686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f

General

Target

686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
Size

322KB
MD5

a3f4d926dd9e36327ff2e467a0a930bb
SHA1

08e865fb1cf421ce39a378221b4b452c868e6f18
SHA256

686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f
SHA512

016a361a6e74a144811c6d0a022a98987a142c88c974ae6c32f1bb510308cf6f549351e0dc08bcafd99d6270c8627898d5b960e9572cf9be6e5e70ad1e2e1532

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2360 created 4440	2360	svchost.exe	84

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3940	wbadmin.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe\""	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3932	vssadmin.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTcbPrivilege	2360	svchost.exe
Token: SeTcbPrivilege	2360	svchost.exe
Token: SeBackupPrivilege	1340	vssvc.exe
Token: SeRestorePrivilege	1340	vssvc.exe
Token: SeAuditPrivilege	1340	vssvc.exe
Token: SeBackupPrivilege	3652	wbengine.exe
Token: SeRestorePrivilege	3652	wbengine.exe
Token: SeSecurityPrivilege	3652	wbengine.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2668 wrote to memory of 4440	2668	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	84
PID 2360 wrote to memory of 5116	2360	svchost.exe	86
PID 2360 wrote to memory of 5116	2360	svchost.exe	86
PID 2360 wrote to memory of 5116	2360	svchost.exe	86
PID 2360 wrote to memory of 5116	2360	svchost.exe	86
PID 2360 wrote to memory of 5116	2360	svchost.exe	86
PID 2360 wrote to memory of 5116	2360	svchost.exe	86
PID 2360 wrote to memory of 5116	2360	svchost.exe	86
PID 4440 wrote to memory of 2032	4440	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	88
PID 4440 wrote to memory of 2032	4440	686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe	88
PID 2032 wrote to memory of 3932	2032	cmd.exe	89
PID 2032 wrote to memory of 3932	2032	cmd.exe	89
PID 2032 wrote to memory of 3940	2032	cmd.exe	93
PID 2032 wrote to memory of 3940	2032	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
"C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
  "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
    "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe" n4440
    3⤵
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe
      "C:\Users\Admin\AppData\Local\Temp\686b5240e5e503528cc5ac8d764883413a260716dd290f114a60af873ee6a65f.exe" n4440
      4⤵
      PID:4248
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3932
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:3940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\610352966

Filesize
57KB

MD5
79b711d13abb56db6b5797c7906c6bac

SHA1
454570cead3330add31d82a9e0e62e4e4b3d9be3

SHA256
5cc910a82fd4b87da24b1484d872a49130a8cc6dabfed1cc508308fa57795701

SHA512
2ccc6d9e59034566125b7854ae42c89f968e0af14667329fc22117d8f7a6fb6bb8de9977aec76dba69439e88e5d8ec7b1f25f2b5a8aa8e734589a4c4589d3ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5655.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjD206.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/4440-132-0x0000000000401000-0x0000000000407A00-memory.dmp

Filesize
26KB

Download
memory/4440-133-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads