Overview

overview

10

Static

static

10

1e8bafd699...77.exe

windows7-x64

9

1e8bafd699...77.exe

windows10-2004-x64

9

Resubmissions

09-10-2022 16:47

221009-vatn5shdfj 10

03-10-2022 04:16

221003-evv5pshaen 10

30-09-2022 08:08

220930-j1j2vadghr 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

  • Size

    200KB

  • MD5

    7372c9a138bb854972452263abab1dc5

  • SHA1

    ad247b2428fac6d07bdd9628cddaa18004840e6c

  • SHA256

    1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77

  • SHA512

    3c882b3514c6314ebde04d35748464d4aba3eceb567c1b7ee87f4cf565cf192af3195d21151ef024b2fd19f151beb449fbd28105354a71764b46dbfba5fc1184

  • SSDEEP

    3072:dbOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YvrCtMNX/eTvpdXfabI5F8lbj4:lOsZiKRJWWYj7eTxdH5qlGuqJH

Score
9/10
discoveryransomwarespywarestealer

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
    "C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      2⤵
        PID:2464
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
        2⤵
          PID:4824
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
          2⤵
            PID:2008
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3632
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic SHADOWCOPY DELETE
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5096
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
            2⤵
              PID:3100
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
              2⤵
                PID:2000
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2392

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini
              Filesize

              935B

              MD5

              d9c7945574c0adae9012669a046542a1

              SHA1

              ed5a9872d772c7cca6659814cbc5a6485348acad

              SHA256

              c9ecda7f2042851a87a0e34e501388331ac977a33a9c6cf7abb791b6c04b390c

              SHA512

              e6699e876d3b4d746e40c45ea29b184a7977ba97c40a9779fb9cf55cbfd4615f42d0b5ea5b616db39df85095b6cd904d45e766bba1ce67e3ed8fcbfcc880a420

              Download Submit

            • memory/2000-137-0x0000000000000000-mapping.dmp

              Download

            • memory/2008-134-0x0000000000000000-mapping.dmp

              Download

            • memory/2464-132-0x0000000000000000-mapping.dmp

              Download

            • memory/3100-136-0x0000000000000000-mapping.dmp

              Download

            • memory/3632-135-0x0000000000000000-mapping.dmp

              Download

            • memory/4824-133-0x0000000000000000-mapping.dmp

              Download

            • memory/5096-138-0x0000000000000000-mapping.dmp

              Download