c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132

General

Target

c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
Size

840KB
MD5

6490aefbaf3e6a708269d771d8fd4136
SHA1

2ae6c5f0ec0faca746bf6ba3f5c7682a454de78c
SHA256

c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132
SHA512

6ef2fdfaae7db2dfc82c1600de2818c86b1be42bab42682aa27c37fd853a97e3316ac71081075994b3fa29a52c6f94cc29445dc2e5248d3e37ae31275f1e16f6

Score

9^/10

discovery ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3388 icacls.exe

pid	process
3388	icacls.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File created	C:\Users\Admin\AppData\Local\Temp\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4492 vssadmin.exe

pid	process
4492	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1856	WMIC.exe
Token: SeSecurityPrivilege	1856	WMIC.exe
Token: SeTakeOwnershipPrivilege	1856	WMIC.exe
Token: SeLoadDriverPrivilege	1856	WMIC.exe
Token: SeSystemProfilePrivilege	1856	WMIC.exe
Token: SeSystemtimePrivilege	1856	WMIC.exe
Token: SeProfSingleProcessPrivilege	1856	WMIC.exe
Token: SeIncBasePriorityPrivilege	1856	WMIC.exe
Token: SeCreatePagefilePrivilege	1856	WMIC.exe
Token: SeBackupPrivilege	1856	WMIC.exe
Token: SeRestorePrivilege	1856	WMIC.exe
Token: SeShutdownPrivilege	1856	WMIC.exe
Token: SeDebugPrivilege	1856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1856	WMIC.exe
Token: SeRemoteShutdownPrivilege	1856	WMIC.exe
Token: SeUndockPrivilege	1856	WMIC.exe
Token: SeManageVolumePrivilege	1856	WMIC.exe
Token: 33	1856	WMIC.exe
Token: 34	1856	WMIC.exe
Token: 35	1856	WMIC.exe
Token: 36	1856	WMIC.exe
Token: SeBackupPrivilege	4580	vssvc.exe
Token: SeRestorePrivilege	4580	vssvc.exe
Token: SeAuditPrivilege	4580	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1856	WMIC.exe
Token: SeSecurityPrivilege	1856	WMIC.exe
Token: SeTakeOwnershipPrivilege	1856	WMIC.exe
Token: SeLoadDriverPrivilege	1856	WMIC.exe
Token: SeSystemProfilePrivilege	1856	WMIC.exe
Token: SeSystemtimePrivilege	1856	WMIC.exe
Token: SeProfSingleProcessPrivilege	1856	WMIC.exe
Token: SeIncBasePriorityPrivilege	1856	WMIC.exe
Token: SeCreatePagefilePrivilege	1856	WMIC.exe
Token: SeBackupPrivilege	1856	WMIC.exe
Token: SeRestorePrivilege	1856	WMIC.exe
Token: SeShutdownPrivilege	1856	WMIC.exe
Token: SeDebugPrivilege	1856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1856	WMIC.exe
Token: SeRemoteShutdownPrivilege	1856	WMIC.exe
Token: SeUndockPrivilege	1856	WMIC.exe
Token: SeManageVolumePrivilege	1856	WMIC.exe
Token: 33	1856	WMIC.exe
Token: 34	1856	WMIC.exe
Token: 35	1856	WMIC.exe
Token: 36	1856	WMIC.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4776 wrote to memory of 3908	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 3908	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 3908	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 3908 wrote to memory of 3388	3908	cmd.exe	icacls.exe
PID 3908 wrote to memory of 3388	3908	cmd.exe	icacls.exe
PID 3908 wrote to memory of 3388	3908	cmd.exe	icacls.exe
PID 4776 wrote to memory of 4168	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 4168	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 4168	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 4192	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 4192	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 4192	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 3256	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 3256	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 3256	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 3336	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 3336	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 3336	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 4008	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 4008	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 4776 wrote to memory of 4008	4776	c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe	cmd.exe
PID 3336 wrote to memory of 1856	3336	cmd.exe	WMIC.exe
PID 3336 wrote to memory of 1856	3336	cmd.exe	WMIC.exe
PID 3336 wrote to memory of 1856	3336	cmd.exe	WMIC.exe
PID 4008 wrote to memory of 4492	4008	cmd.exe	vssadmin.exe
PID 4008 wrote to memory of 4492	4008	cmd.exe	vssadmin.exe
PID 4008 wrote to memory of 4492	4008	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
"C:\Users\Admin\AppData\Local\Temp\c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C "icacls . /grant Everyone:F /T /C /Q"
2⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:3388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C "wbadmin delete catalog - quiet"
2⤵
PID:4168

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C "bcdedit /set { default } bootstatuspolicy ignoreallfailures"
2⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C "bcdedit /set { default } recoveryenabled no"
2⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C "wmic shadowcopy delete"
2⤵
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C "vssadmin delete shadows /All /Quiet"
2⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:4492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1856-121-0x0000000000000000-mapping.dmp

Download
memory/3256-118-0x0000000000000000-mapping.dmp

Download
memory/3336-119-0x0000000000000000-mapping.dmp

Download
memory/3388-115-0x0000000000000000-mapping.dmp

Download
memory/3908-114-0x0000000000000000-mapping.dmp

Download
memory/4008-120-0x0000000000000000-mapping.dmp

Download
memory/4168-116-0x0000000000000000-mapping.dmp

Download
memory/4192-117-0x0000000000000000-mapping.dmp

Download
memory/4492-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads