Resubmissions
09-10-2022 16:47
221009-vatn5shdfj 1003-10-2022 04:16
221003-evv5pshaen 1030-09-2022 08:08
220930-j1j2vadghr 10Analysis
-
max time kernel
211s -
max time network
214s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
09-10-2022 16:47
Behavioral task
behavioral1
Sample
1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
Resource
win10v2004-20220901-en
General
-
Target
1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
-
Size
200KB
-
MD5
7372c9a138bb854972452263abab1dc5
-
SHA1
ad247b2428fac6d07bdd9628cddaa18004840e6c
-
SHA256
1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77
-
SHA512
3c882b3514c6314ebde04d35748464d4aba3eceb567c1b7ee87f4cf565cf192af3195d21151ef024b2fd19f151beb449fbd28105354a71764b46dbfba5fc1184
-
SSDEEP
3072:dbOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YvrCtMNX/eTvpdXfabI5F8lbj4:lOsZiKRJWWYj7eTxdH5qlGuqJH
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1568 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: 33 1200 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1200 AUDIODG.EXE Token: 33 1200 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1200 AUDIODG.EXE Token: SeIncreaseQuotaPrivilege 732 WMIC.exe Token: SeSecurityPrivilege 732 WMIC.exe Token: SeTakeOwnershipPrivilege 732 WMIC.exe Token: SeLoadDriverPrivilege 732 WMIC.exe Token: SeSystemProfilePrivilege 732 WMIC.exe Token: SeSystemtimePrivilege 732 WMIC.exe Token: SeProfSingleProcessPrivilege 732 WMIC.exe Token: SeIncBasePriorityPrivilege 732 WMIC.exe Token: SeCreatePagefilePrivilege 732 WMIC.exe Token: SeBackupPrivilege 732 WMIC.exe Token: SeRestorePrivilege 732 WMIC.exe Token: SeShutdownPrivilege 732 WMIC.exe Token: SeDebugPrivilege 732 WMIC.exe Token: SeSystemEnvironmentPrivilege 732 WMIC.exe Token: SeRemoteShutdownPrivilege 732 WMIC.exe Token: SeUndockPrivilege 732 WMIC.exe Token: SeManageVolumePrivilege 732 WMIC.exe Token: 33 732 WMIC.exe Token: 34 732 WMIC.exe Token: 35 732 WMIC.exe Token: SeBackupPrivilege 1136 vssvc.exe Token: SeRestorePrivilege 1136 vssvc.exe Token: SeAuditPrivilege 1136 vssvc.exe Token: SeIncreaseQuotaPrivilege 732 WMIC.exe Token: SeSecurityPrivilege 732 WMIC.exe Token: SeTakeOwnershipPrivilege 732 WMIC.exe Token: SeLoadDriverPrivilege 732 WMIC.exe Token: SeSystemProfilePrivilege 732 WMIC.exe Token: SeSystemtimePrivilege 732 WMIC.exe Token: SeProfSingleProcessPrivilege 732 WMIC.exe Token: SeIncBasePriorityPrivilege 732 WMIC.exe Token: SeCreatePagefilePrivilege 732 WMIC.exe Token: SeBackupPrivilege 732 WMIC.exe Token: SeRestorePrivilege 732 WMIC.exe Token: SeShutdownPrivilege 732 WMIC.exe Token: SeDebugPrivilege 732 WMIC.exe Token: SeSystemEnvironmentPrivilege 732 WMIC.exe Token: SeRemoteShutdownPrivilege 732 WMIC.exe Token: SeUndockPrivilege 732 WMIC.exe Token: SeManageVolumePrivilege 732 WMIC.exe Token: 33 732 WMIC.exe Token: 34 732 WMIC.exe Token: 35 732 WMIC.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1548 wrote to memory of 1840 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 29 PID 1548 wrote to memory of 1840 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 29 PID 1548 wrote to memory of 1840 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 29 PID 1548 wrote to memory of 1840 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 29 PID 1548 wrote to memory of 1308 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 31 PID 1548 wrote to memory of 1308 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 31 PID 1548 wrote to memory of 1308 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 31 PID 1548 wrote to memory of 1308 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 31 PID 1548 wrote to memory of 1032 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 33 PID 1548 wrote to memory of 1032 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 33 PID 1548 wrote to memory of 1032 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 33 PID 1548 wrote to memory of 1032 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 33 PID 1840 wrote to memory of 1568 1840 cmd.exe 34 PID 1840 wrote to memory of 1568 1840 cmd.exe 34 PID 1840 wrote to memory of 1568 1840 cmd.exe 34 PID 1840 wrote to memory of 1568 1840 cmd.exe 34 PID 1548 wrote to memory of 380 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 36 PID 1548 wrote to memory of 380 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 36 PID 1548 wrote to memory of 380 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 36 PID 1548 wrote to memory of 380 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 36 PID 1548 wrote to memory of 2032 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 38 PID 1548 wrote to memory of 2032 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 38 PID 1548 wrote to memory of 2032 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 38 PID 1548 wrote to memory of 2032 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 38 PID 1548 wrote to memory of 992 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 40 PID 1548 wrote to memory of 992 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 40 PID 1548 wrote to memory of 992 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 40 PID 1548 wrote to memory of 992 1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 40 PID 380 wrote to memory of 732 380 cmd.exe 42 PID 380 wrote to memory of 732 380 cmd.exe 42 PID 380 wrote to memory of 732 380 cmd.exe 42 PID 380 wrote to memory of 732 380 cmd.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1568
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵PID:1308
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵PID:1032
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:732
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵PID:2032
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵PID:992
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1c41⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136