Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
18-10-2022 15:20
Behavioral task
behavioral1
Sample
6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
Resource
win10v2004-20220812-en
General
-
Target
6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
-
Size
492KB
-
MD5
dbd11e3affbd1133b53c56d8fe202aa1
-
SHA1
eeb49894bb2646305e3fbc79c34dd518bc0f89ba
-
SHA256
6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc
-
SHA512
91d0417f9e212344b622917e4aacc275a83426d9a3e436e2dd3dc8d5299494226eb88e6a7b9b6389caa24706531db628e8e1bd3f905ccd938fa16d9002fb40a8
-
SSDEEP
12288:afG0XhhRpfWThnjhrHI2OmeIMcX5n0h2++:XAFpWVNYqJnr
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification \??\c:\users\admin\pictures\BlockConvertFrom.tiff 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe File opened for modification \??\c:\users\admin\pictures\FormatMount.tiff 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe -
Drops startup file 1 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\how_to_decrypt.hta 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 224 WMIC.exe Token: SeSecurityPrivilege 224 WMIC.exe Token: SeTakeOwnershipPrivilege 224 WMIC.exe Token: SeLoadDriverPrivilege 224 WMIC.exe Token: SeSystemProfilePrivilege 224 WMIC.exe Token: SeSystemtimePrivilege 224 WMIC.exe Token: SeProfSingleProcessPrivilege 224 WMIC.exe Token: SeIncBasePriorityPrivilege 224 WMIC.exe Token: SeCreatePagefilePrivilege 224 WMIC.exe Token: SeBackupPrivilege 224 WMIC.exe Token: SeRestorePrivilege 224 WMIC.exe Token: SeShutdownPrivilege 224 WMIC.exe Token: SeDebugPrivilege 224 WMIC.exe Token: SeSystemEnvironmentPrivilege 224 WMIC.exe Token: SeRemoteShutdownPrivilege 224 WMIC.exe Token: SeUndockPrivilege 224 WMIC.exe Token: SeManageVolumePrivilege 224 WMIC.exe Token: 33 224 WMIC.exe Token: 34 224 WMIC.exe Token: 35 224 WMIC.exe Token: 36 224 WMIC.exe Token: SeIncreaseQuotaPrivilege 224 WMIC.exe Token: SeSecurityPrivilege 224 WMIC.exe Token: SeTakeOwnershipPrivilege 224 WMIC.exe Token: SeLoadDriverPrivilege 224 WMIC.exe Token: SeSystemProfilePrivilege 224 WMIC.exe Token: SeSystemtimePrivilege 224 WMIC.exe Token: SeProfSingleProcessPrivilege 224 WMIC.exe Token: SeIncBasePriorityPrivilege 224 WMIC.exe Token: SeCreatePagefilePrivilege 224 WMIC.exe Token: SeBackupPrivilege 224 WMIC.exe Token: SeRestorePrivilege 224 WMIC.exe Token: SeShutdownPrivilege 224 WMIC.exe Token: SeDebugPrivilege 224 WMIC.exe Token: SeSystemEnvironmentPrivilege 224 WMIC.exe Token: SeRemoteShutdownPrivilege 224 WMIC.exe Token: SeUndockPrivilege 224 WMIC.exe Token: SeManageVolumePrivilege 224 WMIC.exe Token: 33 224 WMIC.exe Token: 34 224 WMIC.exe Token: 35 224 WMIC.exe Token: 36 224 WMIC.exe Token: SeBackupPrivilege 3828 vssvc.exe Token: SeRestorePrivilege 3828 vssvc.exe Token: SeAuditPrivilege 3828 vssvc.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 4860 wrote to memory of 2976 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 85 PID 4860 wrote to memory of 2976 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 85 PID 4860 wrote to memory of 2976 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 85 PID 4860 wrote to memory of 2596 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 87 PID 4860 wrote to memory of 2596 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 87 PID 4860 wrote to memory of 2596 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 87 PID 4860 wrote to memory of 4184 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 89 PID 4860 wrote to memory of 4184 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 89 PID 4860 wrote to memory of 4184 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 89 PID 4860 wrote to memory of 5032 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 91 PID 4860 wrote to memory of 5032 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 91 PID 4860 wrote to memory of 5032 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 91 PID 4860 wrote to memory of 1964 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 92 PID 4860 wrote to memory of 1964 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 92 PID 4860 wrote to memory of 1964 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 92 PID 4860 wrote to memory of 2500 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 94 PID 4860 wrote to memory of 2500 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 94 PID 4860 wrote to memory of 2500 4860 6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe 94 PID 5032 wrote to memory of 224 5032 cmd.exe 97 PID 5032 wrote to memory of 224 5032 cmd.exe 97 PID 5032 wrote to memory of 224 5032 cmd.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe"C:\Users\Admin\AppData\Local\Temp\6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵PID:2976
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵PID:2596
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵PID:4184
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
PID:224
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵PID:1964
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵PID:2500
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3828