f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

General

Target

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
Size

1.8MB
MD5

10d7151b9ee53b8da8ee6f85001ffb20
SHA1

76d33ef58ea7b012342d975d871db64840da9675
SHA256

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093
SHA512

1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\UseInstall.tif.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\BlockSave.tiff	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\BlockSave.tiff.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

Drops startup file 1 IoCs

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1168 vssadmin.exe
2516 vssadmin.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1492 powershell.exe
580 powershell.exe

pid	process
1168	vssadmin.exe
2516	vssadmin.exe

pid	process
1492	powershell.exe
580	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exepowershell.execmd.exenet.exenet.exe

description	pid	process	target process
PID 756 wrote to memory of 1492	756	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 756 wrote to memory of 1492	756	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 756 wrote to memory of 1492	756	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 756 wrote to memory of 580	756	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 756 wrote to memory of 580	756	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 756 wrote to memory of 580	756	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 580 wrote to memory of 768	580	powershell.exe	cmd.exe
PID 580 wrote to memory of 768	580	powershell.exe	cmd.exe
PID 580 wrote to memory of 768	580	powershell.exe	cmd.exe
PID 768 wrote to memory of 1168	768	cmd.exe	vssadmin.exe
PID 768 wrote to memory of 1168	768	cmd.exe	vssadmin.exe
PID 768 wrote to memory of 1168	768	cmd.exe	vssadmin.exe
PID 768 wrote to memory of 2516	768	cmd.exe	vssadmin.exe
PID 768 wrote to memory of 2516	768	cmd.exe	vssadmin.exe
PID 768 wrote to memory of 2516	768	cmd.exe	vssadmin.exe
PID 768 wrote to memory of 2548	768	cmd.exe	net.exe
PID 768 wrote to memory of 2548	768	cmd.exe	net.exe
PID 768 wrote to memory of 2548	768	cmd.exe	net.exe
PID 2548 wrote to memory of 2560	2548	net.exe	net1.exe
PID 2548 wrote to memory of 2560	2548	net.exe	net1.exe
PID 2548 wrote to memory of 2560	2548	net.exe	net1.exe
PID 768 wrote to memory of 2588	768	cmd.exe	net.exe
PID 768 wrote to memory of 2588	768	cmd.exe	net.exe
PID 768 wrote to memory of 2588	768	cmd.exe	net.exe
PID 2588 wrote to memory of 2600	2588	net.exe	net1.exe
PID 2588 wrote to memory of 2600	2588	net.exe	net1.exe
PID 2588 wrote to memory of 2600	2588	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1168

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
4⤵
- Interacts with shadow copies
PID:2516

C:\Windows\system32\net.exe
net user /add RedROMAN p4zzaub71h
4⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
5⤵
PID:2560

C:\Windows\system32\net.exe
net localgroup administrators RedROMAN /add
4⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators RedROMAN /add
5⤵
PID:2600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2392

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\amdkey.bat
MD5
e1ccfa2c9fccc3306d6a2beafee97e88

SHA1
769a6f5692364611fb1c97b7f8909e305df46b0c

SHA256
8c6a13f418d0c11640ea15a0c42a4edc9f4175c4c924573c35b86929a7d25aaf

SHA512
f5ecf42ded57faa60cd98f7e43438c7b7158afb7061b836805469840880ae6b980dfe99f66bce8b52f2fa27eb0d07a48631da8f8fb82a3f12754a2024d70460c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
a04b904ec4a4fd5c196bc393d6909e61

SHA1
5f9caea37f8f29f80e3840bcdc2bca718da1dfa0

SHA256
1b860670ed085ad5181b2d54e06b4540130c6ae50d12e2caa0eeb5f93404732a

SHA512
d2fa346c81c036a83aeb26aad639e0b4ff396421f968e0a3fe82bdc293214946c28b71a817f9c888ac01e1d5431d8e0c1f371272489228e5d4c50282716c75c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
9f4fb4e2047da217377c0ad64ef5b008

SHA1
2ecec5eedcec1a1a6b065e33a8260bb5cf6116a0

SHA256
36fc811b999c5b690cd9bf4ebdbd39c984a94136dd0aa5746a3edaf2c7c50923

SHA512
d66ccd4a90e6b509cbe5379a28f098d2cf2f05ab3de3b90321e956a1080c470f852cdf5f8181a494e34bba5f22b61529bc8915d6017a528ad56b9afeefdef6d4

Download Submit
memory/580-12-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/580-14-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/580-17-0x000000001BC40000-0x000000001BC41000-memory.dmp

Filesize
4KB

Download
memory/580-15-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/580-13-0x000000001AE40000-0x000000001AE41000-memory.dmp

Filesize
4KB

Download
memory/580-11-0x000007FEF5F30000-0x000007FEF691C000-memory.dmp

Filesize
9.9MB

Download
memory/580-9-0x0000000000000000-mapping.dmp

Download
memory/756-0-0x000000013F8A0000-0x000000013FA71000-memory.dmp

Filesize
1.8MB

Download
memory/768-19-0x0000000000000000-mapping.dmp

Download
memory/1168-20-0x0000000000000000-mapping.dmp

Download
memory/1492-1-0x0000000000000000-mapping.dmp

Download
memory/1492-4-0x000000001AC60000-0x000000001AC61000-memory.dmp

Filesize
4KB

Download
memory/1492-6-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1492-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/1492-5-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1492-3-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1492-7-0x000000001B6C0000-0x000000001B6C1000-memory.dmp

Filesize
4KB

Download
memory/1492-8-0x000000001C4F0000-0x000000001C4F1000-memory.dmp

Filesize
4KB

Download
memory/2516-21-0x0000000000000000-mapping.dmp

Download
memory/2548-22-0x0000000000000000-mapping.dmp

Download
memory/2560-23-0x0000000000000000-mapping.dmp

Download
memory/2588-24-0x0000000000000000-mapping.dmp

Download
memory/2600-25-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads