Resubmissions

09-10-2022 16:47

221009-vatn5shdfj 10

03-10-2022 04:16

221003-evv5pshaen 10

30-09-2022 08:08

220930-j1j2vadghr 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2022 08:08

General

  • Target

    1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

  • Size

    200KB

  • MD5

    7372c9a138bb854972452263abab1dc5

  • SHA1

    ad247b2428fac6d07bdd9628cddaa18004840e6c

  • SHA256

    1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77

  • SHA512

    3c882b3514c6314ebde04d35748464d4aba3eceb567c1b7ee87f4cf565cf192af3195d21151ef024b2fd19f151beb449fbd28105354a71764b46dbfba5fc1184

  • SSDEEP

    3072:dbOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YvrCtMNX/eTvpdXfabI5F8lbj4:lOsZiKRJWWYj7eTxdH5qlGuqJH

Score
9/10

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
    "C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
      2⤵
        PID:1464
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
        2⤵
          PID:628
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic SHADOWCOPY DELETE
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1700
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
          2⤵
            PID:968
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
            2⤵
              PID:1708
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1676

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

            Filesize

            8KB