Analysis
-
max time kernel
81s -
max time network
87s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system -
submitted
28-07-2022 16:40
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win7-20220715-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
svchost.exe
Resource
win10v2004-20220722-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
svchost.exe
-
Size
213KB
-
MD5
39f34aa65e3a95a53f3ec0675fc37905
-
SHA1
b8206089a3841464c72ee695951854dfe08a82cd
-
SHA256
8e7393013f240334efe2ca52c8a3554628c479becab2b691d114e1e8b3ccd51d
-
SHA512
7c45d8ba6f080cccaaa3c663d44a796c077f786f48cd392bcb9fa7e60d3b424aa90ecb1ed3c1c810b1607610db42a59eb0a9cc452579e454ca6443b2b249b2cb
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 12052 1980 WerFault.exe 79 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1980 svchost.exe 1980 svchost.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1948 WMIC.exe Token: SeSecurityPrivilege 1948 WMIC.exe Token: SeTakeOwnershipPrivilege 1948 WMIC.exe Token: SeLoadDriverPrivilege 1948 WMIC.exe Token: SeSystemProfilePrivilege 1948 WMIC.exe Token: SeSystemtimePrivilege 1948 WMIC.exe Token: SeProfSingleProcessPrivilege 1948 WMIC.exe Token: SeIncBasePriorityPrivilege 1948 WMIC.exe Token: SeCreatePagefilePrivilege 1948 WMIC.exe Token: SeBackupPrivilege 1948 WMIC.exe Token: SeRestorePrivilege 1948 WMIC.exe Token: SeShutdownPrivilege 1948 WMIC.exe Token: SeDebugPrivilege 1948 WMIC.exe Token: SeSystemEnvironmentPrivilege 1948 WMIC.exe Token: SeRemoteShutdownPrivilege 1948 WMIC.exe Token: SeUndockPrivilege 1948 WMIC.exe Token: SeManageVolumePrivilege 1948 WMIC.exe Token: 33 1948 WMIC.exe Token: 34 1948 WMIC.exe Token: 35 1948 WMIC.exe Token: 36 1948 WMIC.exe Token: SeIncreaseQuotaPrivilege 1948 WMIC.exe Token: SeSecurityPrivilege 1948 WMIC.exe Token: SeTakeOwnershipPrivilege 1948 WMIC.exe Token: SeLoadDriverPrivilege 1948 WMIC.exe Token: SeSystemProfilePrivilege 1948 WMIC.exe Token: SeSystemtimePrivilege 1948 WMIC.exe Token: SeProfSingleProcessPrivilege 1948 WMIC.exe Token: SeIncBasePriorityPrivilege 1948 WMIC.exe Token: SeCreatePagefilePrivilege 1948 WMIC.exe Token: SeBackupPrivilege 1948 WMIC.exe Token: SeRestorePrivilege 1948 WMIC.exe Token: SeShutdownPrivilege 1948 WMIC.exe Token: SeDebugPrivilege 1948 WMIC.exe Token: SeSystemEnvironmentPrivilege 1948 WMIC.exe Token: SeRemoteShutdownPrivilege 1948 WMIC.exe Token: SeUndockPrivilege 1948 WMIC.exe Token: SeManageVolumePrivilege 1948 WMIC.exe Token: 33 1948 WMIC.exe Token: 34 1948 WMIC.exe Token: 35 1948 WMIC.exe Token: 36 1948 WMIC.exe Token: SeBackupPrivilege 1332 vssvc.exe Token: SeRestorePrivilege 1332 vssvc.exe Token: SeAuditPrivilege 1332 vssvc.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1980 wrote to memory of 860 1980 svchost.exe 81 PID 1980 wrote to memory of 860 1980 svchost.exe 81 PID 1980 wrote to memory of 860 1980 svchost.exe 81 PID 1980 wrote to memory of 4988 1980 svchost.exe 83 PID 1980 wrote to memory of 4988 1980 svchost.exe 83 PID 1980 wrote to memory of 4988 1980 svchost.exe 83 PID 1980 wrote to memory of 3812 1980 svchost.exe 85 PID 1980 wrote to memory of 3812 1980 svchost.exe 85 PID 1980 wrote to memory of 3812 1980 svchost.exe 85 PID 1980 wrote to memory of 4536 1980 svchost.exe 87 PID 1980 wrote to memory of 4536 1980 svchost.exe 87 PID 1980 wrote to memory of 4536 1980 svchost.exe 87 PID 1980 wrote to memory of 2348 1980 svchost.exe 89 PID 1980 wrote to memory of 2348 1980 svchost.exe 89 PID 1980 wrote to memory of 2348 1980 svchost.exe 89 PID 1980 wrote to memory of 4804 1980 svchost.exe 91 PID 1980 wrote to memory of 4804 1980 svchost.exe 91 PID 1980 wrote to memory of 4804 1980 svchost.exe 91 PID 4536 wrote to memory of 1948 4536 cmd.exe 93 PID 4536 wrote to memory of 1948 4536 cmd.exe 93 PID 4536 wrote to memory of 1948 4536 cmd.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵PID:860
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵PID:4988
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵PID:3812
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵PID:2348
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵PID:4804
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 311042⤵
- Program crash
PID:12052
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1980 -ip 19801⤵PID:12004