1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a

Resubmissions

17/05/2022, 11:03

220517-m5xqaadeen 9

17/05/2022, 11:02

220517-m5frrsdedl 1

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17/05/2022, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quickbuck.exe
Size

3.0MB
MD5

5764e41fede27bf9c984242c2b7bfd33
SHA1

e5b4178bdebf7a59e97c56235cff472b18440359
SHA256

1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a
SHA512

a3610ca12b1ebfd0a618fae7c0e8f655d879156a0b850c4dd8e0e8827d6719f67ad5facad7496aac3adcafbf79f0195adb5ab62d900202f07ed4ec380e516379

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
688	WINWORD.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1124	1916	WerFault.exe	21

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4520	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
916	quickbuck.exe
916	quickbuck.exe
916	quickbuck.exe
916	quickbuck.exe
2408	quickbuck.exe
2408	quickbuck.exe
2408	quickbuck.exe
2408	quickbuck.exe
688	WINWORD.EXE
688	WINWORD.EXE
688	WINWORD.EXE
688	WINWORD.EXE
4100	quickbuck.exe
4100	quickbuck.exe
4100	quickbuck.exe
4100	quickbuck.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	820	vssvc.exe
Token: SeRestorePrivilege	820	vssvc.exe
Token: SeAuditPrivilege	820	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 2408	4404	cmd.exe	101
PID 4404 wrote to memory of 2408	4404	cmd.exe	101
PID 2408 wrote to memory of 688	2408	quickbuck.exe	102
PID 2408 wrote to memory of 688	2408	quickbuck.exe	102
PID 688 wrote to memory of 5096	688	WINWORD.EXE	103
PID 688 wrote to memory of 5096	688	WINWORD.EXE	103
PID 5096 wrote to memory of 4100	5096	cmd.exe	104
PID 5096 wrote to memory of 4100	5096	cmd.exe	104
PID 4100 wrote to memory of 4520	4100	quickbuck.exe	105
PID 4100 wrote to memory of 4520	4100	quickbuck.exe	105

C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
C:\Users\Admin\AppData\Local\Temp\quickbuck.exe run
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2952

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
  quickbuck.exe run
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE
    C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE stage quickbuck.exe run --disable-macro-simulation
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c "quickbuck.exe run --disable-macro-simulation"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
        
        quickbuck.exe run --disable-macro-simulation
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /for=norealvolume /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:4520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 1916 -ip 1916
1⤵
PID:4092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1916 -s 1940
1⤵
- Program crash
PID:1124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE

Filesize
3.0MB

MD5
5764e41fede27bf9c984242c2b7bfd33

SHA1
e5b4178bdebf7a59e97c56235cff472b18440359

SHA256
1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a

SHA512
a3610ca12b1ebfd0a618fae7c0e8f655d879156a0b850c4dd8e0e8827d6719f67ad5facad7496aac3adcafbf79f0195adb5ab62d900202f07ed4ec380e516379

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE

Filesize
3.0MB

MD5
5764e41fede27bf9c984242c2b7bfd33

SHA1
e5b4178bdebf7a59e97c56235cff472b18440359

SHA256
1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a

SHA512
a3610ca12b1ebfd0a618fae7c0e8f655d879156a0b850c4dd8e0e8827d6719f67ad5facad7496aac3adcafbf79f0195adb5ab62d900202f07ed4ec380e516379

Download Submit