a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800

Analysis

max time kernel
121s
max time network
122s
platform
windows10_x64
resource
win10-en-20211208
submitted
01/01/2022, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a07ad47b052c812a2c2da5b1787855f4.exe
Size

28KB
MD5

a07ad47b052c812a2c2da5b1787855f4
SHA1

bafda67a9dd19795584ed8679d3a0e5b36d2432a
SHA256

a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800
SHA512

f0f3cfd9ecc6e5945fed89b953018460617986c4e0a3548dae07736014cd2d8f63ca1d20ea0b62606dd41c7b5bf3ea33e18f9ba66fe1531dde24f4652df03406

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\desktop.ini	a07ad47b052c812a2c2da5b1787855f4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\8514fix.fon	a07ad47b052c812a2c2da5b1787855f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2068	2656	WerFault.exe	68

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1184	vssadmin.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	a07ad47b052c812a2c2da5b1787855f4.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "ENCRYPTEDFILE"	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeBackupPrivilege	1992	vssvc.exe
Token: SeRestorePrivilege	1992	vssvc.exe
Token: SeAuditPrivilege	1992	vssvc.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeRestorePrivilege	2068	WerFault.exe
Token: SeBackupPrivilege	2068	WerFault.exe
Token: SeDebugPrivilege	2068	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
372	OpenWith.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4060	2656	a07ad47b052c812a2c2da5b1787855f4.exe	69
PID 2656 wrote to memory of 4060	2656	a07ad47b052c812a2c2da5b1787855f4.exe	69
PID 2656 wrote to memory of 4060	2656	a07ad47b052c812a2c2da5b1787855f4.exe	69
PID 4060 wrote to memory of 1184	4060	cmd.exe	71
PID 4060 wrote to memory of 1184	4060	cmd.exe	71
PID 4060 wrote to memory of 1184	4060	cmd.exe	71
PID 4060 wrote to memory of 760	4060	cmd.exe	73
PID 4060 wrote to memory of 760	4060	cmd.exe	73
PID 4060 wrote to memory of 760	4060	cmd.exe	73
PID 2656 wrote to memory of 3996	2656	a07ad47b052c812a2c2da5b1787855f4.exe	75
PID 2656 wrote to memory of 3996	2656	a07ad47b052c812a2c2da5b1787855f4.exe	75
PID 2656 wrote to memory of 3996	2656	a07ad47b052c812a2c2da5b1787855f4.exe	75
PID 2656 wrote to memory of 2660	2656	a07ad47b052c812a2c2da5b1787855f4.exe	77
PID 2656 wrote to memory of 2660	2656	a07ad47b052c812a2c2da5b1787855f4.exe	77
PID 2656 wrote to memory of 2660	2656	a07ad47b052c812a2c2da5b1787855f4.exe	77
PID 2656 wrote to memory of 676	2656	a07ad47b052c812a2c2da5b1787855f4.exe	79
PID 2656 wrote to memory of 676	2656	a07ad47b052c812a2c2da5b1787855f4.exe	79
PID 2656 wrote to memory of 676	2656	a07ad47b052c812a2c2da5b1787855f4.exe	79

C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe
"C:\Users\Admin\AppData\Local\Temp\a07ad47b052c812a2c2da5b1787855f4.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1184
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  PID:3996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C assoc .exe=ENCRYPTEDFILE
  2⤵
  - Modifies registry class
  PID:676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1664
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2656-115-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/2656-116-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/2656-117-0x00000000058D0000-0x0000000005DCE000-memory.dmp

Filesize
5.0MB

Download
memory/2656-118-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/2656-119-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/2656-120-0x00000000053D0000-0x00000000058CE000-memory.dmp

Filesize
5.0MB

Download