Analysis
max time kernel: 266s
max time network: 297s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2022 18:01
Static task: static1
Behavioral task: behavioral1 (Sample: 9272022_diav1.exe, Resource: win7-20220901-en)
Behavioral task: behavioral2 (Sample: 9272022_diav1.exe, Resource: win10v2004-20220901-en)
General
Target: 9272022_diav1.exe
Size: 227KB
MD5: 2f62c5385dc49b91f5bd5e2a42f75fe6
SHA1: fdfdfacde0b898d13b01b1ab95d09d55196a13f5
SHA256: 28b3ecf298a47f0e3db76f087e056f30736dab5a0d0a367cb48651897fa617d7
SHA512: 45aa5c281ab9d0e5c01b8da10a96416b2d01f0d57662ccbc1394b8f0dea1baa9d349675bd58a069e6ad005bf7601452bba17edefdb8f309c9bcc909d2364b351
SSDEEP: 3072:v+HwIahsiDzTvGvJTkwEluO9GYSFR8HenNGmeu9+hvwG:GHZs/LeJTkz0YGYSz1n1id
Malware Config
Extracted
Path: C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\WARNING.TXT
URLs:
https://www.zscaler.com/resources/security-terms-glossary/what-is-double-extortion-ransomware
https://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd.onion/
Signatures
- Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 9272022_diav1.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\SyncCompress.raw => \??\c:\users\admin\pictures\synccompress.raw.bully | 9272022_diav1.exe
File renamed | C:\Users\Admin\Pictures\UnprotectConvertFrom.tiff => \??\c:\users\admin\pictures\unprotectconvertfrom.tiff.bully | 9272022_diav1.exe
File opened for modification | \??\c:\users\admin\pictures\unprotectconvertfrom.tiff | 9272022_diav1.exe
File renamed | C:\Users\Admin\Pictures\FindClear.png => \??\c:\users\admin\pictures\findclear.png.bully | 9272022_diav1.exe
File renamed | C:\Users\Admin\Pictures\LimitDisable.tif => \??\c:\users\admin\pictures\limitdisable.tif.bully | 9272022_diav1.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 9272022_diav1.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 9272022_diav1.exe
- Drops startup file (2 IoCs)
Processes: 9272022_diav1.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WARNING.TXT | 9272022_diav1.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WARNING.TXT | 9272022_diav1.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
Processes: 9272022_diav1.exe
description | ioc | process
File opened for modification | \??\c:\users\admin\desktop\desktop.ini | 9272022_diav1.exe
File opened for modification | \??\c:\users\public\desktop\desktop.ini | 9272022_diav1.exe
- Drops file in Program Files directory (64 IoCs)
Processes: 9272022_diav1.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\hxmailsplashlogo.scale-400.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.zunemusic_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-black\widelogo.scale-200_contrast-black.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\common files\system\ado\msado25.tlb | 9272022_diav1.exe
File opened for modification | \??\c:\program files\microsoft office\root\licenses16\o365proplusr_subscription1-ppd.xrm-ms | 9272022_diav1.exe
File opened for modification | \??\c:\program files\microsoft office\root\licenses16\onenotevl_kms_client-ul.xrm-ms | 9272022_diav1.exe
File opened for modification | \??\c:\program files\microsoft office\root\office16\1033\quickstyles\word2013.dotx | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\deletedalluserpackages\microsoft.windowsstore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\appxmanifest.xml | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windows.photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\assets\photosapplist.targetsize-48_altform-colorize.png | 9272022_diav1.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.microsoftofficehub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\square44x44logo.scale-200.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowsalarms_10.1906.2182.0_x64__8wekyb3d8bbwe\assets\alarmsapplist.targetsize-30_altform-lightunplated.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js | 9272022_diav1.exe
File opened for modification | \??\c:\program files (x86)\microsoft\edge\application\92.0.902.67\locales\pt-br.pak | 9272022_diav1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\WARNING.TXT | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weathericons\30x30\187.png | 9272022_diav1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\meta-inf\eclipse_.sf | 9272022_diav1.exe
File opened for modification | \??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar | 9272022_diav1.exe
File opened for modification | \??\c:\program files\microsoft office\root\office16\msipc\sr-cyrl-ba\msipc.dll.mui | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_x64__8wekyb3d8bbwe\assets\secondarytiles\directions\car\rtl\contrast-white\widetile.scale-200.png | 9272022_diav1.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\deletedalluserpackages\microsoft.xboxapp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\gamesxboxhubapplist.scale-125_contrast-white.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\assets\square44x44logo.targetsize-256.png | 9272022_diav1.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-standard\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.webmediaextensions_1.0.20875.0_x64__8wekyb3d8bbwe\assets\medtile.scale-200.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\hxa-advanced-dark.scale-125.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\traffichub\contrast-white\widetile.scale-100.png | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\ink\bg-bg\tipresx.dll.mui | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\builtinresearcher.xml | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowscalculator_10.1906.55.0_x64__8wekyb3d8bbwe\assets\calculatorapplist.targetsize-256_altform-fullcolor.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8041_24x24x32.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\apptiles\contrast-white\mapsbadgelogo.scale-100.png | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\WARNING.TXT | 9272022_diav1.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\View3d\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowscamera_2018.826.98.0_x64__8wekyb3d8bbwe\assets\windowsicons\windowscameraapplist.targetsize-40_altform-unplated.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.yourphone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\s-1-5-21-929662420-1054238289-2961194603-1000-mergedresources-0.pri | 9272022_diav1.exe
File opened for modification | \??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\core\dev\nls\en-ae\ui-strings.js | 9272022_diav1.exe
File opened for modification | \??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\exportpdfupsell-app\js\plugin.js | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\deletedalluserpackages\microsoft.desktopappinstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\apppackagestorelogo.scale-125.png | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\linkedinboxsmalltile.scale-100.png | 9272022_diav1.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\WARNING.TXT | 9272022_diav1.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tl\WARNING.TXT | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\WARNING.TXT | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\java\jdk1.8.0_66\jre\lib\security\blacklisted.certs | 9272022_diav1.exe
File created | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\microsoft office\root\licenses16\powerpointr_oem_perp-pl.xrm-ms | 9272022_diav1.exe
File opened for modification | \??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\images\themeless\example_icons.png | 9272022_diav1.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.xboxgameoverlay_1.46.11001.0_x64__8wekyb3d8bbwe\appxsignature.p7x | 9272022_diav1.exe
File opened for modification | \??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_duplicate_18.svg | 9272022_diav1.exe
File opened for modification | \??\c:\program files (x86)\microsoft\edge\application\92.0.902.67\resiliencylinks\msedge.dll.sig.data | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\WARNING.TXT | 9272022_diav1.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\WARNING.TXT | 9272022_diav1.exe
File opened for modification | \??\c:\program files\microsoft office\root\fre\startmenu_win7_rtl.wmv | 9272022_diav1.exe
File opened for modification | \??\c:\program files\microsoft office\root\licenses16\o365proplusr_subscription2-ppd.xrm-ms | 9272022_diav1.exe
File opened for modification | \??\c:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weathericons\30x30\170.png | 9272022_diav1.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\WARNING.TXT | 9272022_diav1.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
4832 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 9272022_diav1.exe
pid | process
3284 | 9272022_diav1.exe
3284 | 9272022_diav1.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 2244 | vssvc.exe
Token: SeRestorePrivilege | 2244 | vssvc.exe
Token: SeAuditPrivilege | 2244 | vssvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 9272022_diav1.exe, cmd.exe
description | pid | process | target process
PID 3284 wrote to memory of 1488 | 3284 | 9272022_diav1.exe | cmd.exe
PID 3284 wrote to memory of 1488 | 3284 | 9272022_diav1.exe | cmd.exe
PID 3284 wrote to memory of 4284 | 3284 | 9272022_diav1.exe | cmd.exe
PID 3284 wrote to memory of 4284 | 3284 | 9272022_diav1.exe | cmd.exe
PID 1488 wrote to memory of 4832 | 1488 | cmd.exe | vssadmin.exe
PID 1488 wrote to memory of 4832 | 1488 | cmd.exe | vssadmin.exe
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\9272022_diav1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9272022_diav1.exe"
  Signatures:
  - Modifies extensions of user files
  - Checks computer location settings
  - Drops startup file
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Process: C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet >> NUL
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Process: C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin Delete Shadows /All /Quiet
      Signatures:
      - Interacts with shadow copies
  - Process: C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9272022_diav1.exe >> NUL
- Process: C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1488-135-0x0000000000000000-mapping.dmp
- memory/3284-132-0x0000000002BA0000-0x0000000002BA8000-memory.dmp (Filesize: 32KB)
- memory/3284-133-0x0000000002BB0000-0x0000000002BB8000-memory.dmp (Filesize: 32KB)
- memory/3284-134-0x0000000002BA0000-0x0000000002BA8000-memory.dmp (Filesize: 32KB)
- memory/3284-137-0x0000000002BA0000-0x0000000002BA8000-memory.dmp (Filesize: 32KB)
- memory/4284-136-0x0000000000000000-mapping.dmp
- memory/4832-138-0x0000000000000000-mapping.dmp