Analysis
-
max time kernel
48s -
max time network
12s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
29/06/2022, 10:55
Static task
static1
Behavioral task
behavioral1
Sample
enc.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
enc.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
enc.exe
-
Size
7.7MB
-
MD5
a7ab0969bf6641cd0c7228ae95f6d217
-
SHA1
002971b6d178698bf7930b5b89c201750d80a07e
-
SHA256
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
-
SHA512
7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = "C:\\Users\\Public\\enc.exe" enc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1808 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe 1416 enc.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1416 enc.exe Token: SeBackupPrivilege 2036 vssvc.exe Token: SeRestorePrivilege 2036 vssvc.exe Token: SeAuditPrivilege 2036 vssvc.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1416 wrote to memory of 1888 1416 enc.exe 31 PID 1416 wrote to memory of 1888 1416 enc.exe 31 PID 1416 wrote to memory of 1888 1416 enc.exe 31 PID 1888 wrote to memory of 1808 1888 cmd.exe 33 PID 1888 wrote to memory of 1808 1888 cmd.exe 33 PID 1888 wrote to memory of 1808 1888 cmd.exe 33 PID 1416 wrote to memory of 808 1416 enc.exe 22
Processes
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted1⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\enc.exe"C:\Users\Admin\AppData\Local\Temp\enc.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1808
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036