Analysis
- max time kernel: 117s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 15-02-2022 08:35
Static task: static1

Behavioral task: behavioral1
- Sample: 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
- Resource: win10v2004-en-20220112
General
- Target: 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
- Size: 27KB
- MD5: 77b7e9ffa41774dd3b2947628ee4a6e1
- SHA1: 80cd3cda8a7794050d73a8c00e388b3ac27c2493
- SHA256: 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702
- SHA512: ac13223c483cca0404974487825f82e3390041bc6d4d3896fe4b97898c1542bb83d7324fd71a0af0caed031aee75a46df00f1605bf8363b5024f284476ec09a7
Malware Config
Extracted:
- C:\Users\Admin\Links\HELP_DECRYPT_YOUR_FILES.txt
- CCWhite@onionmail.org
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
  description  | ioc | process
  File renamed | C:\Users\Admin\Pictures\NewConnect.png => C:\Users\Admin\Pictures\NewConnect.png.cantopen | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
  File renamed | C:\Users\Admin\Pictures\RequestCopy.png => C:\Users\Admin\Pictures\RequestCopy.png.cantopen | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
  File renamed | C:\Users\Admin\Pictures\SyncRead.raw => C:\Users\Admin\Pictures\SyncRead.raw.cantopen | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid  | process
  1952 | vssadmin.exe
  272  | vssadmin.exe

- Modifies registry key (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description               | pid  | process
  Token: SeBackupPrivilege  | 1492 | vssvc.exe
  Token: SeRestorePrivilege | 1492 | vssvc.exe
  Token: SeAuditPrivilege   | 1492 | vssvc.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe, cmd.exe, cmd.exe, cmd.exe
  description                     | pid  | process | target process
  PID 804 wrote to memory of 368  | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 804 wrote to memory of 368  | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 804 wrote to memory of 368  | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 804 wrote to memory of 320  | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 804 wrote to memory of 320  | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 804 wrote to memory of 320  | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 320 wrote to memory of 272  | 320  | cmd.exe | vssadmin.exe
  PID 320 wrote to memory of 272  | 320  | cmd.exe | vssadmin.exe
  PID 320 wrote to memory of 272  | 320  | cmd.exe | vssadmin.exe
  PID 368 wrote to memory of 1116 | 368  | cmd.exe | reg.exe
  PID 368 wrote to memory of 1116 | 368  | cmd.exe | reg.exe
  PID 368 wrote to memory of 1116 | 368  | cmd.exe | reg.exe
  PID 804 wrote to memory of 1548 | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 804 wrote to memory of 1548 | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 804 wrote to memory of 1548 | 804  | 6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe | cmd.exe
  PID 1548 wrote to memory of 1952 | 1548 | cmd.exe | vssadmin.exe
  PID 1548 wrote to memory of 1952 | 1548 | cmd.exe | vssadmin.exe
  PID 1548 wrote to memory of 1952 | 1548 | cmd.exe | vssadmin.exe
Processes (process tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe"
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      - Modifies registry key

  - C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

  - C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken