Overview

overview

10

Static

static

10

fcc2921020...le.exe

windows7_x64

9

fcc2921020...le.exe

windows10_x64

9

Resubmissions

23-09-2021 15:15

210923-sm8bysege5 10

26-07-2021 12:41

210726-mpfkjgshnx 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    23-09-2021 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020.sample.exe

  • Size

    21KB

  • MD5

    ce3cd1dab67814f5f153bccdaf502f4c

  • SHA1

    f246984193c927414e543d936d1fb643a2dff77b

  • SHA256

    fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020

  • SHA512

    015a9c54e65888cd0bf6e74ec26ddf42ba860b48ca56024a8f822be0cd56ed04fb80891ef21857f5ac65c97f6ecb050a1f1c33d1c5e9afddfcab0c59517a95e4

Score
9/10
ransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020.sample.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1608-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1800-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

    Filesize

    8KB

    Download