edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7v20210410
submitted
28/05/2021, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Size

893KB
MD5

8856669b9a76eeb19e5673db6c4491ab
SHA1

2d328721640ebb3ddeb971316141fd2b3a84ae84
SHA256

edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf
SHA512

96af5e42d4aab9ffbe10f4db0e2811d7e00ceebed7ed52b8e679164a92011bfa8eb7c33864be3b3e92358ba3b30ba87bab25cde9ee9163b325a7b542eea621e3

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\d:	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened (read-only)	\??\d:	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\logg.bat	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
File opened for modification	\??\c:\windows\logg.bat	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	2996	WerFault.exe	42

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1708	vssadmin.exe
3060	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeRestorePrivilege	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeTakeOwnershipPrivilege	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeAuditPrivilege	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeSecurityPrivilege	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeDebugPrivilege	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeRestorePrivilege	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeTakeOwnershipPrivilege	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeBackupPrivilege	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeAuditPrivilege	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeSecurityPrivilege	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
Token: SeDebugPrivilege	2980	WerFault.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 1972	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	26
PID 788 wrote to memory of 1972	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	26
PID 788 wrote to memory of 1972	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	26
PID 788 wrote to memory of 1972	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	26
PID 788 wrote to memory of 1460	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	32
PID 788 wrote to memory of 1460	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	32
PID 788 wrote to memory of 1460	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	32
PID 788 wrote to memory of 1460	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	32
PID 788 wrote to memory of 1708	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	33
PID 788 wrote to memory of 1708	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	33
PID 788 wrote to memory of 1708	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	33
PID 788 wrote to memory of 1708	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	33
PID 788 wrote to memory of 2928	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	38
PID 788 wrote to memory of 2928	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	38
PID 788 wrote to memory of 2928	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	38
PID 788 wrote to memory of 2928	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	38
PID 788 wrote to memory of 2968	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	40
PID 788 wrote to memory of 2968	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	40
PID 788 wrote to memory of 2968	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	40
PID 788 wrote to memory of 2968	788	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	40
PID 2996 wrote to memory of 3048	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	43
PID 2996 wrote to memory of 3048	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	43
PID 2996 wrote to memory of 3048	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	43
PID 2996 wrote to memory of 3048	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	43
PID 2996 wrote to memory of 3060	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	44
PID 2996 wrote to memory of 3060	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	44
PID 2996 wrote to memory of 3060	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	44
PID 2996 wrote to memory of 3060	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	44
PID 2996 wrote to memory of 2980	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	47
PID 2996 wrote to memory of 2980	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	47
PID 2996 wrote to memory of 2980	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	47
PID 2996 wrote to memory of 2980	2996	edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe	47

C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
"C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\windows\system32\sc.exe
  "C:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe" start= auto
  2⤵
  PID:1972
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:1460
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1708
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" create defragsrv binpath= "C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe" start= auto
  2⤵
  PID:2928
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" start defragsrv
  2⤵
  PID:2968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
C:\Users\Admin\AppData\Local\Temp\edf9912bf2c8c7d9048bc6322900231810de7cc34267acc12e1a256fbecdbbdf.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:3048
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 4196
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads