Resubmissions

28-07-2022 16:40

220728-t6m1ssaabp 10

16-01-2022 03:14

220116-drpcbafecl 10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2022 16:40

General

  • Target

    svchost.exe

  • Size

    213KB

  • MD5

    39f34aa65e3a95a53f3ec0675fc37905

  • SHA1

    b8206089a3841464c72ee695951854dfe08a82cd

  • SHA256

    8e7393013f240334efe2ca52c8a3554628c479becab2b691d114e1e8b3ccd51d

  • SHA512

    7c45d8ba6f080cccaaa3c663d44a796c077f786f48cd392bcb9fa7e60d3b424aa90ecb1ed3c1c810b1607610db42a59eb0a9cc452579e454ca6443b2b249b2cb

Score
9/10

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
      2⤵
        PID:1232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
        2⤵
          PID:1280
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2044
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic SHADOWCOPY DELETE
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:552
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
          2⤵
            PID:1764
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
            2⤵
              PID:1168
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1636

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Defense Evasion

          File Deletion

          2
          T1107

          Discovery

          Network Service Scanning

          1
          T1046

          System Information Discovery

          1
          T1082

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/552-62-0x0000000000000000-mapping.dmp
          • memory/1168-61-0x0000000000000000-mapping.dmp
          • memory/1232-56-0x0000000000000000-mapping.dmp
          • memory/1280-57-0x0000000000000000-mapping.dmp
          • memory/1672-54-0x00000000762B1000-0x00000000762B3000-memory.dmp
            Filesize

            8KB

          • memory/1764-59-0x0000000000000000-mapping.dmp
          • memory/1996-55-0x0000000000000000-mapping.dmp
          • memory/2036-60-0x0000000000000000-mapping.dmp
          • memory/2044-58-0x0000000000000000-mapping.dmp