f2
SHA256

58290a95e1795ec7312e4ce26bfff7e0fb7a620a3aac2627d3ae6c83f5a4bf60
SHA512

ff9e77f83fc28c4461cd335bb41b762e93ac57ad15c2489631ed4869a0c1d0fb94b1491629fcb29bb96629a5dcaaeedc9b31b07055d1465a14a685235fd8d4f9

Score

10^/10

evasion trojan ransomware spyware persistence

Malware Config

Signatures

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1016 vssadmin.exe
1780 vssadmin.exe
1908 vssadmin.exe

pid	process
1016	vssadmin.exe
1780	vssadmin.exe
1908	vssadmin.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

ransomware.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ransomware.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Suspicious behavior: EnumeratesProcesses 1125 IoCs

Processes:

ransomware.exe

pid	process
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe
1496	ransomware.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

vssvc.exewmic.exewmic.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	1044	vssvc.exe
Token: SeRestorePrivilege	1044	vssvc.exe
Token: SeAuditPrivilege	1044	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1520	wmic.exe
Token: SeSecurityPrivilege	1520	wmic.exe
Token: SeTakeOwnershipPrivilege	1520	wmic.exe
Token: SeLoadDriverPrivilege	1520	wmic.exe
Token: SeSystemProfilePrivilege	1520	wmic.exe
Token: SeSystemtimePrivilege	1520	wmic.exe
Token: SeProfSingleProcessPrivilege	1520	wmic.exe
Token: SeIncBasePriorityPrivilege	1520	wmic.exe
Token: SeCreatePagefilePrivilege	1520	wmic.exe
Token: SeBackupPrivilege	1520	wmic.exe
Token: SeRestorePrivilege	1520	wmic.exe
Token: SeShutdownPrivilege	1520	wmic.exe
Token: SeDebugPrivilege	1520	wmic.exe
Token: SeSystemEnvironmentPrivilege	1520	wmic.exe
Token: SeRemoteShutdownPrivilege	1520	wmic.exe
Token: SeUndockPrivilege	1520	wmic.exe
Token: SeManageVolumePrivilege	1520	wmic.exe
Token: 33	1520	wmic.exe
Token: 34	1520	wmic.exe
Token: 35	1520	wmic.exe
Token: SeIncreaseQuotaPrivilege	1852	wmic.exe
Token: SeSecurityPrivilege	1852	wmic.exe
Token: SeTakeOwnershipPrivilege	1852	wmic.exe
Token: SeLoadDriverPrivilege	1852	wmic.exe
Token: SeSystemProfilePrivilege	1852	wmic.exe
Token: SeSystemtimePrivilege	1852	wmic.exe
Token: SeProfSingleProcessPrivilege	1852	wmic.exe
Token: SeIncBasePriorityPrivilege	1852	wmic.exe
Token: SeCreatePagefilePrivilege	1852	wmic.exe
Token: SeBackupPrivilege	1852	wmic.exe
Token: SeRestorePrivilege	1852	wmic.exe
Token: SeShutdownPrivilege	1852	wmic.exe
Token: SeDebugPrivilege	1852	wmic.exe
Token: SeSystemEnvironmentPrivilege	1852	wmic.exe
Token: SeRemoteShutdownPrivilege	1852	wmic.exe
Token: SeUndockPrivilege	1852	wmic.exe
Token: SeManageVolumePrivilege	1852	wmic.exe
Token: 33	1852	wmic.exe
Token: 34	1852	wmic.exe
Token: 35	1852	wmic.exe
Token: SeIncreaseQuotaPrivilege	1824	wmic.exe
Token: SeSecurityPrivilege	1824	wmic.exe
Token: SeTakeOwnershipPrivilege	1824	wmic.exe
Token: SeLoadDriverPrivilege	1824	wmic.exe
Token: SeSystemProfilePrivilege	1824	wmic.exe
Token: SeSystemtimePrivilege	1824	wmic.exe
Token: SeProfSingleProcessPrivilege	1824	wmic.exe
Token: SeIncBasePriorityPrivilege	1824	wmic.exe
Token: SeCreatePagefilePrivilege	1824	wmic.exe
Token: SeBackupPrivilege	1824	wmic.exe
Token: SeRestorePrivilege	1824	wmic.exe
Token: SeShutdownPrivilege	1824	wmic.exe
Token: SeDebugPrivilege	1824	wmic.exe
Token: SeSystemEnvironmentPrivilege	1824	wmic.exe
Token: SeRemoteShutdownPrivilege	1824	wmic.exe
Token: SeUndockPrivilege	1824	wmic.exe
Token: SeManageVolumePrivilege	1824	wmic.exe
Token: 33	1824	wmic.exe
Token: 34	1824	wmic.exe
Token: 35	1824	wmic.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

784 svhost.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ransomware.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ransomware.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Drops desktop.ini file(s) 1 IoCs

Processes:

ransomware.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini ransomware.exe

pid	process
784	svhost.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	ransomware.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ransomware.exetaskeng.exe

description	pid	process	target process
PID 1496 wrote to memory of 1016	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1016	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1016	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1016	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1520	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1520	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1520	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1520	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1780	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1780	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1780	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1780	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1852	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1852	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1852	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1852	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1908	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1908	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1908	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1908	1496	ransomware.exe	vssadmin.exe
PID 1496 wrote to memory of 1824	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1824	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1824	1496	ransomware.exe	wmic.exe
PID 1496 wrote to memory of 1824	1496	ransomware.exe	wmic.exe
PID 612 wrote to memory of 784	612	taskeng.exe	svhost.exe
PID 612 wrote to memory of 784	612	taskeng.exe	svhost.exe
PID 612 wrote to memory of 784	612	taskeng.exe	svhost.exe
PID 612 wrote to memory of 784	612	taskeng.exe	svhost.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ransomware.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ransomware.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ransomware.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
1⤵
- System policy modification
- Suspicious behavior: EnumeratesProcesses
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
- UAC bypass
PID:1496

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1016

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1780

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1908

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\taskeng.exe
taskeng.exe {03A0AD7B-8A07-43C1-BFC9-ACCA638BE6F9} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:612