8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
Size

42KB
MD5

4a542b3b4d9160019cc5a76a881f787f
SHA1

87137f376a99baea1931fed024b76fc871590840
SHA256

8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661
SHA512

2b20847fc0fa830c3190b9084cd43fe36cae279b0e4e06760b50e16714fbaef2a4eb9634f30acad96781266a7bba74f7190d93812e3a129a0ff04d14704e68e1
SSDEEP

768:oO1oR/rVS1RzK4wbs+D/SIJX+ZZ1SQQwZuI6PzDf4rOcWNJLoYg:o5S1FKnDtkuIyjNJ8

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1604	wbadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File created	C:\Program Files\7-Zip\Lang\+README-WARNING+.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1780	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1048	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	1764	vssvc.exe
Token: SeRestorePrivilege	1764	vssvc.exe
Token: SeAuditPrivilege	1764	vssvc.exe
Token: SeBackupPrivilege	764	wbengine.exe
Token: SeRestorePrivilege	764	wbengine.exe
Token: SeSecurityPrivilege	764	wbengine.exe
Token: SeIncreaseQuotaPrivilege	992	WMIC.exe
Token: SeSecurityPrivilege	992	WMIC.exe
Token: SeTakeOwnershipPrivilege	992	WMIC.exe
Token: SeLoadDriverPrivilege	992	WMIC.exe
Token: SeSystemProfilePrivilege	992	WMIC.exe
Token: SeSystemtimePrivilege	992	WMIC.exe
Token: SeProfSingleProcessPrivilege	992	WMIC.exe
Token: SeIncBasePriorityPrivilege	992	WMIC.exe
Token: SeCreatePagefilePrivilege	992	WMIC.exe
Token: SeBackupPrivilege	992	WMIC.exe
Token: SeRestorePrivilege	992	WMIC.exe
Token: SeShutdownPrivilege	992	WMIC.exe
Token: SeDebugPrivilege	992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	992	WMIC.exe
Token: SeRemoteShutdownPrivilege	992	WMIC.exe
Token: SeUndockPrivilege	992	WMIC.exe
Token: SeManageVolumePrivilege	992	WMIC.exe
Token: 33	992	WMIC.exe
Token: 34	992	WMIC.exe
Token: 35	992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	992	WMIC.exe
Token: SeSecurityPrivilege	992	WMIC.exe
Token: SeTakeOwnershipPrivilege	992	WMIC.exe
Token: SeLoadDriverPrivilege	992	WMIC.exe
Token: SeSystemProfilePrivilege	992	WMIC.exe
Token: SeSystemtimePrivilege	992	WMIC.exe
Token: SeProfSingleProcessPrivilege	992	WMIC.exe
Token: SeIncBasePriorityPrivilege	992	WMIC.exe
Token: SeCreatePagefilePrivilege	992	WMIC.exe
Token: SeBackupPrivilege	992	WMIC.exe
Token: SeRestorePrivilege	992	WMIC.exe
Token: SeShutdownPrivilege	992	WMIC.exe
Token: SeDebugPrivilege	992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	992	WMIC.exe
Token: SeRemoteShutdownPrivilege	992	WMIC.exe
Token: SeUndockPrivilege	992	WMIC.exe
Token: SeManageVolumePrivilege	992	WMIC.exe
Token: 33	992	WMIC.exe
Token: 34	992	WMIC.exe
Token: 35	992	WMIC.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1756	1048	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe	28
PID 1048 wrote to memory of 1756	1048	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe	28
PID 1048 wrote to memory of 1756	1048	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe	28
PID 1048 wrote to memory of 1756	1048	8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe	28
PID 1756 wrote to memory of 1780	1756	cmd.exe	30
PID 1756 wrote to memory of 1780	1756	cmd.exe	30
PID 1756 wrote to memory of 1780	1756	cmd.exe	30
PID 1756 wrote to memory of 1604	1756	cmd.exe	33
PID 1756 wrote to memory of 1604	1756	cmd.exe	33
PID 1756 wrote to memory of 1604	1756	cmd.exe	33
PID 1756 wrote to memory of 992	1756	cmd.exe	37
PID 1756 wrote to memory of 992	1756	cmd.exe	37
PID 1756 wrote to memory of 992	1756	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
"C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe
  "C:\Users\Admin\AppData\Local\Temp\8d2c9a58915d4889b93a09df0917a774309a3976cb555a8a850530433d714661.exe" n1048
  2⤵
  PID:1996
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1780
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:1604
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1724

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1636

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1604-59-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download