Overview

Static analysis: score 10

Behavioral tasks (score out of 10, sample, platform):

Score  Sample                 Platform
8      0099963e72...79.exe    windows7_x64
9      0099963e72...79.exe    windows10_x64
9      028facff67...fc.exe    windows7_x64
10     028facff67...fc.exe    windows10_x64
10     0294114d5f...59.exe    windows7_x64
10     0294114d5f...59.exe    windows10_x64
10     02e9883501...c3.exe    windows7_x64
9      02e9883501...c3.exe    windows10_x64
9      03110baa5a...d7.exe    windows7_x64
10     03110baa5a...d7.exe    windows10_x64
10     0b93a024b5...2f.exe    windows7_x64
10     0b93a024b5...2f.exe    windows10_x64
10     12c561ac82...f8.exe    windows7_x64
10     12c561ac82...f8.exe    windows10_x64
10     15656e1825...d3.exe    windows7_x64
10     15656e1825...d3.exe    windows10_x64
10     18e282e680...5f.exe    windows7_x64
10     18e282e680...5f.exe    windows10_x64
10     1ab45a508d...38.exe    windows7_x64
10     1ab45a508d...38.exe    windows10_x64
10     1d40f42fa3...94.exe    windows7_x64
10     1d40f42fa3...94.exe    windows10_x64
10     1deb1efad2...02.exe    windows7_x64
10     1deb1efad2...02.exe    windows10_x64
10     1e24560100...90.exe    windows7_x64
10     1e24560100...90.exe    windows10_x64
10     63b6a51be7...85.exe    windows7_x64
10     63b6a51be7...85.exe    windows10_x64
Analysis (score 10)

max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-en-20211208
submitted: 15-12-2021 06:21
Tasks

Static task: static1

Behavioral tasks (task, sample, resource):

behavioral1    0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879.exe    win7-en-20211208
behavioral2    0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879.exe    win10-en-20211208
behavioral3    028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe    win7-en-20211208
behavioral4    028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc.exe    win10-en-20211208
behavioral5    0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe    win7-en-20211208
behavioral6    0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59.exe    win10-en-20211208
behavioral7    02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3.exe    win7-en-20211208
behavioral8    02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3.exe    win10-en-20211208
behavioral9    03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7.exe    win7-en-20211208
behavioral10   03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7.exe    win10-en-20211208
behavioral11   0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe    win7-en-20211208
behavioral12   0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f.exe    win10-en-20211208
behavioral13   12c561ac827c3f79afff026b0b1d3ddec7c4b591946e2b794a4d00c423b1c8f8.exe    win7-en-20211208
behavioral14   12c561ac827c3f79afff026b0b1d3ddec7c4b591946e2b794a4d00c423b1c8f8.exe    win10-en-20211208
behavioral15   15656e1825383c4749fadcc46f9825df6262ca2f1f98d895d64c840febe3d9d3.exe    win7-en-20211208
behavioral16   15656e1825383c4749fadcc46f9825df6262ca2f1f98d895d64c840febe3d9d3.exe    win10-en-20211208
behavioral17   18e282e6806903ff00a78b91f6d0ad1bc3aae4b4846d6a5705c036a88138605f.exe    win7-en-20211208
behavioral18   18e282e6806903ff00a78b91f6d0ad1bc3aae4b4846d6a5705c036a88138605f.exe    win10-en-20211208
behavioral19   1ab45a508da655ef755ad4394f869c664f664b3ac111875704a583e9485f2238.exe    win7-en-20211208
behavioral20   1ab45a508da655ef755ad4394f869c664f664b3ac111875704a583e9485f2238.exe    win10-en-20211208
behavioral21   1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe    win7-en-20211208
behavioral22   1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994.exe    win10-en-20211208
behavioral23   1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402.exe    win7-en-20211208
behavioral24   1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402.exe    win10-en-20211208
behavioral25   1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90.exe    win7-en-20211208
behavioral26   1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90.exe    win10-en-20211208
behavioral27   63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe    win7-en-20211208
behavioral28   63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe    win10-en-20211208
General

Target: 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe
Size: 25KB
MD5: a22ca06bb3a58d4ca2bca856434b96f3
SHA1: 4a12e232b2442746334ef5d94fab4c3577b33de7
SHA256: 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85
SHA512: e0f22e150d52b22a2033a4e9a8f99f2d17a2eb496d039b11ef217a94c711f51db4f5b07d941335ace99c10d824fc547494b2b3ee2458c8239853d4780fe283c1
Malware Config

Extracted
Ransom note path: C:\Help Restore Your Files.txt
Bitcoin address: 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files. Every rename below appends .doydo to the original name and is followed by the renamed file being opened for modification, all by the sample itself.
Process: 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe
  File renamed                  C:\Users\Admin\Pictures\ResumeApprove.png => C:\Users\Admin\Pictures\ResumeApprove.png.doydo
  File opened for modification  C:\Users\Admin\Pictures\ResumeApprove.png.doydo
  File renamed                  C:\Users\Admin\Pictures\ResumeDisable.png => C:\Users\Admin\Pictures\ResumeDisable.png.doydo
  File opened for modification  C:\Users\Admin\Pictures\ResumeDisable.png.doydo
  File renamed                  C:\Users\Admin\Pictures\SaveSplit.png => C:\Users\Admin\Pictures\SaveSplit.png.doydo
  File opened for modification  C:\Users\Admin\Pictures\SaveSplit.png.doydo
  File renamed                  C:\Users\Admin\Pictures\SkipDeny.crw => C:\Users\Admin\Pictures\SkipDeny.crw.doydo
  File opened for modification  C:\Users\Admin\Pictures\SkipDeny.crw.doydo

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe
  File opened (read-only), 24 drive roots, every letter except C: and D::
  \??\Q: \??\R: \??\O: \??\S: \??\J: \??\L: \??\V: \??\B: \??\W: \??\T: \??\G: \??\Y:
  \??\I: \??\P: \??\A: \??\F: \??\H: \??\K: \??\E: \??\U: \??\Z: \??\X: \??\N: \??\M:

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 844), vssadmin.exe (PID 1528)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe (PID 1612)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Process: vssvc.exe (PID 816)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
vssvc.exe is the Volume Shadow Copy service, started on demand when vssadmin.exe runs; these privilege adjustments are a side effect of the deletion request, not a separate malicious process.

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe, cmd.exe, cmd.exe
  Writer PID  Writer                        Target PID  Target        procid_target  Count
  1612        63b6a51be736d253...5e7e85.exe  1748        cmd.exe       27             4
  1748        cmd.exe                       844         vssadmin.exe  29             3
  1612        63b6a51be736d253...5e7e85.exe  1084        cmd.exe       32             4
  1084        cmd.exe                       1528        vssadmin.exe  34             3
Each write target is a child the writer itself spawned (compare the process tree), which is consistent with process creation rather than injection into an unrelated process.
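The "Modifies extensions of user files" signature above fires because the same suffix is glued onto several unrelated user files. The following script, an added example that is not part of the report or of any sandbox's own code, parses rename records in the "File renamed OLD => NEW PROCESS" shape the IoC list uses and groups them by the appended suffix, so the .doydo pattern falls out without any prior knowledge of the extension. The four .doydo renames are copied from the report; the explorer.exe rename, the "File opened for modification" line and the threshold of three files are constructed for the example.

```python
"""Spot an encryptor's appended extension in file-rename records.

Added example, not part of the sandbox report. Input lines follow the
report's IoC shape:  File renamed OLD => NEW PROCESS
"""
import re
from collections import defaultdict

SAMPLE = "63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe"
PICS = r"C:\Users\Admin\Pictures"

# Constructed input: the four .doydo renames are from the report, the other
# two lines are made up to show what the parser ignores.
IOC_LINES = [
    f"File renamed {PICS}\\ResumeApprove.png => {PICS}\\ResumeApprove.png.doydo {SAMPLE}",
    f"File opened for modification {PICS}\\ResumeApprove.png.doydo {SAMPLE}",
    f"File renamed {PICS}\\ResumeDisable.png => {PICS}\\ResumeDisable.png.doydo {SAMPLE}",
    f"File renamed {PICS}\\SaveSplit.png => {PICS}\\SaveSplit.png.doydo {SAMPLE}",
    f"File renamed {PICS}\\SkipDeny.crw => {PICS}\\SkipDeny.crw.doydo {SAMPLE}",
    # benign rename to a different name, not a suffix on the old one
    r"File renamed C:\Users\Admin\Documents\report.docx => C:\Users\Admin\Documents\report_final.docx explorer.exe",
]

# Non-greedy groups plus the end anchor let paths contain spaces as long as
# the trailing process name does not.
_RENAME = re.compile(r"^File renamed (.+?) => (.+?) (\S+)$")


def parse_rename(line: str):
    """Return (old_path, new_path, process), or None for lines that are not renames."""
    m = _RENAME.match(line.strip())
    return m.groups() if m else None


def appended_extension(old: str, new: str):
    """The suffix glued onto the old name (e.g. ".doydo"), or None.

    NEW must be OLD plus ".something" in the same directory; a rename to a
    different base name (report.docx -> report_final.docx) does not count.
    """
    if not new.startswith(old):
        return None
    suffix = new[len(old):]
    if len(suffix) < 2 or suffix[0] != "." or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def extension_stats(lines):
    """Map appended extension -> {"files": {old paths}, "processes": {renamers}}."""
    stats = defaultdict(lambda: {"files": set(), "processes": set()})
    for line in lines:
        parsed = parse_rename(line)
        if parsed is None:
            continue
        old, new, proc = parsed
        ext = appended_extension(old, new)
        if ext is not None:
            stats[ext]["files"].add(old)
            stats[ext]["processes"].add(proc)
    return dict(stats)


def suspicious_extensions(lines, min_files: int = 3):
    """Extensions appended to at least min_files distinct files.

    One such rename is normal; the same suffix on many user files in one
    run is the encryption signature. min_files is the tuning knob.
    """
    return {ext: s for ext, s in extension_stats(lines).items()
            if len(s["files"]) >= min_files}


if __name__ == "__main__":
    for ext, s in suspicious_extensions(IOC_LINES).items():
        print(f"{ext}: {len(s['files'])} files renamed by {', '.join(sorted(s['processes']))}")
        for path in sorted(s["files"]):
            print("   ", path)
```

The same grouping works on live telemetry (for example a rename event that carries old and new path and the acting process): keying on the appended suffix rather than on a fixed extension list catches a new family the first time it runs, while the per-process set shows whether one binary did all the renaming, as the sample does here.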
Processes

C:\Users\Admin\AppData\Local\Temp\63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe (PID 1612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 1748)
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe (PID 844)
          Command line: vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies
    C:\Windows\System32\cmd.exe (PID 1084)
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe (PID 1528)
          Command line: vssadmin.exe delete shadows /all /quiet
          - Interacts with shadow copies

C:\Windows\system32\vssvc.exe (PID 816)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
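The process tree is the detection-relevant part of this report: a binary running from a user-writable Temp directory twice launches cmd.exe /c vssadmin.exe delete shadows /all /quiet. The script below is an added example, not code from the report or from any sandbox; it replays constructed process-creation events shaped like Sysmon Event ID 1 or Security 4688 records, flags the shadow-copy deletion on the process that actually executes it, and walks the parent chain back to the root. PIDs, images and command lines are copied from the tree above; the parent PIDs of the two roots (1000 and 4), the benign "vssadmin.exe list shadows" event and the wmic shadowcopy delete pattern (the equivalent WMI route, included as a generalisation of what this sample does) are assumptions for the example.

```python
"""Flag shadow-copy deletion and walk the spawning chain back to its root.

Added example, not part of the sandbox report.
"""
import re
from dataclasses import dataclass

SAMPLE = "63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed input. PIDs 1612/1748/844/1084/1528/816 and the command lines
# come from the report; PPIDs 1000, 4 and 1900 and the final benign
# "list shadows" event are assumed for the example.
EVENTS = [
    ProcEvent(1612, 1000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(1748, 1612, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    ProcEvent(844, 1748, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(1084, 1612, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    ProcEvent(1528, 1084, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(816, 4, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(2000, 1900, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe list shadows"),
]

# "vssadmin delete shadows" is what this sample runs; "wmic shadowcopy delete"
# is the equivalent WMI route, added as a generalisation.
_SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"
    r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    re.IGNORECASE,
)
_EXECUTORS = {"vssadmin.exe", "wmic.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_shadow_deletion(cmdline: str) -> bool:
    return _SHADOW_DELETE.search(cmdline) is not None


def ancestry(pid: int, by_pid: dict) -> list:
    """[(pid, image basename), ...] from the process up to its oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append((ev.pid, basename(ev.image)))
        pid = ev.ppid
    return chain


def detect(events) -> list:
    """One finding per vssadmin/wmic process that deletes shadow copies.

    Matching on the executor rather than on the cmd.exe wrapper (whose
    command line contains the same string) avoids counting each deletion twice.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in _EXECUTORS or not is_shadow_deletion(ev.cmdline):
            continue
        chain = ancestry(ev.pid, by_pid)
        root_image = by_pid[chain[-1][0]].image.lower()
        findings.append({
            "pid": ev.pid,
            "cmdline": ev.cmdline,
            "chain": chain,
            # A root under C:\Users\ is the strongest signal: backup agents
            # and admin consoles do not run from there.
            "root_in_user_path": "\\users\\" in root_image,
        })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        path = " <- ".join(f"{name}({pid})" for pid, name in f["chain"])
        print(f"PID {f['pid']}: {f['cmdline']!r}\n   chain: {path}"
              f"\n   root in user path: {f['root_in_user_path']}")
```

Two caveats for production use: the executor check keys on the image basename, so a copied or renamed vssadmin.exe needs a check on the PE's OriginalFileName or hash instead, and the vssvc.exe start seen in the tree is the service answering the request, so it should not be treated as a second actor.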