cafe67023ec713f4227dad3040b08f90dc22235c1c45e1b6b6e0fd9fb6ebdf3b

General

Target

65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe
Size

2.1MB
MD5

d483bd9c3dec2b995b9047757962c448
SHA1

4769c4ea12faf9049e04196829f8e9117bf78f8a
SHA256

65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b
SHA512

3cba348d7497577a946b98510179a241d42337dd93c69652e7db59e10aee39b77fc85869c5bab7fff81d42eab5c29d724a153af784bf85fbeaef9171b1750ca0

Score

9^/10

ransomware persistence

Malware Config

Signatures

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys_startup.exe	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.html	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\GetUpdate.png.silvertor	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe
File created	C:\Users\Admin\Pictures\HideEdit.png.silvertor	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1424	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	25
PID 1060 wrote to memory of 1424	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	25
PID 1060 wrote to memory of 1424	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	25
PID 1060 wrote to memory of 1084	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	27
PID 1060 wrote to memory of 1084	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	27
PID 1060 wrote to memory of 1084	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	27
PID 1084 wrote to memory of 1688	1084	powershell.exe	28
PID 1084 wrote to memory of 1688	1084	powershell.exe	28
PID 1084 wrote to memory of 1688	1084	powershell.exe	28
PID 1688 wrote to memory of 1792	1688	cmd.exe	30
PID 1688 wrote to memory of 1792	1688	cmd.exe	30
PID 1688 wrote to memory of 1792	1688	cmd.exe	30
PID 1688 wrote to memory of 892	1688	cmd.exe	33
PID 1688 wrote to memory of 892	1688	cmd.exe	33
PID 1688 wrote to memory of 892	1688	cmd.exe	33
PID 1060 wrote to memory of 2028	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	37
PID 1060 wrote to memory of 2028	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	37
PID 1060 wrote to memory of 2028	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	37
PID 1060 wrote to memory of 1208	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	39
PID 1060 wrote to memory of 1208	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	39
PID 1060 wrote to memory of 1208	1060	65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe	39

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1424	powershell.exe
1424	powershell.exe
1084	powershell.exe
1084	powershell.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1792	vssadmin.exe
892	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe
"C:\Users\Admin\AppData\Local\Temp\65ea49a50355ef7cca16d13478d48bd59a3e18305ccf9c3c25d174f979bf7b4b.exe"
1⤵
- Drops startup file
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" get-wmiobject win32_computersystem | "fl model"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Start-Process C:\ProgramData\cmdkey.bat -Verb runas
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\cmdkey.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1792
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=300MB
      4⤵
      Interacts with shadow copies
      PID:892
- C:\Windows\system32\cmd.exe
  "cmd" /c time /t
  2⤵
  PID:2028
- C:\Windows\system32\cmd.exe
  "cmd" /c time /t
  2⤵
  PID:1208