6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc

General

Target

6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
Size

492KB
MD5

dbd11e3affbd1133b53c56d8fe202aa1
SHA1

eeb49894bb2646305e3fbc79c34dd518bc0f89ba
SHA256

6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc
SHA512

91d0417f9e212344b622917e4aacc275a83426d9a3e436e2dd3dc8d5299494226eb88e6a7b9b6389caa24706531db628e8e1bd3f905ccd938fa16d9002fb40a8
SSDEEP

12288:afG0XhhRpfWThnjhrHI2OmeIMcX5n0h2++:XAFpWVNYqJnr

Score

9^/10

discovery ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

628 vssadmin.exe

pid	process
628	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe

pid	process
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1696	vssvc.exe
Token: SeRestorePrivilege	1696	vssvc.exe
Token: SeAuditPrivilege	1696	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1556	WMIC.exe
Token: SeSecurityPrivilege	1556	WMIC.exe
Token: SeTakeOwnershipPrivilege	1556	WMIC.exe
Token: SeLoadDriverPrivilege	1556	WMIC.exe
Token: SeSystemProfilePrivilege	1556	WMIC.exe
Token: SeSystemtimePrivilege	1556	WMIC.exe
Token: SeProfSingleProcessPrivilege	1556	WMIC.exe
Token: SeIncBasePriorityPrivilege	1556	WMIC.exe
Token: SeCreatePagefilePrivilege	1556	WMIC.exe
Token: SeBackupPrivilege	1556	WMIC.exe
Token: SeRestorePrivilege	1556	WMIC.exe
Token: SeShutdownPrivilege	1556	WMIC.exe
Token: SeDebugPrivilege	1556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1556	WMIC.exe
Token: SeRemoteShutdownPrivilege	1556	WMIC.exe
Token: SeUndockPrivilege	1556	WMIC.exe
Token: SeManageVolumePrivilege	1556	WMIC.exe
Token: 33	1556	WMIC.exe
Token: 34	1556	WMIC.exe
Token: 35	1556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1556	WMIC.exe
Token: SeSecurityPrivilege	1556	WMIC.exe
Token: SeTakeOwnershipPrivilege	1556	WMIC.exe
Token: SeLoadDriverPrivilege	1556	WMIC.exe
Token: SeSystemProfilePrivilege	1556	WMIC.exe
Token: SeSystemtimePrivilege	1556	WMIC.exe
Token: SeProfSingleProcessPrivilege	1556	WMIC.exe
Token: SeIncBasePriorityPrivilege	1556	WMIC.exe
Token: SeCreatePagefilePrivilege	1556	WMIC.exe
Token: SeBackupPrivilege	1556	WMIC.exe
Token: SeRestorePrivilege	1556	WMIC.exe
Token: SeShutdownPrivilege	1556	WMIC.exe
Token: SeDebugPrivilege	1556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1556	WMIC.exe
Token: SeRemoteShutdownPrivilege	1556	WMIC.exe
Token: SeUndockPrivilege	1556	WMIC.exe
Token: SeManageVolumePrivilege	1556	WMIC.exe
Token: 33	1556	WMIC.exe
Token: 34	1556	WMIC.exe
Token: 35	1556	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.execmd.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 1216	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1216	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1216	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1216	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1532	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1532	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1532	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1532	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1216 wrote to memory of 628	1216	cmd.exe	vssadmin.exe
PID 1216 wrote to memory of 628	1216	cmd.exe	vssadmin.exe
PID 1216 wrote to memory of 628	1216	cmd.exe	vssadmin.exe
PID 1216 wrote to memory of 628	1216	cmd.exe	vssadmin.exe
PID 1468 wrote to memory of 884	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 884	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 884	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 884	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1652	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1652	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1652	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1652	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1036	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1036	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1036	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 1036	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 872	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 872	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 872	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1468 wrote to memory of 872	1468	6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe	cmd.exe
PID 1652 wrote to memory of 1556	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1556	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1556	1652	cmd.exe	WMIC.exe
PID 1652 wrote to memory of 1556	1652	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
"C:\Users\Admin\AppData\Local\Temp\6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
  2⤵
  PID:1532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
  2⤵
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  2⤵
  PID:872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-57-0x0000000000000000-mapping.dmp

Download
memory/872-61-0x0000000000000000-mapping.dmp

Download
memory/884-58-0x0000000000000000-mapping.dmp

Download
memory/1036-60-0x0000000000000000-mapping.dmp

Download
memory/1216-55-0x0000000000000000-mapping.dmp

Download
memory/1468-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1532-56-0x0000000000000000-mapping.dmp

Download
memory/1556-62-0x0000000000000000-mapping.dmp

Download
memory/1652-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads