Analysis
max time kernel: 146s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 28-06-2022 11:05
Static task: static1
Behavioral task: behavioral1 (sample ewin.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample ewin.exe, resource win10v2004-20220414-en)
General
Target: ewin.exe
Size: 79KB
MD5: b1506fec2b3988ff33fb5e6c5076439d
SHA1: 295b9010c3eb13496b3a1379e73c5d2317c2134d
SHA256: 3a64d8f4f91013a46b8114092a5d691a93a9e559be43f9f7b4ceb3bd6a1a1876
SHA512: 104d342628253247aff4edbc9b3d801c69d89de9f16045055575d8ddf5b80a15e9a3bfcfaec5667035a30c5809eca57286be748c3d775fc4dc1be51c39642323
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware deletes Volume Shadow Copies (the local backups Windows keeps) to inhibit system recovery. Here the sample runs vssadmin.exe delete shadows /all /quiet twice, each time through a cmd.exe /c wrapper (see the Processes section).
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files. This sample keeps the original extension and appends .REDTM to the full name (StopInvoke.png becomes StopInvoke.png.REDTM), and opens the renamed files for modification.
Processes: ewin.exe
  File opened for modification: C:\Users\Admin\Pictures\RenameRestart.tiff
  File opened for modification: C:\Users\Admin\Pictures\ProtectConfirm.png.REDTM
  File opened for modification: C:\Users\Admin\Pictures\RegisterUninstall.png.REDTM
  File renamed: C:\Users\Admin\Pictures\StopInvoke.png => C:\Users\Admin\Pictures\StopInvoke.png.REDTM
  File opened for modification: C:\Users\Admin\Pictures\StopInvoke.png.REDTM
  File renamed: C:\Users\Admin\Pictures\RenameRestart.tiff => C:\Users\Admin\Pictures\RenameRestart.tiff.REDTM
  File renamed: C:\Users\Admin\Pictures\RenameStep.png => C:\Users\Admin\Pictures\RenameStep.png.REDTM
  File opened for modification: C:\Users\Admin\Pictures\RenameRestart.tiff.REDTM
  File opened for modification: C:\Users\Admin\Pictures\RenameStep.png.REDTM
  File renamed: C:\Users\Admin\Pictures\CompleteResolve.crw => C:\Users\Admin\Pictures\CompleteResolve.crw.REDTM
  File opened for modification: C:\Users\Admin\Pictures\CompleteResolve.crw.REDTM
  File renamed: C:\Users\Admin\Pictures\ProtectConfirm.png => C:\Users\Admin\Pictures\ProtectConfirm.png.REDTM
  File renamed: C:\Users\Admin\Pictures\RegisterUninstall.png => C:\Users\Admin\Pictures\RegisterUninstall.png.REDTM
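The append-a-suffix pattern in the rename IoCs above is easy to turn into a detection. The Python below is an added example for this report, not the sandbox's own signature logic: it parses constructed file-event lines in a made-up process|operation|source|destination format that mirrors the six "File renamed" IoCs, and alerts when one process appends the same new suffix to at least THRESHOLD distinct files. The threshold, the event format and the benign renames by explorer.exe, backup.exe and WINWORD.EXE are assumptions; map them onto your own EDR telemetry.

```python
"""Detect a process appending one new extension to many user files.

Added example for this report, not code from the sandbox. The events below are
constructed in a made-up 'process|operation|source|destination' format that
mirrors the 'File renamed' IoCs above; adapt parse_event() to real telemetry.
"""
from collections import defaultdict

# Distinct files that must receive the same appended suffix before we alert (assumed value).
THRESHOLD = 5

# Constructed telemetry: the six ewin.exe renames from the report plus benign renames
# by other processes that a naive "extension changed" rule would also flag.
EVENTS = [
    r"ewin.exe|rename|C:\Users\Admin\Pictures\StopInvoke.png|C:\Users\Admin\Pictures\StopInvoke.png.REDTM",
    r"ewin.exe|rename|C:\Users\Admin\Pictures\RenameRestart.tiff|C:\Users\Admin\Pictures\RenameRestart.tiff.REDTM",
    r"ewin.exe|rename|C:\Users\Admin\Pictures\RenameStep.png|C:\Users\Admin\Pictures\RenameStep.png.REDTM",
    r"ewin.exe|rename|C:\Users\Admin\Pictures\CompleteResolve.crw|C:\Users\Admin\Pictures\CompleteResolve.crw.REDTM",
    r"ewin.exe|rename|C:\Users\Admin\Pictures\ProtectConfirm.png|C:\Users\Admin\Pictures\ProtectConfirm.png.REDTM",
    r"ewin.exe|rename|C:\Users\Admin\Pictures\RegisterUninstall.png|C:\Users\Admin\Pictures\RegisterUninstall.png.REDTM",
    r"ewin.exe|modify|C:\Users\Admin\Pictures\StopInvoke.png.REDTM|",
    r"explorer.exe|rename|C:\Users\Admin\Documents\notes.txt|C:\Users\Admin\Documents\notes-old.txt",
    r"backup.exe|rename|C:\Users\Admin\Documents\ledger.xlsx|C:\Users\Admin\Documents\ledger.xlsx.bak",
    r"WINWORD.EXE|rename|C:\Users\Admin\Documents\~WRL0001.tmp|C:\Users\Admin\Documents\report.docx",
]


def parse_event(line):
    """Split one constructed event line into (process, operation, source, destination)."""
    process, operation, source, destination = line.split("|", 3)
    return process, operation, source, destination


def appended_extension(source, destination):
    """Return the suffix tacked onto the full original name (e.g. '.REDTM'), or None
    when the rename is anything else (new name, swapped extension, multi-part suffix).
    Ransomware typically keeps the original extension and appends its own, which is
    exactly what 'foo.png -> foo.png.REDTM' shows; 'foo.png -> bar.png' does not qualify.
    """
    if not destination.startswith(source + "."):
        return None
    suffix = destination[len(source):]          # ".REDTM"
    return suffix if "." not in suffix[1:] else None


def find_mass_rename(events, threshold=THRESHOLD):
    """Group appended-suffix renames by (process, suffix) and alert on large groups."""
    groups = defaultdict(set)
    for line in events:
        process, operation, source, destination = parse_event(line)
        if operation != "rename":
            continue
        suffix = appended_extension(source, destination)
        if suffix is not None:
            groups[(process, suffix)].add(source)
    alerts = []
    for (process, suffix), files in groups.items():
        if len(files) >= threshold:
            alerts.append({
                "process": process,
                "extension": suffix,
                "count": len(files),
                "examples": sorted(files)[:3],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_mass_rename(EVENTS):
        print(f"{alert['process']} appended {alert['extension']} to {alert['count']} files, "
              f"e.g. {alert['examples'][0]}")
```

Keying the group on (process, suffix) rather than on "extension changed" is what keeps the single backup.exe ledger.xlsx.bak rename below the threshold while the six ewin.exe renames trip it; in production, add a time window so a slow encryptor cannot stay under the count per interval.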
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ewin.exe
  File opened (read-only): \??\P:, \??\G:, \??\H:, \??\J:, \??\V:, \??\R:, \??\S:, \??\F:, \??\Z:, \??\X:, \??\N:, \??\Q:, \??\Y:, \??\U:, \??\I:, \??\A:, \??\K:, \??\L:, \??\B:, \??\W:, \??\M:, \??\T:, \??\O:, \??\E: (24 drive letters: every letter except C: and D:)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1084), vssadmin.exe (PID 1888)
Modifies registry class 2 IoCs
Processes: rundll32.exe (PID 472)
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Both keys are the shell's MuiCache and were written by the rundll32.exe "Open with" dialog (shell32.dll,OpenAs_RunDLL, see the Processes section), not by ewin.exe; they are not a persistence mechanism.
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE (PID 960)
The file opened, C:\Users\Admin\Desktop\WaitStep.wma.REDTM, is an encrypted user file with the .REDTM suffix, not a ransom note. NOTEPAD.EXE was started from the shell's "Open with" dialog (rundll32.exe shell32.dll,OpenAs_RunDLL, PID 472), which is most likely the sandbox's automated user interaction double-clicking a renamed file. No ransom note is captured in this report.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: ewin.exe (PID 1100)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe (PID 1812)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
vssvc.exe is the Volume Shadow Copy service itself, and it enables these privileges to service the vssadmin.exe delete request; this is a consequence of the sample's shadow-copy deletion, not the sample adjusting its own token.
Suspicious use of WriteProcessMemory 17 IoCs
Processes: ewin.exe, cmd.exe, cmd.exe, rundll32.exe
  PID 1100 (ewin.exe) wrote to memory of PID 2040 (cmd.exe), 4 times
  PID 2040 (cmd.exe) wrote to memory of PID 1084 (vssadmin.exe), 3 times
  PID 1100 (ewin.exe) wrote to memory of PID 1940 (cmd.exe), 4 times
  PID 1940 (cmd.exe) wrote to memory of PID 1888 (vssadmin.exe), 3 times
  PID 472 (rundll32.exe) wrote to memory of PID 960 (NOTEPAD.EXE), 3 times
Every write is from a parent into a child it has just created, which is consistent with ordinary process start-up rather than code injection into an unrelated process; the signature fires on any WriteProcessMemory call.
Processes
C:\Users\Admin\AppData\Local\Temp\ewin.exe (PID 1100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ewin.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 2040)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (PID 1084)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe (PID 1940)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe (PID 1888)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
C:\Windows\system32\vssvc.exe (PID 1812)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\rundll32.exe (PID 472)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WaitStep.wma.REDTM
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE (PID 960)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WaitStep.wma.REDTM
    - Opens file in notepad (likely ransom note)
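The process tree shows the classic shadow-copy deletion chain: the sample spawns cmd.exe /c, which spawns vssadmin.exe delete shadows /all /quiet. The Python below is an added example, not part of this report: it builds a parent/child map from constructed process-creation events that follow the PIDs and command lines above, matches each command line against backup-destruction patterns (going beyond the report's single vssadmin form to wmic shadowcopy delete, wbadmin delete catalog and vssadmin resize shadowstorage), drops the cmd.exe wrapper so each deletion is reported once, and walks up past shell interpreters to name the process that originated it. The explorer.exe parent of ewin.exe and the benign vssadmin list shadows event are assumptions added so the example has something not to flag.

```python
"""Attribute shadow-copy deletion to the process that started it.

Added example for this report, not the sandbox's own logic. Process-creation
events are constructed from the PIDs and command lines in the process tree
above; the explorer.exe parent of ewin.exe and the benign 'vssadmin list
shadows' event are assumptions.
"""
import ntpath
import re

# Command-line patterns for backup destruction (ATT&CK T1490). The report only
# shows the first form; the others are common variants worth matching as well.
SHADOW_DELETION = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"), "wbadmin delete catalog"),
]

# Interpreters we walk through when looking for the real originator.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed events: (pid, ppid, image, command line).
PROCESS_EVENTS = [
    (1200, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed parent of the sample
    (1100, 1200, r"C:\Users\Admin\AppData\Local\Temp\ewin.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ewin.exe"'),
    (2040, 1100, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    (1084, 2040, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (1940, 1100, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    (1888, 1940, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (2500, 1200, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),  # benign, assumed
    (3000, 2500, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe list shadows"),  # benign, assumed
]


def match_shadow_deletion(cmdline):
    """Return the technique label for a backup-destroying command line, else None."""
    text = cmdline.lower()
    for pattern, label in SHADOW_DELETION:
        if pattern.search(text):
            return label
    return None


def ancestry(procs, pid):
    """Walk parent links upwards; returns [(pid, image), ...] starting at pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:      # 'seen' guards against PID reuse loops
        seen.add(pid)
        ppid, image, _ = procs[pid]
        chain.append((pid, image))
        pid = ppid
    return chain


def shadow_deletion_alerts(events):
    """One alert per deletion, attributed to the first non-shell ancestor."""
    procs = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    matched = {pid for pid, (_, _, cmdline) in procs.items() if match_shadow_deletion(cmdline)}
    # 'cmd.exe /c vssadmin ...' carries the same command line as the vssadmin.exe it
    # launches, so both match; report only the leaf so each deletion counts once.
    leaves = [pid for pid in matched if not any(procs[child][0] == pid for child in matched)]
    alerts = []
    for pid in sorted(leaves):
        chain = ancestry(procs, pid)
        origin = next(
            ((p, img) for p, img in chain[1:] if ntpath.basename(img).lower() not in SHELLS),
            chain[-1],
        )
        alerts.append({
            "pid": pid,
            "image": procs[pid][1],
            "technique": match_shadow_deletion(procs[pid][2]),
            "origin_pid": origin[0],
            "origin_image": origin[1],
        })
    return alerts


if __name__ == "__main__":
    for a in shadow_deletion_alerts(PROCESS_EVENTS):
        print(f"PID {a['pid']} {a['technique']} <- started by PID {a['origin_pid']} {a['origin_image']}")
```

Run against the constructed events this yields two alerts, PIDs 1084 and 1888, both attributed to ewin.exe (PID 1100); the interactive vssadmin list shadows stays silent. The originator, not vssadmin.exe, is what you want to isolate and hunt for on other hosts.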
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Desktop\WaitStep.wma.REDTM
  Filesize: 755KB
  MD5: ebbead8564bbc08c6a8760a694c99df6
  SHA1: 8d0dd0f0577175e55f92ccc40d7cf1e672c04c95
  SHA256: d1f907483f075b574bb71dde537fcfd1411d5fb91b0afda1fdd42fc40e624d49
  SHA512: 1afb3276bc129f0c8a6939db74d884e2474cc045aa4e743e66e0e55bc8976d6a08d0082a1f58a67fbc1f3725fe27b58fc5c974685212e39c044b7f657cd9a840
  (the encrypted user file that was opened in Notepad; this is post-encryption content, not the sample)
-
\??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the hashes of zero-length input: the capture of the srvsvc named pipe is empty)
-
memory/472-59-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp (8KB)
memory/960-61-0x0000000000000000-mapping.dmp
memory/1084-56-0x0000000000000000-mapping.dmp
memory/1100-54-0x0000000074B51000-0x0000000074B53000-memory.dmp (8KB)
memory/1888-58-0x0000000000000000-mapping.dmp
memory/1940-57-0x0000000000000000-mapping.dmp
memory/2040-55-0x0000000000000000-mapping.dmp