Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-05-2022 15:45
Static task
static1
Behavioral task
behavioral1
Sample
ransomware.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ransomware.exe
Resource
win10v2004-20220414-en
General
-
Target
ransomware.exe
-
Size
117KB
-
MD5
bced4f87dbacf3f37886e2e08d933b11
-
SHA1
d685d1a46456d4c47099b1b25d4a84ec96dcd612
-
SHA256
cc1e56d32ad111cff31ecf7a53efeeaedfaa2d93ed5f85c8085b56be7643e01a
-
SHA512
410097c11a568194c5d121a8ea26184c0bf7a3a8fe3a53a27acca9013eac37b7a2da23747f3035d7d087314941755a6ecd514dd9416284e079dccf8a0448dfc8
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ransomware.exedescription ioc process File renamed C:\Users\Admin\Pictures\ProtectResolve.png => C:\Users\Admin\Pictures\ProtectResolve.png.ecrp ransomware.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ransomware.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation ransomware.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 5 IoCs
Processes:
ransomware.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ransomware.exe %1" ransomware.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.ecrp ransomware.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.ecrp\shell\open\command ransomware.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.ecrp\shell ransomware.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.ecrp\shell\open ransomware.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ransomware.exepid process 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe 2124 ransomware.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
ransomware.exevssvc.exedescription pid process Token: SeDebugPrivilege 2124 ransomware.exe Token: SeBackupPrivilege 864 vssvc.exe Token: SeRestorePrivilege 864 vssvc.exe Token: SeAuditPrivilege 864 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
ransomware.execmd.exedescription pid process target process PID 2124 wrote to memory of 2388 2124 ransomware.exe cmd.exe PID 2124 wrote to memory of 2388 2124 ransomware.exe cmd.exe PID 2124 wrote to memory of 2388 2124 ransomware.exe cmd.exe PID 2388 wrote to memory of 3128 2388 cmd.exe chcp.com PID 2388 wrote to memory of 3128 2388 cmd.exe chcp.com PID 2388 wrote to memory of 3128 2388 cmd.exe chcp.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomware.exe"C:\Users\Admin\AppData\Local\Temp\ransomware.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2124-130-0x0000000000210000-0x0000000000234000-memory.dmpFilesize
144KB
-
memory/2124-131-0x00000000051E0000-0x0000000005784000-memory.dmpFilesize
5.6MB
-
memory/2124-132-0x0000000004C30000-0x0000000004CC2000-memory.dmpFilesize
584KB
-
memory/2124-133-0x0000000004E40000-0x0000000004EA6000-memory.dmpFilesize
408KB
-
memory/2124-136-0x00000000065A0000-0x00000000065AA000-memory.dmpFilesize
40KB
-
memory/2388-134-0x0000000000000000-mapping.dmp
-
memory/3128-135-0x0000000000000000-mapping.dmp