Analysis
-
max time kernel
152s -
max time network
65s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
04-06-2022 03:37
Static task
static1
Behavioral task
behavioral1
Sample
117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe
Resource
win10v2004-20220414-en
General
-
Target
117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe
-
Size
654KB
-
MD5
0b40a2fff66d3c7f728b2d0e9ae861a6
-
SHA1
91f89d87f92ba4f96d16a96c35e56e039adf6979
-
SHA256
117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2
-
SHA512
dec02943bb4dfae04c0fcce7cb644aa60277f33cd4747270b4a2d3feb5ca53cf6a5d037eb618bc4c27e3ea266089a2fa8b0ae1fb68f9180fb9b4a15522834c5a
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exedescription ioc process File opened for modification \??\c:\Users\Admin\Pictures\DenyOpen.tiff 117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe File opened for modification \??\c:\Users\Admin\Pictures\ResetSend.tiff 117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe File opened for modification \??\c:\Users\Admin\Pictures\TestEnter.tiff 117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe File opened for modification \??\c:\Users\Admin\Pictures\WatchPublish.tiff 117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 900 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1696 vssvc.exe Token: SeRestorePrivilege 1696 vssvc.exe Token: SeAuditPrivilege 1696 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
taskeng.exedescription pid process target process PID 288 wrote to memory of 900 288 taskeng.exe vssadmin.exe PID 288 wrote to memory of 900 288 taskeng.exe vssadmin.exe PID 288 wrote to memory of 900 288 taskeng.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe"C:\Users\Admin\AppData\Local\Temp\117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe"1⤵
- Modifies extensions of user files
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {6811CA29-F10F-440D-9831-44E3260DD8D6} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All2⤵
- Interacts with shadow copies
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/900-57-0x0000000000000000-mapping.dmp
-
memory/1788-54-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/1788-55-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/1788-56-0x0000000075AE1000-0x0000000075AE3000-memory.dmpFilesize
8KB