Resubmissions
09-10-2022 16:47
221009-vatn5shdfj 1003-10-2022 04:16
221003-evv5pshaen 1030-09-2022 08:08
220930-j1j2vadghr 10Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
09-10-2022 16:47
Behavioral task
behavioral1
Sample
1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
Resource
win10v2004-20220901-en
General
-
Target
1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe
-
Size
200KB
-
MD5
7372c9a138bb854972452263abab1dc5
-
SHA1
ad247b2428fac6d07bdd9628cddaa18004840e6c
-
SHA256
1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77
-
SHA512
3c882b3514c6314ebde04d35748464d4aba3eceb567c1b7ee87f4cf565cf192af3195d21151ef024b2fd19f151beb449fbd28105354a71764b46dbfba5fc1184
-
SSDEEP
3072:dbOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YvrCtMNX/eTvpdXfabI5F8lbj4:lOsZiKRJWWYj7eTxdH5qlGuqJH
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification \??\c:\users\admin\pictures\CopyCompare.tiff 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe -
Drops startup file 1 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\how_to_decrypt.hta 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 29 IoCs
description ioc Process File opened for modification \??\c:\users\public\music\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\contacts\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\documents\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\public\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\downloads\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\favorites\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\desktop\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\$recycle.bin\s-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\3d objects\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\public\pictures\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\music\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\public\documents\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\pictures\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\pictures\saved pictures\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\public\videos\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\pictures\camera roll\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\public\accountpictures\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\public\desktop\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\public\downloads\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\onedrive\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\searches\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\videos\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\saved games\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\public\libraries\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\favorites\links\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe File opened for modification \??\c:\users\admin\links\desktop.ini 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3496 WMIC.exe Token: SeSecurityPrivilege 3496 WMIC.exe Token: SeTakeOwnershipPrivilege 3496 WMIC.exe Token: SeLoadDriverPrivilege 3496 WMIC.exe Token: SeSystemProfilePrivilege 3496 WMIC.exe Token: SeSystemtimePrivilege 3496 WMIC.exe Token: SeProfSingleProcessPrivilege 3496 WMIC.exe Token: SeIncBasePriorityPrivilege 3496 WMIC.exe Token: SeCreatePagefilePrivilege 3496 WMIC.exe Token: SeBackupPrivilege 3496 WMIC.exe Token: SeRestorePrivilege 3496 WMIC.exe Token: SeShutdownPrivilege 3496 WMIC.exe Token: SeDebugPrivilege 3496 WMIC.exe Token: SeSystemEnvironmentPrivilege 3496 WMIC.exe Token: SeRemoteShutdownPrivilege 3496 WMIC.exe Token: SeUndockPrivilege 3496 WMIC.exe Token: SeManageVolumePrivilege 3496 WMIC.exe Token: 33 3496 WMIC.exe Token: 34 3496 WMIC.exe Token: 35 3496 WMIC.exe Token: 36 3496 WMIC.exe Token: SeIncreaseQuotaPrivilege 3496 WMIC.exe Token: SeSecurityPrivilege 3496 WMIC.exe Token: SeTakeOwnershipPrivilege 3496 WMIC.exe Token: SeLoadDriverPrivilege 3496 WMIC.exe Token: SeSystemProfilePrivilege 3496 WMIC.exe Token: SeSystemtimePrivilege 3496 WMIC.exe Token: SeProfSingleProcessPrivilege 3496 WMIC.exe Token: SeIncBasePriorityPrivilege 3496 WMIC.exe Token: SeCreatePagefilePrivilege 3496 WMIC.exe Token: SeBackupPrivilege 3496 WMIC.exe Token: SeRestorePrivilege 3496 WMIC.exe Token: SeShutdownPrivilege 3496 WMIC.exe Token: SeDebugPrivilege 3496 WMIC.exe Token: SeSystemEnvironmentPrivilege 3496 WMIC.exe Token: SeRemoteShutdownPrivilege 3496 WMIC.exe Token: SeUndockPrivilege 3496 WMIC.exe Token: SeManageVolumePrivilege 3496 WMIC.exe Token: 33 3496 WMIC.exe Token: 34 3496 WMIC.exe Token: 35 3496 WMIC.exe Token: 36 3496 WMIC.exe Token: SeBackupPrivilege 4308 vssvc.exe Token: SeRestorePrivilege 4308 vssvc.exe Token: SeAuditPrivilege 4308 vssvc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe 8936 mshta.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1052 wrote to memory of 3608 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 85 PID 1052 wrote to memory of 3608 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 85 PID 1052 wrote to memory of 3608 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 85 PID 1052 wrote to memory of 2376 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 87 PID 1052 wrote to memory of 2376 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 87 PID 1052 wrote to memory of 2376 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 87 PID 1052 wrote to memory of 4632 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 89 PID 1052 wrote to memory of 4632 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 89 PID 1052 wrote to memory of 4632 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 89 PID 1052 wrote to memory of 3540 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 91 PID 1052 wrote to memory of 3540 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 91 PID 1052 wrote to memory of 3540 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 91 PID 1052 wrote to memory of 4160 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 93 PID 1052 wrote to memory of 4160 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 93 PID 1052 wrote to memory of 4160 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 93 PID 1052 wrote to memory of 3432 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 95 PID 1052 wrote to memory of 3432 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 95 PID 1052 wrote to memory of 3432 1052 1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe 95 PID 3540 wrote to memory of 3496 3540 cmd.exe 97 PID 3540 wrote to memory of 3496 3540 cmd.exe 97 PID 3540 wrote to memory of 3496 3540 cmd.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"C:\Users\Admin\AppData\Local\Temp\1e8bafd699de6d5987cfb2fdc138ae15422d8377614107348b905dd0f1bf7d77.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵PID:3608
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵PID:2376
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵PID:4632
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵PID:4160
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵PID:3432
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4104
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\how_to_decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Suspicious use of FindShellTrayWindow
PID:8936
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
935B
MD581e668c5ebaf2e43805a6e5b868cfe07
SHA1e9b2befbea440df40ba09212a2e9a26dcb185b2a
SHA256fba9d8512c3210858e33191fe1da3b6d39d33be4ceb69ed500350214da111a3a
SHA512bfb37b3f4eeb1d295a12c1ff962ec28c5d9ef894ddc0c9f8e12efdd54eb7b786508f47037e151b126f87c845d52471ba672a5a3fc4bc4e98b25f6f6d2878cfa9
-
Filesize
935B
MD513409c6683976f6c32b5f9f0e61e5d78
SHA1b8e3a35289f5fe612f64553e7236830ede083e76
SHA256b1855c0ae029174838bd0f74cb686ca09e72cdfb83046873a244b7f331d72ed0
SHA512e6826b55f8a35867e0b3c7bcc80e3b122912d94d524f93970802575e3174921c76209a83da51f0fc2a03066e1c115dbf002294fd129eba1e850425576173f875
-
Filesize
5KB
MD5b2f40fed23a467dbc77444c95ee1c201
SHA12357c995006321221e972f8f45d825928e189992
SHA256db756eb4feaa4cfd13573dc5078a9d32a7dcb661dd93f1dcdd7b5c6bb8d7590d
SHA512517a5406a5a05b539d2eb73d679e843b612f3286eedeb2c3c23471499830ef99414f01f237044047c8ba100bc4096934c9549c46a5156a0cbab1064aa7605541