Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2022 15:20

General

  • Target

    6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe

  • Size

    492KB

  • MD5

    dbd11e3affbd1133b53c56d8fe202aa1

  • SHA1

    eeb49894bb2646305e3fbc79c34dd518bc0f89ba

  • SHA256

    6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc

  • SHA512

    91d0417f9e212344b622917e4aacc275a83426d9a3e436e2dd3dc8d5299494226eb88e6a7b9b6389caa24706531db628e8e1bd3f905ccd938fa16d9002fb40a8

  • SSDEEP

    12288:afG0XhhRpfWThnjhrHI2OmeIMcX5n0h2++:XAFpWVNYqJnr

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe
    "C:\Users\Admin\AppData\Local\Temp\6958f81a06790d8d417b9b1b921fdc96a75d34efa832364e9827badcad276ebc.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      2⤵
        PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
        2⤵
          PID:2596
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
          2⤵
            PID:4184
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:5032
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic SHADOWCOPY DELETE
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:224
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
            2⤵
              PID:1964
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
              2⤵
                PID:2500
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3828

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads