Analysis
-
max time kernel
134s -
max time network
137s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 09:44
Static task
static1
Behavioral task
behavioral1
Sample
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Resource
win10-en-20210920
General
-
Target
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
-
Size
156KB
-
MD5
9832040cb9c0aa58cd12d656f82420ba
-
SHA1
74a62abd145e9571e029db76c06c3100bfb3f4a9
-
SHA256
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
-
SHA512
f41ea39996bd4dd11d6df8250754612068e52e42da6c737340b0d73e71d487a2f9074ea0394957f34bb3cbc72a0cb3aa479b91a7c4177089ccdc1578a232cf49
Malware Config
Extracted
C:\odt\!TXDOT_READ_ME!.txt
Signatures
-
Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
-
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
-
Clears Windows event logs 1 TTPs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1696 bcdedit.exe 1156 bcdedit.exe -
pid Process 2724 wbadmin.exe -
Disables use of System Restore points 1 TTPs
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\FindSuspend.tiff => C:\Users\Admin\Pictures\FindSuspend.tiff.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File opened for modification C:\Users\Admin\Pictures\ReadConnect.tiff 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\ReadConnect.tiff => C:\Users\Admin\Pictures\ReadConnect.tiff.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\RepairOpen.png => C:\Users\Admin\Pictures\RepairOpen.png.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\AssertDisconnect.crw => C:\Users\Admin\Pictures\AssertDisconnect.crw.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File opened for modification C:\Users\Admin\Pictures\FindSuspend.tiff 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\ClosePublish.png => C:\Users\Admin\Pictures\ClosePublish.png.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe -
Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: cipher.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName vds.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeSecurityPrivilege 2316 wevtutil.exe Token: SeBackupPrivilege 2316 wevtutil.exe Token: SeSecurityPrivilege 2408 wevtutil.exe Token: SeBackupPrivilege 2408 wevtutil.exe Token: SeSecurityPrivilege 1368 wevtutil.exe Token: SeBackupPrivilege 1368 wevtutil.exe Token: SeSecurityPrivilege 1992 wevtutil.exe Token: SeBackupPrivilege 1992 wevtutil.exe Token: SeSecurityPrivilege 1336 wevtutil.exe Token: SeBackupPrivilege 1336 wevtutil.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2132 wrote to memory of 1376 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 80 PID 2132 wrote to memory of 1580 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 82 PID 2132 wrote to memory of 1376 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 80 PID 2132 wrote to memory of 1580 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 82 PID 2132 wrote to memory of 1992 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 79 PID 2132 wrote to memory of 1992 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 79 PID 2132 wrote to memory of 1336 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 78 PID 2132 wrote to memory of 1336 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 78 PID 2132 wrote to memory of 1368 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 73 PID 2132 wrote to memory of 1368 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 73 PID 2132 wrote to memory of 2348 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 77 PID 2132 wrote to memory of 2348 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 77 PID 2132 wrote to memory of 2348 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 77 PID 2132 wrote to memory of 1696 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 76 PID 2132 wrote to memory of 1696 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 76 PID 2132 wrote to memory of 2408 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 75 PID 2132 wrote to memory of 2408 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 75 PID 2132 wrote to memory of 2724 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 83 PID 2132 wrote to memory of 2724 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 83 PID 2132 wrote to memory of 2316 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 74 PID 2132 wrote to memory of 2316 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 74 PID 2132 wrote to memory of 1156 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 81 PID 2132 wrote to memory of 1156 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 81 PID 2132 wrote to memory of 1796 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 84 PID 2132 wrote to memory of 1796 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 84 PID 2132 wrote to memory of 1796 2132 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe"C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe"1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl System2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" sl Security /e:false2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Setup2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1696
-
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /w:C:2⤵PID:2348
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\System32\fsutil.exe"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:2⤵PID:1376
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1156
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:1580
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete catalog -quiet2⤵
- Deletes backup catalog
PID:2724
-
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /w:D:2⤵
- Enumerates connected drives
PID:1796
-
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:1540
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1428
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:1036