Analysis
Max time kernel: 155s
Max time network: 140s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 11-02-2022 06:24
Static task: static1
Behavioral task: behavioral1
  Sample: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe
  Resource: win10v2004-en-20220113
General
Target: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe
Size: 110KB
MD5: f3443f0a0582171901df76c68c12c11d
SHA1: 70e06b78060b8dc09946080dbdd83a2811acff3b
SHA256: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3
SHA512: 14e3d4767b32079fe416cf74c04aa0b3dc5663ceddbb03fb727f9f1b99e9398d0d8c25bd4f8db358284c923d587db42ead3ca2cdb93183991c988198f79c53d7
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe
    File renamed: C:\Users\Admin\Pictures\ExpandUnlock.crw => C:\Users\Admin\Pictures\ExpandUnlock.crw.707
    File renamed: C:\Users\Admin\Pictures\SetExit.crw => C:\Users\Admin\Pictures\SetExit.crw.707
    File renamed: C:\Users\Admin\Pictures\TestConfirm.tif => C:\Users\Admin\Pictures\TestConfirm.tif.707
    File renamed: C:\Users\Admin\Pictures\UpdateUninstall.tif => C:\Users\Admin\Pictures\UpdateUninstall.tif.707
    File renamed: C:\Users\Admin\Pictures\BlockSkip.crw => C:\Users\Admin\Pictures\BlockSkip.crw.707
    File renamed: C:\Users\Admin\Pictures\BlockSync.png => C:\Users\Admin\Pictures\BlockSync.png.707
    File opened for modification: C:\Users\Admin\Pictures\GrantReceive.tiff
    File renamed: C:\Users\Admin\Pictures\GrantReceive.tiff => C:\Users\Admin\Pictures\GrantReceive.tiff.707
    File renamed: C:\Users\Admin\Pictures\MountLimit.png => C:\Users\Admin\Pictures\MountLimit.png.707
    File renamed: C:\Users\Admin\Pictures\UnprotectSubmit.crw => C:\Users\Admin\Pictures\UnprotectSubmit.crw.707
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe
    Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe"
- Drops desktop.ini file(s) (26 IoCs)
  Process: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe
    File opened for modification: C:\Users\Admin\Desktop\desktop.ini
    File opened for modification: C:\Users\Public\Recorded TV\Sample Media\desktop.ini
    File opened for modification: C:\Users\Public\Pictures\Sample Pictures\desktop.ini
    File opened for modification: C:\Users\Public\Music\desktop.ini
    File opened for modification: C:\Users\Public\Documents\desktop.ini
    File opened for modification: C:\Users\Admin\Searches\desktop.ini
    File opened for modification: C:\Users\Admin\Favorites\Links for United States\desktop.ini
    File opened for modification: C:\Users\Admin\Documents\desktop.ini
    File opened for modification: C:\Users\Public\Videos\Sample Videos\desktop.ini
    File opened for modification: C:\Users\Public\Downloads\desktop.ini
    File opened for modification: C:\Users\Admin\Saved Games\desktop.ini
    File opened for modification: C:\Users\Admin\Favorites\desktop.ini
    File opened for modification: C:\Users\Public\desktop.ini
    File opened for modification: C:\Users\Public\Recorded TV\desktop.ini
    File opened for modification: C:\Users\Public\Pictures\desktop.ini
    File opened for modification: C:\Users\Admin\Pictures\desktop.ini
    File opened for modification: C:\Users\Admin\Music\desktop.ini
    File opened for modification: C:\Users\Admin\Favorites\Links\desktop.ini
    File opened for modification: C:\Users\Admin\Contacts\desktop.ini
    File opened for modification: C:\Users\Public\Videos\desktop.ini
    File opened for modification: C:\Users\Public\Music\Sample Music\desktop.ini
    File opened for modification: C:\Users\Public\Libraries\desktop.ini
    File opened for modification: C:\Users\Public\Desktop\desktop.ini
    File opened for modification: C:\Users\Admin\Videos\desktop.ini
    File opened for modification: C:\Users\Admin\Links\desktop.ini
    File opened for modification: C:\Users\Admin\Downloads\desktop.ini
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (PID 812)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe (PID 1684)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Process: vssvc.exe (PID 1256)
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe, cmd.exe
  (source PID -> target PID, source process -> target process; each event was logged 4 times)
    PID 1684 wrote to memory of 1572: ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe -> cmd.exe (4 entries)
    PID 1572 wrote to memory of 812: cmd.exe -> vssadmin.exe (4 entries)
    PID 1572 wrote to memory of 824: cmd.exe -> reg.exe (4 entries)
    PID 1572 wrote to memory of 904: cmd.exe -> reg.exe (4 entries)
    PID 1572 wrote to memory of 788: cmd.exe -> reg.exe (4 entries)
    PID 1572 wrote to memory of 1764: cmd.exe -> attrib.exe (4 entries)
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes (tree; indentation shows parent/child relationship)
Process: C:\Users\Admin\AppData\Local\Temp\ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecd3b069ea23e7905a1d4c4eff4a649cabef85bd541735ed810ab87cbf0ee9a3.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Process: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\__t4605.tmp.bat
    - Suspicious use of WriteProcessMemory
    Process: C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    Process: C:\Windows\SysWOW64\reg.exe
      Command line: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    Process: C:\Windows\SysWOW64\reg.exe
      Command line: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    Process: C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    Process: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib Default.rdp -s -h
      - Views/modifies file attributes
Process: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\__t4605.tmp.bat
  MD5: 32d8f7a3d0c796cee45f64b63c1cca38
  SHA1: d58466430a2bba8641bd92c880557379e25b140c
  SHA256: 1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea
  SHA512: 288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698