Resubmissions

09-10-2022 16:47

221009-vatn5shdfj 10

03-10-2022 04:16

221003-evv5pshaen 10

30-09-2022 08:08

220930-j1j2vadghr 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2022 16:47

General

  • Target

    1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe

  • Size

    200KB

  • MD5

    7372c9a138bb854972452263abab1dc5

  • SHA1

    ad247b2428fac6d07bdd9628cddaa18004840e6c

  • SHA256

    1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77

  • SHA512

    3c882b3514c6314ebde04d35748464d4aba3eceb567c1b7ee87f4cf565cf192af3195d21151ef024b2fd19f151beb449fbd28105354a71764b46dbfba5fc1184

  • SSDEEP

    3072:dbOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YvrCtMNX/eTvpdXfabI5F8lbj4:lOsZiKRJWWYj7eTxdH5qlGuqJH

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
    "C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      2⤵
        PID:3608
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
        2⤵
          PID:2376
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
          2⤵
            PID:4632
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3540
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic SHADOWCOPY DELETE
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3496
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
            2⤵
              PID:4160
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
              2⤵
                PID:3432
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4308
            • C:\Windows\System32\rundll32.exe
              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              1⤵
                PID:4104
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\how_to_decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                1⤵
                • Suspicious use of FindShellTrayWindow
                PID:8936

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini

                Filesize

                935B

                MD5

                81e668c5ebaf2e43805a6e5b868cfe07

                SHA1

                e9b2befbea440df40ba09212a2e9a26dcb185b2a

                SHA256

                fba9d8512c3210858e33191fe1da3b6d39d33be4ceb69ed500350214da111a3a

                SHA512

                bfb37b3f4eeb1d295a12c1ff962ec28c5d9ef894ddc0c9f8e12efdd54eb7b786508f47037e151b126f87c845d52471ba672a5a3fc4bc4e98b25f6f6d2878cfa9

              • C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini

                Filesize

                935B

                MD5

                13409c6683976f6c32b5f9f0e61e5d78

                SHA1

                b8e3a35289f5fe612f64553e7236830ede083e76

                SHA256

                b1855c0ae029174838bd0f74cb686ca09e72cdfb83046873a244b7f331d72ed0

                SHA512

                e6826b55f8a35867e0b3c7bcc80e3b122912d94d524f93970802575e3174921c76209a83da51f0fc2a03066e1c115dbf002294fd129eba1e850425576173f875

              • C:\Users\Admin\Desktop\how_to_decrypt.hta

                Filesize

                5KB

                MD5

                b2f40fed23a467dbc77444c95ee1c201

                SHA1

                2357c995006321221e972f8f45d825928e189992

                SHA256

                db756eb4feaa4cfd13573dc5078a9d32a7dcb661dd93f1dcdd7b5c6bb8d7590d

                SHA512

                517a5406a5a05b539d2eb73d679e843b612f3286eedeb2c3c23471499830ef99414f01f237044047c8ba100bc4096934c9549c46a5156a0cbab1064aa7605541