Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-01-2022 15:42

Static task: static1

Behavioral task: behavioral1
- Sample: a07ad47b052c812a2c2da5b1787855f4.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: a07ad47b052c812a2c2da5b1787855f4.exe
- Resource: win10-en-20211208

General
- Target: a07ad47b052c812a2c2da5b1787855f4.exe
- Size: 28KB
- MD5: a07ad47b052c812a2c2da5b1787855f4
- SHA1: bafda67a9dd19795584ed8679d3a0e5b36d2432a
- SHA256: a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800
- SHA512: f0f3cfd9ecc6e5945fed89b953018460617986c4e0a3548dae07736014cd2d8f63ca1d20ea0b62606dd41c7b5bf3ea33e18f9ba66fe1531dde24f4652df03406
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    1012  vssadmin.exe
- Modifies registry class (4 IoCs)
  Processes:
    description      ioc                                                                                                              process
    Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings                             rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache   rundll32.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.exe                                                                          cmd.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "ENCRYPTEDFILE"                                                       cmd.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    2044  AcroRd32.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes:
    description                           pid   process
    Token: SeBackupPrivilege              1784  vssvc.exe
    Token: SeRestorePrivilege             1784  vssvc.exe
    Token: SeAuditPrivilege               1784  vssvc.exe
    Token: SeIncreaseQuotaPrivilege       964   WMIC.exe
    Token: SeSecurityPrivilege            964   WMIC.exe
    Token: SeTakeOwnershipPrivilege       964   WMIC.exe
    Token: SeLoadDriverPrivilege          964   WMIC.exe
    Token: SeSystemProfilePrivilege       964   WMIC.exe
    Token: SeSystemtimePrivilege          964   WMIC.exe
    Token: SeProfSingleProcessPrivilege   964   WMIC.exe
    Token: SeIncBasePriorityPrivilege     964   WMIC.exe
    Token: SeCreatePagefilePrivilege      964   WMIC.exe
    Token: SeBackupPrivilege              964   WMIC.exe
    Token: SeRestorePrivilege             964   WMIC.exe
    Token: SeShutdownPrivilege            964   WMIC.exe
    Token: SeDebugPrivilege               964   WMIC.exe
    Token: SeSystemEnvironmentPrivilege   964   WMIC.exe
    Token: SeRemoteShutdownPrivilege      964   WMIC.exe
    Token: SeUndockPrivilege              964   WMIC.exe
    Token: SeManageVolumePrivilege        964   WMIC.exe
    Token: 33                             964   WMIC.exe
    Token: 34                             964   WMIC.exe
    Token: 35                             964   WMIC.exe
    Token: SeIncreaseQuotaPrivilege       964   WMIC.exe
    Token: SeSecurityPrivilege            964   WMIC.exe
    Token: SeTakeOwnershipPrivilege       964   WMIC.exe
    Token: SeLoadDriverPrivilege          964   WMIC.exe
    Token: SeSystemProfilePrivilege       964   WMIC.exe
    Token: SeSystemtimePrivilege          964   WMIC.exe
    Token: SeProfSingleProcessPrivilege   964   WMIC.exe
    Token: SeIncBasePriorityPrivilege     964   WMIC.exe
    Token: SeCreatePagefilePrivilege      964   WMIC.exe
    Token: SeBackupPrivilege              964   WMIC.exe
    Token: SeRestorePrivilege             964   WMIC.exe
    Token: SeShutdownPrivilege            964   WMIC.exe
    Token: SeDebugPrivilege               964   WMIC.exe
    Token: SeSystemEnvironmentPrivilege   964   WMIC.exe
    Token: SeRemoteShutdownPrivilege      964   WMIC.exe
    Token: SeUndockPrivilege              964   WMIC.exe
    Token: SeManageVolumePrivilege        964   WMIC.exe
    Token: 33                             964   WMIC.exe
    Token: 34                             964   WMIC.exe
    Token: 35                             964   WMIC.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid   process
    2044  AcroRd32.exe
    2044  AcroRd32.exe
    2044  AcroRd32.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes:
    description                          pid   process                                   target process
    PID 740 wrote to memory of 468       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 468       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 468       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 468       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 468 wrote to memory of 1012      468   cmd.exe                                   vssadmin.exe
    PID 468 wrote to memory of 1012      468   cmd.exe                                   vssadmin.exe
    PID 468 wrote to memory of 1012      468   cmd.exe                                   vssadmin.exe
    PID 468 wrote to memory of 1012      468   cmd.exe                                   vssadmin.exe
    PID 468 wrote to memory of 964       468   cmd.exe                                   WMIC.exe
    PID 468 wrote to memory of 964       468   cmd.exe                                   WMIC.exe
    PID 468 wrote to memory of 964       468   cmd.exe                                   WMIC.exe
    PID 468 wrote to memory of 964       468   cmd.exe                                   WMIC.exe
    PID 740 wrote to memory of 1524      740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 1524      740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 1524      740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 1524      740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 788       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 788       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 788       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 788       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 992       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 992       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 992       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 992       740   a07ad47b052c812a2c2da5b1787855f4.exe      cmd.exe
    PID 740 wrote to memory of 2032      740   a07ad47b052c812a2c2da5b1787855f4.exe      rundll32.exe
    PID 740 wrote to memory of 2032      740   a07ad47b052c812a2c2da5b1787855f4.exe      rundll32.exe
    PID 740 wrote to memory of 2032      740   a07ad47b052c812a2c2da5b1787855f4.exe      rundll32.exe
    PID 740 wrote to memory of 2032      740   a07ad47b052c812a2c2da5b1787855f4.exe      rundll32.exe
    PID 740 wrote to memory of 2032      740   a07ad47b052c812a2c2da5b1787855f4.exe      rundll32.exe
    PID 740 wrote to memory of 2032      740   a07ad47b052c812a2c2da5b1787855f4.exe      rundll32.exe
    PID 740 wrote to memory of 2032      740   a07ad47b052c812a2c2da5b1787855f4.exe      rundll32.exe
    PID 2032 wrote to memory of 1100     2032  rundll32.exe                              AcroRd32.exe
    PID 2032 wrote to memory of 1100     2032  rundll32.exe                              AcroRd32.exe
    PID 2032 wrote to memory of 1100     2032  rundll32.exe                              AcroRd32.exe
    PID 2032 wrote to memory of 1100     2032  rundll32.exe                              AcroRd32.exe
    PID 740 wrote to memory of 2044      740   a07ad47b052c812a2c2da5b1787855f4.exe      AcroRd32.exe
    PID 740 wrote to memory of 2044      740   a07ad47b052c812a2c2da5b1787855f4.exe      AcroRd32.exe
    PID 740 wrote to memory of 2044      740   a07ad47b052c812a2c2da5b1787855f4.exe      AcroRd32.exe
    PID 740 wrote to memory of 2044      740   a07ad47b052c812a2c2da5b1787855f4.exe      AcroRd32.exe
Processes (indentation shows the process tree; signatures are listed under the process that triggered them)
- C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe"
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
        - C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C assoc .exe=ENCRYPTEDFILE
      - Modifies registry class
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\cmd.exe
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\System32\cmd.exe"
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\System32\cmd.exe"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6