1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77

General

Target

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
Size

200KB
MD5

7372c9a138bb854972452263abab1dc5
SHA1

ad247b2428fac6d07bdd9628cddaa18004840e6c
SHA256

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77
SHA512

3c882b3514c6314ebde04d35748464d4aba3eceb567c1b7ee87f4cf565cf192af3195d21151ef024b2fd19f151beb449fbd28105354a71764b46dbfba5fc1184
SSDEEP

3072:dbOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YvrCtMNX/eTvpdXfabI5F8lbj4:lOsZiKRJWWYj7eTxdH5qlGuqJH

Score

9^/10

discovery ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1568 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

pid process

1548 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

pid	process
1568	vssadmin.exe

pid	process
1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

AUDIODG.EXEWMIC.exevssvc.exe

description	pid	process
Token: 33	1200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1200	AUDIODG.EXE
Token: 33	1200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1200	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	732	WMIC.exe
Token: SeSecurityPrivilege	732	WMIC.exe
Token: SeTakeOwnershipPrivilege	732	WMIC.exe
Token: SeLoadDriverPrivilege	732	WMIC.exe
Token: SeSystemProfilePrivilege	732	WMIC.exe
Token: SeSystemtimePrivilege	732	WMIC.exe
Token: SeProfSingleProcessPrivilege	732	WMIC.exe
Token: SeIncBasePriorityPrivilege	732	WMIC.exe
Token: SeCreatePagefilePrivilege	732	WMIC.exe
Token: SeBackupPrivilege	732	WMIC.exe
Token: SeRestorePrivilege	732	WMIC.exe
Token: SeShutdownPrivilege	732	WMIC.exe
Token: SeDebugPrivilege	732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	732	WMIC.exe
Token: SeRemoteShutdownPrivilege	732	WMIC.exe
Token: SeUndockPrivilege	732	WMIC.exe
Token: SeManageVolumePrivilege	732	WMIC.exe
Token: 33	732	WMIC.exe
Token: 34	732	WMIC.exe
Token: 35	732	WMIC.exe
Token: SeBackupPrivilege	1136	vssvc.exe
Token: SeRestorePrivilege	1136	vssvc.exe
Token: SeAuditPrivilege	1136	vssvc.exe
Token: SeIncreaseQuotaPrivilege	732	WMIC.exe
Token: SeSecurityPrivilege	732	WMIC.exe
Token: SeTakeOwnershipPrivilege	732	WMIC.exe
Token: SeLoadDriverPrivilege	732	WMIC.exe
Token: SeSystemProfilePrivilege	732	WMIC.exe
Token: SeSystemtimePrivilege	732	WMIC.exe
Token: SeProfSingleProcessPrivilege	732	WMIC.exe
Token: SeIncBasePriorityPrivilege	732	WMIC.exe
Token: SeCreatePagefilePrivilege	732	WMIC.exe
Token: SeBackupPrivilege	732	WMIC.exe
Token: SeRestorePrivilege	732	WMIC.exe
Token: SeShutdownPrivilege	732	WMIC.exe
Token: SeDebugPrivilege	732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	732	WMIC.exe
Token: SeRemoteShutdownPrivilege	732	WMIC.exe
Token: SeUndockPrivilege	732	WMIC.exe
Token: SeManageVolumePrivilege	732	WMIC.exe
Token: 33	732	WMIC.exe
Token: 34	732	WMIC.exe
Token: 35	732	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.execmd.execmd.exe

description	pid	process	target process
PID 1548 wrote to memory of 1840	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1840	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1840	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1840	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1308	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1308	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1308	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1308	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1032	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1032	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1032	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 1032	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1840 wrote to memory of 1568	1840	cmd.exe	vssadmin.exe
PID 1840 wrote to memory of 1568	1840	cmd.exe	vssadmin.exe
PID 1840 wrote to memory of 1568	1840	cmd.exe	vssadmin.exe
PID 1840 wrote to memory of 1568	1840	cmd.exe	vssadmin.exe
PID 1548 wrote to memory of 380	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 380	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 380	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 380	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 2032	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 2032	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 2032	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 2032	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 992	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 992	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 992	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 1548 wrote to memory of 992	1548	1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe	cmd.exe
PID 380 wrote to memory of 732	380	cmd.exe	WMIC.exe
PID 380 wrote to memory of 732	380	cmd.exe	WMIC.exe
PID 380 wrote to memory of 732	380	cmd.exe	WMIC.exe
PID 380 wrote to memory of 732	380	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
"C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
  2⤵
  PID:1308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
  2⤵
  PID:1032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
  2⤵
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  2⤵
  PID:992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-59-0x0000000000000000-mapping.dmp

Download
memory/732-62-0x0000000000000000-mapping.dmp

Download
memory/992-61-0x0000000000000000-mapping.dmp

Download
memory/1032-57-0x0000000000000000-mapping.dmp

Download
memory/1308-56-0x0000000000000000-mapping.dmp

Download
memory/1548-54-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1568-58-0x0000000000000000-mapping.dmp

Download
memory/1840-55-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing