Analysis
- max time kernel: 117s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:58
Static task: static1
Behavioral task: behavioral1
  Sample: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
  Resource: win10-en-20211208
General
- Target: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
- Size: 164KB
- MD5: a516f397c9082f002550effe26f31628
- SHA1: 806784793ead7a2dadf85c257398d27a502e829a
- SHA256: d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3
- SHA512: 874901ef785aaf38586633c3f1968b33522f5e79dfd542b571bd720f63b954823b39aba9d4ffb4ee11657d8befc10eed06cc297fa9e05dc0fe9ec31366eaf812
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
    File opened (read-only), one IoC per volume root, in the order recorded:
    \??\P:, \??\R:, \??\V:, \??\G:, \??\K:, \??\O:, \??\M:, \??\S:, \??\T:, \??\W:, \??\X:, \??\A:,
    \??\B:, \??\F:, \??\Y:, \??\Z:, \??\N:, \??\Q:, \??\H:, \??\J:, \??\L:, \??\E:, \??\I:, \??\U:
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    1028  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    852   d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
    852   d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeBackupPrivilege    3056  vssvc.exe
    Token: SeRestorePrivilege   3056  vssvc.exe
    Token: SeAuditPrivilege     3056  vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      pid   process                                                                   target process
    PID 852 wrote to memory of 640   852   d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe     cmd.exe
    PID 852 wrote to memory of 640   852   d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe     cmd.exe
    PID 852 wrote to memory of 640   852   d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe     cmd.exe
    PID 640 wrote to memory of 1028  640   cmd.exe                                                                   vssadmin.exe
    PID 640 wrote to memory of 1028  640   cmd.exe                                                                   vssadmin.exe
    PID 640 wrote to memory of 1028  640   cmd.exe                                                                   vssadmin.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe (PID 852)
  command line: "C:\Users\Admin\AppData\Local\Temp\d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe"
  signatures: Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 640)
    command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe (PID 1028)
      command line: vssadmin.exe Delete Shadows /All /Quiet
      signatures: Interacts with shadow copies
- [1] C:\Windows\system32\wbem\unsecapp.exe (PID 3836)
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- [1] C:\Windows\system32\vssvc.exe (PID 3056)
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
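The process tree above is the detection-relevant part of this report: the sample (PID 852) spawns cmd.exe (PID 640) with a one-liner that deletes all shadow copies and disables Windows recovery and boot-failure handling via bcdedit, and only the vssadmin.exe child (PID 1028) is recorded under cmd.exe. The cmd.exe image resolving to SysWOW64 while the command line names System32 is WoW64 file-system redirection, which tells you the sample ran as a 32-bit process. The following is an added example written for this page, not sandbox or sample code: it parses constructed process-creation events modelled on this tree (pipe-separated pid|ppid|image|command line; the parent PID 0 for the roots and the benign "vssadmin list shadows" event are made up), matches the recovery-inhibition commands seen here plus two other common variants (wmic shadowcopy delete, wbadmin delete catalog) that go beyond this report, and reconstructs the spawn chain for each hit. Matching on the full cmd.exe command line is deliberate: it fires on the whole chain even when, as here, only the first command in it shows up as a child process.

```python
"""Flag ransomware-style recovery inhibition (ATT&CK T1490) in process events.

Added example; the event format and sample lines below are constructed, not
taken from any sandbox's native output.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Lowercased command-line patterns. The first three appear verbatim in the
# report's cmd.exe one-liner; the last two are other common T1490 variants
# added here for generality.
INHIBIT_RECOVERY_PATTERNS = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "bcdedit_recoveryenabled_no":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b"),
    "bcdedit_bootstatuspolicy_ignoreallfailures":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
    "wbadmin_delete_catalog":
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b"),
}

# Constructed events: pid|ppid|image|command line. PIDs, images and command
# lines of 852/640/1028/3836/3056 mirror the report's tree; ppid 0 means the
# parent was not recorded, and PID 5100 is a made-up benign admin command.
SAMPLE_EVENTS = r"""
852|0|C:\Users\Admin\AppData\Local\Temp\d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe|"C:\Users\Admin\AppData\Local\Temp\d48768e88cecdf0a5aea8862d748fb5be1a468da404a64b6a7fc9e94efd594e3.exe"
640|852|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
1028|640|C:\Windows\SysWOW64\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
3836|0|C:\Windows\system32\wbem\unsecapp.exe|C:\Windows\system32\wbem\unsecapp.exe -Embedding
3056|0|C:\Windows\system32\vssvc.exe|C:\Windows\system32\vssvc.exe
5100|0|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c vssadmin list shadows
"""

EVENT_RE = re.compile(r"^(\d+)\|(\d+)\|([^|]+)\|(.*)$")


def parse_events(text: str) -> list[ProcEvent]:
    """Parse pid|ppid|image|cmdline lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        pid, ppid, image, cmdline = m.groups()
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def match_recovery_inhibition(cmdline: str) -> list[str]:
    """Return the names of every T1490 pattern found in one command line."""
    lowered = cmdline.lower()
    return [name for name, rx in INHIBIT_RECOVERY_PATTERNS.items() if rx.search(lowered)]


def ancestry(events: list[ProcEvent], pid: int) -> list[ProcEvent]:
    """Walk ppid links from pid to the oldest recorded ancestor (root first)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:   # seen-set guards PID reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[dict]:
    """One alert per process whose command line matches, with its spawn chain."""
    alerts = []
    for e in events:
        hits = match_recovery_inhibition(e.cmdline)
        if hits:
            chain = [basename(a.image) for a in ancestry(events, e.pid)]
            alerts.append({"pid": e.pid, "image": basename(e.image),
                           "techniques": hits, "chain": chain})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(f"PID {alert['pid']:>5} {alert['image']:<14} "
              f"{', '.join(alert['techniques'])}  chain: {' -> '.join(alert['chain'])}")
```

Run against the constructed events this raises two alerts: cmd.exe (PID 640) with all three techniques from the one-liner, and vssadmin.exe (PID 1028) with the shadow-copy deletion, both with the chain rooted at the sample executable; the "vssadmin list shadows" event produces nothing. Legitimate backup tooling does run "vssadmin Delete Shadows" on occasion, so in production the parent chain is what separates an admin's console from a user-writable Temp directory executable like the one here.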