79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea

General

Target

79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
Size

207KB
MD5

b961eb350e94cead67efae131b3fff4c
SHA1

f22185fd187244b96f96184359b4f7a7ad8542b0
SHA256

79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea
SHA512

d2a1a1255f8313a1125c59218be8fecbb46604663c964477b8cd381c78381ffc0aca518f781be87d355d4d0e043dc5d773ae1bb4af2c8716b0f56f293cd4956c

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\pictures\RemoveStart.tiff	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\143001 = "143001"	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\DB577955-A70528A9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe\" -id \"DB577955-A70528A9\" -wid \"1\""	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

396 vssadmin.exe

pid	process
396	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

pid	process
1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

WMIC.exevssvc.exe79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	632	WMIC.exe
Token: SeSecurityPrivilege	632	WMIC.exe
Token: SeTakeOwnershipPrivilege	632	WMIC.exe
Token: SeLoadDriverPrivilege	632	WMIC.exe
Token: SeSystemProfilePrivilege	632	WMIC.exe
Token: SeSystemtimePrivilege	632	WMIC.exe
Token: SeProfSingleProcessPrivilege	632	WMIC.exe
Token: SeIncBasePriorityPrivilege	632	WMIC.exe
Token: SeCreatePagefilePrivilege	632	WMIC.exe
Token: SeBackupPrivilege	632	WMIC.exe
Token: SeRestorePrivilege	632	WMIC.exe
Token: SeShutdownPrivilege	632	WMIC.exe
Token: SeDebugPrivilege	632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	632	WMIC.exe
Token: SeRemoteShutdownPrivilege	632	WMIC.exe
Token: SeUndockPrivilege	632	WMIC.exe
Token: SeManageVolumePrivilege	632	WMIC.exe
Token: 33	632	WMIC.exe
Token: 34	632	WMIC.exe
Token: 35	632	WMIC.exe
Token: SeBackupPrivilege	896	vssvc.exe
Token: SeRestorePrivilege	896	vssvc.exe
Token: SeAuditPrivilege	896	vssvc.exe
Token: SeIncreaseQuotaPrivilege	632	WMIC.exe
Token: SeSecurityPrivilege	632	WMIC.exe
Token: SeTakeOwnershipPrivilege	632	WMIC.exe
Token: SeLoadDriverPrivilege	632	WMIC.exe
Token: SeSystemProfilePrivilege	632	WMIC.exe
Token: SeSystemtimePrivilege	632	WMIC.exe
Token: SeProfSingleProcessPrivilege	632	WMIC.exe
Token: SeIncBasePriorityPrivilege	632	WMIC.exe
Token: SeCreatePagefilePrivilege	632	WMIC.exe
Token: SeBackupPrivilege	632	WMIC.exe
Token: SeRestorePrivilege	632	WMIC.exe
Token: SeShutdownPrivilege	632	WMIC.exe
Token: SeDebugPrivilege	632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	632	WMIC.exe
Token: SeRemoteShutdownPrivilege	632	WMIC.exe
Token: SeUndockPrivilege	632	WMIC.exe
Token: SeManageVolumePrivilege	632	WMIC.exe
Token: 33	632	WMIC.exe
Token: 34	632	WMIC.exe
Token: 35	632	WMIC.exe
Token: SeDebugPrivilege	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.execmd.execmd.exe

description	pid	process	target process
PID 1420 wrote to memory of 1704	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1704	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1704	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1704	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1164	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1164	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1164	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1164	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 748	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 748	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 748	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 748	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1704 wrote to memory of 396	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 396	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 396	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 396	1704	cmd.exe	vssadmin.exe
PID 1420 wrote to memory of 1004	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1004	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1004	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 1004	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 984	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 984	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 984	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 984	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 536	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 536	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 536	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1420 wrote to memory of 536	1420	79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe	cmd.exe
PID 1004 wrote to memory of 632	1004	cmd.exe	WMIC.exe
PID 1004 wrote to memory of 632	1004	cmd.exe	WMIC.exe
PID 1004 wrote to memory of 632	1004	cmd.exe	WMIC.exe
PID 1004 wrote to memory of 632	1004	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
"C:\Users\Admin\AppData\Local\Temp\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
2⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
2⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
2⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
2⤵
PID:536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-64-0x0000000000000000-mapping.dmp

Download
memory/536-67-0x0000000000000000-mapping.dmp

Download
memory/632-68-0x0000000000000000-mapping.dmp

Download
memory/748-63-0x0000000000000000-mapping.dmp

Download
memory/984-66-0x0000000000000000-mapping.dmp

Download
memory/1004-65-0x0000000000000000-mapping.dmp

Download
memory/1164-62-0x0000000000000000-mapping.dmp

Download
memory/1420-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1704-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads