a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800

General

Target

a07ad47b052c812a2c2da5b1787855f4.exe
Size

28KB
MD5

a07ad47b052c812a2c2da5b1787855f4
SHA1

bafda67a9dd19795584ed8679d3a0e5b36d2432a
SHA256

a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800
SHA512

f0f3cfd9ecc6e5945fed89b953018460617986c4e0a3548dae07736014cd2d8f63ca1d20ea0b62606dd41c7b5bf3ea33e18f9ba66fe1531dde24f4652df03406

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1012 vssadmin.exe

pid	process
1012	vssadmin.exe

Modifies registry class 4 IoCs

Processes:

rundll32.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "ENCRYPTEDFILE"	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2044 AcroRd32.exe

pid	process
2044	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1784	vssvc.exe
Token: SeRestorePrivilege	1784	vssvc.exe
Token: SeAuditPrivilege	1784	vssvc.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2044 AcroRd32.exe
2044 AcroRd32.exe
2044 AcroRd32.exe

pid	process
2044	AcroRd32.exe
2044	AcroRd32.exe
2044	AcroRd32.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

a07ad47b052c812a2c2da5b1787855f4.execmd.exerundll32.exe

description	pid	process	target process
PID 740 wrote to memory of 468	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 468	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 468	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 468	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 468 wrote to memory of 1012	468	cmd.exe	vssadmin.exe
PID 468 wrote to memory of 1012	468	cmd.exe	vssadmin.exe
PID 468 wrote to memory of 1012	468	cmd.exe	vssadmin.exe
PID 468 wrote to memory of 1012	468	cmd.exe	vssadmin.exe
PID 468 wrote to memory of 964	468	cmd.exe	WMIC.exe
PID 468 wrote to memory of 964	468	cmd.exe	WMIC.exe
PID 468 wrote to memory of 964	468	cmd.exe	WMIC.exe
PID 468 wrote to memory of 964	468	cmd.exe	WMIC.exe
PID 740 wrote to memory of 1524	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 1524	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 1524	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 1524	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 788	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 788	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 788	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 788	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 992	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 992	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 992	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 992	740	a07ad47b052c812a2c2da5b1787855f4.exe	cmd.exe
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	rundll32.exe
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	rundll32.exe
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	rundll32.exe
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	rundll32.exe
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	rundll32.exe
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	rundll32.exe
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	rundll32.exe
PID 2032 wrote to memory of 1100	2032	rundll32.exe	AcroRd32.exe
PID 2032 wrote to memory of 1100	2032	rundll32.exe	AcroRd32.exe
PID 2032 wrote to memory of 1100	2032	rundll32.exe	AcroRd32.exe
PID 2032 wrote to memory of 1100	2032	rundll32.exe	AcroRd32.exe
PID 740 wrote to memory of 2044	740	a07ad47b052c812a2c2da5b1787855f4.exe	AcroRd32.exe
PID 740 wrote to memory of 2044	740	a07ad47b052c812a2c2da5b1787855f4.exe	AcroRd32.exe
PID 740 wrote to memory of 2044	740	a07ad47b052c812a2c2da5b1787855f4.exe	AcroRd32.exe
PID 740 wrote to memory of 2044	740	a07ad47b052c812a2c2da5b1787855f4.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe
"C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1012

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
2⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C assoc .exe=ENCRYPTEDFILE
2⤵
- Modifies registry class
PID:992

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\cmd.exe
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\System32\cmd.exe"
3⤵
PID:1100

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\System32\cmd.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-58-0x0000000000000000-mapping.dmp

Download
memory/740-56-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/740-57-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/740-55-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/788-62-0x0000000000000000-mapping.dmp

Download
memory/964-60-0x0000000000000000-mapping.dmp

Download
memory/992-64-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/992-63-0x0000000000000000-mapping.dmp

Download
memory/1012-59-0x0000000000000000-mapping.dmp

Download
memory/1100-67-0x0000000000000000-mapping.dmp

Download
memory/1524-61-0x0000000000000000-mapping.dmp

Download
memory/2032-65-0x0000000000000000-mapping.dmp

Download
memory/2044-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads