a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/01/2022, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a07ad47b052c812a2c2da5b1787855f4.exe
Size

28KB
MD5

a07ad47b052c812a2c2da5b1787855f4
SHA1

bafda67a9dd19795584ed8679d3a0e5b36d2432a
SHA256

a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800
SHA512

f0f3cfd9ecc6e5945fed89b953018460617986c4e0a3548dae07736014cd2d8f63ca1d20ea0b62606dd41c7b5bf3ea33e18f9ba66fe1531dde24f4652df03406

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1012	vssadmin.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "ENCRYPTEDFILE"	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2044	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeBackupPrivilege	1784	vssvc.exe
Token: SeRestorePrivilege	1784	vssvc.exe
Token: SeAuditPrivilege	1784	vssvc.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2044	AcroRd32.exe
2044	AcroRd32.exe
2044	AcroRd32.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 468	740	a07ad47b052c812a2c2da5b1787855f4.exe	27
PID 740 wrote to memory of 468	740	a07ad47b052c812a2c2da5b1787855f4.exe	27
PID 740 wrote to memory of 468	740	a07ad47b052c812a2c2da5b1787855f4.exe	27
PID 740 wrote to memory of 468	740	a07ad47b052c812a2c2da5b1787855f4.exe	27
PID 468 wrote to memory of 1012	468	cmd.exe	29
PID 468 wrote to memory of 1012	468	cmd.exe	29
PID 468 wrote to memory of 1012	468	cmd.exe	29
PID 468 wrote to memory of 1012	468	cmd.exe	29
PID 468 wrote to memory of 964	468	cmd.exe	31
PID 468 wrote to memory of 964	468	cmd.exe	31
PID 468 wrote to memory of 964	468	cmd.exe	31
PID 468 wrote to memory of 964	468	cmd.exe	31
PID 740 wrote to memory of 1524	740	a07ad47b052c812a2c2da5b1787855f4.exe	33
PID 740 wrote to memory of 1524	740	a07ad47b052c812a2c2da5b1787855f4.exe	33
PID 740 wrote to memory of 1524	740	a07ad47b052c812a2c2da5b1787855f4.exe	33
PID 740 wrote to memory of 1524	740	a07ad47b052c812a2c2da5b1787855f4.exe	33
PID 740 wrote to memory of 788	740	a07ad47b052c812a2c2da5b1787855f4.exe	35
PID 740 wrote to memory of 788	740	a07ad47b052c812a2c2da5b1787855f4.exe	35
PID 740 wrote to memory of 788	740	a07ad47b052c812a2c2da5b1787855f4.exe	35
PID 740 wrote to memory of 788	740	a07ad47b052c812a2c2da5b1787855f4.exe	35
PID 740 wrote to memory of 992	740	a07ad47b052c812a2c2da5b1787855f4.exe	37
PID 740 wrote to memory of 992	740	a07ad47b052c812a2c2da5b1787855f4.exe	37
PID 740 wrote to memory of 992	740	a07ad47b052c812a2c2da5b1787855f4.exe	37
PID 740 wrote to memory of 992	740	a07ad47b052c812a2c2da5b1787855f4.exe	37
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	39
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	39
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	39
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	39
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	39
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	39
PID 740 wrote to memory of 2032	740	a07ad47b052c812a2c2da5b1787855f4.exe	39
PID 2032 wrote to memory of 1100	2032	rundll32.exe	41
PID 2032 wrote to memory of 1100	2032	rundll32.exe	41
PID 2032 wrote to memory of 1100	2032	rundll32.exe	41
PID 2032 wrote to memory of 1100	2032	rundll32.exe	41
PID 740 wrote to memory of 2044	740	a07ad47b052c812a2c2da5b1787855f4.exe	42
PID 740 wrote to memory of 2044	740	a07ad47b052c812a2c2da5b1787855f4.exe	42
PID 740 wrote to memory of 2044	740	a07ad47b052c812a2c2da5b1787855f4.exe	42
PID 740 wrote to memory of 2044	740	a07ad47b052c812a2c2da5b1787855f4.exe	42

C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe
"C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1012
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C assoc .exe=ENCRYPTEDFILE
  2⤵
  - Modifies registry class
  PID:992
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\cmd.exe
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\System32\cmd.exe"
    3⤵
    PID:1100
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact