Analysis
- max time kernel: 177s
- max time network: 176s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:57
Static task: static1

Behavioral task: behavioral1
- Sample: 6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
- Resource: win10-en-20211208
General
- Target: 6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
- Size: 164KB
- MD5: 81e18adcd3a5e0b04b6e481ace819c4d
- SHA1: 100ca210bc67bc51b8671f0679c103a3769b8402
- SHA256: 6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed
- SHA512: 1309b195c753100d89a370687d87d8d352dd4355b1575e33af64c615c4f85df35d2749fa45c9667ae618db84efd247a687f42b3adca5061fdca6231d754a0ad8
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  description             ioc     process
  File opened (read-only) \??\F:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\M:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\N:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\P:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\R:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\W:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\A:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\K:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\O:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\Q:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\J:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\L:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\S:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\Y:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\B:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\E:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\H:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\I:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\X:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\Z:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\G:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\T:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\U:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  File opened (read-only) \??\V:  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid  process
  392  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  pid   process
  1204  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  1204  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description               pid   process
  Token: SeBackupPrivilege  2008  vssvc.exe
  Token: SeRestorePrivilege 2008  vssvc.exe
  Token: SeAuditPrivilege   2008  vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe, cmd.exe
  description                    pid   process                                                                  target process
  PID 1204 wrote to memory of 3900  1204  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe  cmd.exe
  PID 1204 wrote to memory of 3900  1204  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe  cmd.exe
  PID 1204 wrote to memory of 3900  1204  6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe  cmd.exe
  PID 3900 wrote to memory of 392   3900  cmd.exe                                                                  vssadmin.exe
  PID 3900 wrote to memory of 392   3900  cmd.exe                                                                  vssadmin.exe
  PID 3900 wrote to memory of 392   3900  cmd.exe                                                                  vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6007d53e43e65fa9639c92f30158b8d1e810e0f0c691a412a2030e4748e29aed.exe"
  Signatures:
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      Signatures:
      - Interacts with shadow copies
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken