1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77

General

Target

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
Size

200KB
MD5

7372c9a138bb854972452263abab1dc5
SHA1

ad247b2428fac6d07bdd9628cddaa18004840e6c
SHA256

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77
SHA512

3c882b3514c6314ebde04d35748464d4aba3eceb567c1b7ee87f4cf565cf192af3195d21151ef024b2fd19f151beb449fbd28105354a71764b46dbfba5fc1184
SSDEEP

3072:dbOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YvrCtMNX/eTvpdXfabI5F8lbj4:lOsZiKRJWWYj7eTxdH5qlGuqJH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

832 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

pid process

896 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

pid	process
832	vssadmin.exe

pid	process
896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe
Token: 33	1700	WMIC.exe
Token: 34	1700	WMIC.exe
Token: 35	1700	WMIC.exe
Token: SeBackupPrivilege	1676	vssvc.exe
Token: SeRestorePrivilege	1676	vssvc.exe
Token: SeAuditPrivilege	1676	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe
Token: 33	1700	WMIC.exe
Token: 34	1700	WMIC.exe
Token: 35	1700	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.execmd.execmd.exe

description	pid	process	target process
PID 896 wrote to memory of 916	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 916	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 916	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 916	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1464	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1464	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1464	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1464	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 916 wrote to memory of 832	916	cmd.exe	vssadmin.exe
PID 916 wrote to memory of 832	916	cmd.exe	vssadmin.exe
PID 916 wrote to memory of 832	916	cmd.exe	vssadmin.exe
PID 916 wrote to memory of 832	916	cmd.exe	vssadmin.exe
PID 896 wrote to memory of 628	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 628	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 628	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 628	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1120	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1120	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1120	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1120	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 968	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 968	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 968	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 968	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1120 wrote to memory of 1700	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1700	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1700	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1700	1120	cmd.exe	WMIC.exe
PID 896 wrote to memory of 1708	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1708	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1708	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 896 wrote to memory of 1708	896	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
"C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
  2⤵
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
  2⤵
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
  2⤵
  PID:968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-58-0x0000000000000000-mapping.dmp

Download
memory/832-57-0x0000000000000000-mapping.dmp

Download
memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/916-55-0x0000000000000000-mapping.dmp

Download
memory/968-60-0x0000000000000000-mapping.dmp

Download
memory/1120-59-0x0000000000000000-mapping.dmp

Download
memory/1464-56-0x0000000000000000-mapping.dmp

Download
memory/1700-61-0x0000000000000000-mapping.dmp

Download
memory/1708-62-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing