Analysis
max time kernel: 146s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 28/06/2022, 11:05
Static task: static1
Behavioral task: behavioral1 (Sample: ewin.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: ewin.exe, Resource: win10v2004-20220414-en)
General
Target: ewin.exe
Size: 79KB
MD5: b1506fec2b3988ff33fb5e6c5076439d
SHA1: 295b9010c3eb13496b3a1379e73c5d2317c2134d
SHA256: 3a64d8f4f91013a46b8114092a5d691a93a9e559be43f9f7b4ceb3bd6a1a1876
SHA512: 104d342628253247aff4edbc9b3d801c69d89de9f16045055575d8ddf5b80a15e9a3bfcfaec5667035a30c5809eca57286be748c3d775fc4dc1be51c39642323
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (13 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Pictures\RenameRestart.tiff | ewin.exe
  File opened for modification | C:\Users\Admin\Pictures\ProtectConfirm.png.REDTM | ewin.exe
  File opened for modification | C:\Users\Admin\Pictures\RegisterUninstall.png.REDTM | ewin.exe
  File renamed | C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.REDTM | ewin.exe
  File opened for modification | C:\Users\Admin\Pictures\StopInvoke.png.REDTM | ewin.exe
  File renamed | C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.REDTM | ewin.exe
  File renamed | C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.REDTM | ewin.exe
  File opened for modification | C:\Users\Admin\Pictures\RenameRestart.tiff.REDTM | ewin.exe
  File opened for modification | C:\Users\Admin\Pictures\RenameStep.png.REDTM | ewin.exe
  File renamed | C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.REDTM | ewin.exe
  File opened for modification | C:\Users\Admin\Pictures\CompleteResolve.crw.REDTM | ewin.exe
  File renamed | C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.REDTM | ewin.exe
  File renamed | C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.REDTM | ewin.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\P: | ewin.exe
  File opened (read-only) | \??\G: | ewin.exe
  File opened (read-only) | \??\H: | ewin.exe
  File opened (read-only) | \??\J: | ewin.exe
  File opened (read-only) | \??\V: | ewin.exe
  File opened (read-only) | \??\R: | ewin.exe
  File opened (read-only) | \??\S: | ewin.exe
  File opened (read-only) | \??\F: | ewin.exe
  File opened (read-only) | \??\Z: | ewin.exe
  File opened (read-only) | \??\X: | ewin.exe
  File opened (read-only) | \??\N: | ewin.exe
  File opened (read-only) | \??\Q: | ewin.exe
  File opened (read-only) | \??\Y: | ewin.exe
  File opened (read-only) | \??\U: | ewin.exe
  File opened (read-only) | \??\I: | ewin.exe
  File opened (read-only) | \??\A: | ewin.exe
  File opened (read-only) | \??\K: | ewin.exe
  File opened (read-only) | \??\L: | ewin.exe
  File opened (read-only) | \??\B: | ewin.exe
  File opened (read-only) | \??\W: | ewin.exe
  File opened (read-only) | \??\M: | ewin.exe
  File opened (read-only) | \??\T: | ewin.exe
  File opened (read-only) | \??\O: | ewin.exe
  File opened (read-only) | \??\E: | ewin.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1084 | vssadmin.exe
  1888 | vssadmin.exe
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  pid | Process
  960 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  1100 | ewin.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 1812 | vssvc.exe
  Token: SeRestorePrivilege | 1812 | vssvc.exe
  Token: SeAuditPrivilege | 1812 | vssvc.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 1100 wrote to memory of 2040 | 1100 | ewin.exe | 27
  PID 1100 wrote to memory of 2040 | 1100 | ewin.exe | 27
  PID 1100 wrote to memory of 2040 | 1100 | ewin.exe | 27
  PID 1100 wrote to memory of 2040 | 1100 | ewin.exe | 27
  PID 2040 wrote to memory of 1084 | 2040 | cmd.exe | 29
  PID 2040 wrote to memory of 1084 | 2040 | cmd.exe | 29
  PID 2040 wrote to memory of 1084 | 2040 | cmd.exe | 29
  PID 1100 wrote to memory of 1940 | 1100 | ewin.exe | 33
  PID 1100 wrote to memory of 1940 | 1100 | ewin.exe | 33
  PID 1100 wrote to memory of 1940 | 1100 | ewin.exe | 33
  PID 1100 wrote to memory of 1940 | 1100 | ewin.exe | 33
  PID 1940 wrote to memory of 1888 | 1940 | cmd.exe | 35
  PID 1940 wrote to memory of 1888 | 1940 | cmd.exe | 35
  PID 1940 wrote to memory of 1888 | 1940 | cmd.exe | 35
  PID 472 wrote to memory of 960 | 472 | rundll32.exe | 37
  PID 472 wrote to memory of 960 | 472 | rundll32.exe | 37
  PID 472 wrote to memory of 960 | 472 | rundll32.exe | 37
Processes
- C:\Users\Admin\AppData\Local\Temp\ewin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ewin.exe"
  PID: 1100
  Signatures: Modifies extensions of user files; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 2040
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 1084
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 1940
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 1888
      Signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1812
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WaitStep.wma.REDTM
  PID: 472
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WaitStep.wma.REDTM
    PID: 960
    Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 755KB
  MD5: ebbead8564bbc08c6a8760a694c99df6
  SHA1: 8d0dd0f0577175e55f92ccc40d7cf1e672c04c95
  SHA256: d1f907483f075b574bb71dde537fcfd1411d5fb91b0afda1fdd42fc40e624d49
  SHA512: 1afb3276bc129f0c8a6939db74d884e2474cc045aa4e743e66e0e55bc8976d6a08d0082a1f58a67fbc1f3725fe27b58fc5c974685212e39c044b7f657cd9a840