Overview

overview

10

Static

static

117da274f4...b2.exe

windows7_x64

9

117da274f4...b2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-06-2022 03:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe

  • Size

    654KB

  • MD5

    0b40a2fff66d3c7f728b2d0e9ae861a6

  • SHA1

    91f89d87f92ba4f96d16a96c35e56e039adf6979

  • SHA256

    117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2

  • SHA512

    dec02943bb4dfae04c0fcce7cb644aa60277f33cd4747270b4a2d3feb5ca53cf6a5d037eb618bc4c27e3ea266089a2fa8b0ae1fb68f9180fb9b4a15522834c5a

Score
9/10
ransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe
    "C:\Users\Admin\AppData\Local\Temp\117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2.exe"
    1⤵
    • Modifies extensions of user files
    PID:1788
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1696
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6811CA29-F10F-440D-9831-44E3260DD8D6} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
      2⤵
      • Interacts with shadow copies
      PID:900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1788-54-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1788-55-0x0000000000400000-0x00000000004A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/1788-56-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

    Filesize

    8KB

    Download