Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 01-01-2022 15:42

Static task: static1

Behavioral task: behavioral1
- Sample: a07ad47b052c812a2c2da5b1787855f4.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: a07ad47b052c812a2c2da5b1787855f4.exe
- Resource: win10-en-20211208

General
- Target: a07ad47b052c812a2c2da5b1787855f4.exe
- Size: 28KB
- MD5: a07ad47b052c812a2c2da5b1787855f4
- SHA1: bafda67a9dd19795584ed8679d3a0e5b36d2432a
- SHA256: a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800
- SHA512: f0f3cfd9ecc6e5945fed89b953018460617986c4e0a3548dae07736014cd2d8f63ca1d20ea0b62606dd41c7b5bf3ea33e18f9ba66fe1531dde24f4652df03406
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops desktop.ini file(s) (1 IoC)
  Processes: a07ad47b052c812a2c2da5b1787855f4.exe
  description | ioc | process
  File created | C:\Users\Admin\Desktop\desktop.ini | a07ad47b052c812a2c2da5b1787855f4.exe
- Drops file in Windows directory (1 IoC)
  Processes: a07ad47b052c812a2c2da5b1787855f4.exe
  description | ioc | process
  File created | C:\Windows\Fonts\8514fix.fon | a07ad47b052c812a2c2da5b1787855f4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2068 | 2656 | WerFault.exe | a07ad47b052c812a2c2da5b1787855f4.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1184 | vssadmin.exe
- Modifies registry class (4 IoCs)
  Processes: a07ad47b052c812a2c2da5b1787855f4.exe, OpenWith.exe, cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | a07ad47b052c812a2c2da5b1787855f4.exe
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "ENCRYPTEDFILE" | cmd.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: WerFault.exe
  pid | process
  2068 | WerFault.exe (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: vssvc.exe, WMIC.exe, WerFault.exe
  description | pid | process
  Token: SeBackupPrivilege | 1992 | vssvc.exe
  Token: SeRestorePrivilege | 1992 | vssvc.exe
  Token: SeAuditPrivilege | 1992 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 760 | WMIC.exe
  Token: SeSecurityPrivilege | 760 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 760 | WMIC.exe
  Token: SeLoadDriverPrivilege | 760 | WMIC.exe
  Token: SeSystemProfilePrivilege | 760 | WMIC.exe
  Token: SeSystemtimePrivilege | 760 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 760 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 760 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 760 | WMIC.exe
  Token: SeBackupPrivilege | 760 | WMIC.exe
  Token: SeRestorePrivilege | 760 | WMIC.exe
  Token: SeShutdownPrivilege | 760 | WMIC.exe
  Token: SeDebugPrivilege | 760 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 760 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 760 | WMIC.exe
  Token: SeUndockPrivilege | 760 | WMIC.exe
  Token: SeManageVolumePrivilege | 760 | WMIC.exe
  Token: 33 | 760 | WMIC.exe
  Token: 34 | 760 | WMIC.exe
  Token: 35 | 760 | WMIC.exe
  Token: 36 | 760 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 760 | WMIC.exe
  Token: SeSecurityPrivilege | 760 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 760 | WMIC.exe
  Token: SeLoadDriverPrivilege | 760 | WMIC.exe
  Token: SeSystemProfilePrivilege | 760 | WMIC.exe
  Token: SeSystemtimePrivilege | 760 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 760 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 760 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 760 | WMIC.exe
  Token: SeBackupPrivilege | 760 | WMIC.exe
  Token: SeRestorePrivilege | 760 | WMIC.exe
  Token: SeShutdownPrivilege | 760 | WMIC.exe
  Token: SeDebugPrivilege | 760 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 760 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 760 | WMIC.exe
  Token: SeUndockPrivilege | 760 | WMIC.exe
  Token: SeManageVolumePrivilege | 760 | WMIC.exe
  Token: 33 | 760 | WMIC.exe
  Token: 34 | 760 | WMIC.exe
  Token: 35 | 760 | WMIC.exe
  Token: 36 | 760 | WMIC.exe
  Token: SeRestorePrivilege | 2068 | WerFault.exe
  Token: SeBackupPrivilege | 2068 | WerFault.exe
  Token: SeDebugPrivilege | 2068 | WerFault.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: OpenWith.exe
  pid | process
  372 | OpenWith.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: a07ad47b052c812a2c2da5b1787855f4.exe, cmd.exe
  description | pid | process | target process
  PID 2656 wrote to memory of 4060 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 4060 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 4060 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 4060 wrote to memory of 1184 | 4060 | cmd.exe | vssadmin.exe
  PID 4060 wrote to memory of 1184 | 4060 | cmd.exe | vssadmin.exe
  PID 4060 wrote to memory of 1184 | 4060 | cmd.exe | vssadmin.exe
  PID 4060 wrote to memory of 760 | 4060 | cmd.exe | WMIC.exe
  PID 4060 wrote to memory of 760 | 4060 | cmd.exe | WMIC.exe
  PID 4060 wrote to memory of 760 | 4060 | cmd.exe | WMIC.exe
  PID 2656 wrote to memory of 3996 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 3996 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 3996 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 2660 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 2660 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 2660 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 676 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 676 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
  PID 2656 wrote to memory of 676 | 2656 | a07ad47b052c812a2c2da5b1787855f4.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe"
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C assoc .exe=ENCRYPTEDFILE
    - Modifies registry class
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1664
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Downloads
- memory/676-126-0x0000000000000000-mapping.dmp
- memory/760-123-0x0000000000000000-mapping.dmp
- memory/1184-122-0x0000000000000000-mapping.dmp
- memory/2656-115-0x0000000000970000-0x000000000097E000-memory.dmp (Filesize: 56KB)
- memory/2656-116-0x0000000000970000-0x000000000097E000-memory.dmp (Filesize: 56KB)
- memory/2656-117-0x00000000058D0000-0x0000000005DCE000-memory.dmp (Filesize: 5.0MB)
- memory/2656-118-0x0000000005320000-0x00000000053B2000-memory.dmp (Filesize: 584KB)
- memory/2656-119-0x00000000052F0000-0x00000000052FA000-memory.dmp (Filesize: 40KB)
- memory/2656-120-0x00000000053D0000-0x00000000058CE000-memory.dmp (Filesize: 5.0MB)
- memory/2660-125-0x0000000000000000-mapping.dmp
- memory/3996-124-0x0000000000000000-mapping.dmp
- memory/4060-121-0x0000000000000000-mapping.dmp