00cfd74bda276fc285531388aa47ca54f2f91a913151210c7fe230cb10ac6293

General

Target

00cfd74bda276fc285531388aa47ca54f2f91a913151210c7fe230cb10ac6293.exe
Size

339KB
MD5

77026c261d89b144c50926276d7754db
SHA1

a545e8dd93814c4cf4b5dbaf979b32bf31081f9f
SHA256

00cfd74bda276fc285531388aa47ca54f2f91a913151210c7fe230cb10ac6293
SHA512

adf1ba9cd4a3877b884e6fbce0af00a5d2c2ce22bb3d84b579eb6e5ca53a6d1ba001b0b0d42d301e0288762b544cf64dd71b6aa1aedb2537cff4bb4a5804b906

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

C:\Users\Admin\AppData\Local\Temp\00cfd74bda276fc285531388aa47ca54f2f91a913151210c7fe230cb10ac6293.exe
"C:\Users\Admin\AppData\Local\Temp\00cfd74bda276fc285531388aa47ca54f2f91a913151210c7fe230cb10ac6293.exe"
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\00cfd74bda276fc285531388aa47ca54f2f91a913151210c7fe230cb10ac6293.exe
  "C:\Users\Admin\AppData\Local\Temp\00cfd74bda276fc285531388aa47ca54f2f91a913151210c7fe230cb10ac6293.exe"
  2⤵
  PID:1220
- - C:\Windows\hkkefqbqgggo.exe
    C:\Windows\hkkefqbqgggo.exe
    3⤵
    PID:1628
  - - C:\Windows\hkkefqbqgggo.exe
      C:\Windows\hkkefqbqgggo.exe
      4⤵
      PID:768
    - - C:\Windows\System32\wbem\WMIC.exe
        
        "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
        5⤵
        
        PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\00CFD7~1.EXE
    3⤵
    PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\hkkefqbqgggo.exe

Filesize
139KB

MD5
29f1db92bf0ccb6dabaf5c8b32d17cd2

SHA1
18d03d46b6817226ca0e6f9f76ee80a71ae0fbce

SHA256
0575616e12e18c98f19b3d1d4ab3c3c8ae5899d12feed7f5c81bb8879be87743

SHA512
2d8e985b99c05265f618da2a10fd292f88ce39f022748c31c2b7a6d2820a7db38e833b2d12c03ef49095526bb3a6b9b15d84fc0087aee661bb64ffca53700519

Download Submit
C:\Windows\hkkefqbqgggo.exe

Filesize
68KB

MD5
4d1942d4e59907ade130173729752c8e

SHA1
c35612450c42e49c8670a115761cbab5a453c488

SHA256
19e494d6c9052a4162f55661a6803adcf2b6766bea9fa4c4ed060c35bb788a9f

SHA512
c14a0666873a69bc65a82eed80bc2e6352bfc1e405956122fc55b21d1b3040c88f35de25c2d786884b6d98eebec7ba103ed22dd94079413a1e1f0afbfb75b630

Download Submit
C:\Windows\hkkefqbqgggo.exe

Filesize
93KB

MD5
2e1b7390d9312dc9bffc09a11e551a74

SHA1
deee2069f2d8ad4aa5a59994b00e2ab0a00bac9e

SHA256
ba865aadd3d3b1bc2987d04c8faf5f33715df363335ca9b0782f7600f0837cd7

SHA512
fc7a60de9260baad947cf0fa6a607161206b5ddc857c0e0c16d96f58bd7b898b88c46a8f57647b786f6fd11fc870414394a9175c083adc92b0f16f6b6d979159

Download Submit
memory/768-92-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/768-87-0x000000000040F03C-mapping.dmp

Download
memory/768-91-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1068-93-0x0000000000000000-mapping.dmp

Download
memory/1192-54-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/1220-56-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1220-69-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1220-60-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1220-70-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1220-62-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1220-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1220-63-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1220-68-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1220-65-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1220-66-0x000000000040F03C-mapping.dmp

Download
memory/1220-58-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1628-74-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1628-71-0x0000000000000000-mapping.dmp

Download
memory/1768-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing