Overview

overview

10

Static

static

8230596bfd...44.exe

windows7-x64

10

8230596bfd...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/11/2022, 18:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8230596bfd0459c3cf5a52dc31dbb77b6855cb3507314f0ca4a5660b3439d844.exe

  • Size

    460KB

  • MD5

    49010614f2c6847c02cc3f9652fdc038

  • SHA1

    5d566ed39acafaf4cf551b26a79b140739ff734b

  • SHA256

    8230596bfd0459c3cf5a52dc31dbb77b6855cb3507314f0ca4a5660b3439d844

  • SHA512

    167633f1ac4b7a00dc3a8add590c970cf03f8a8ca8b220d2fd11d74566d2d5df4b0927480be3dd8bb10ff230fed8252cfe54e32ecfe35079e4986787e10d96da

  • SSDEEP

    12288:S9RINWZVbR+OeO+OeNhBBhhBBch6F8rm5qrWNruysjM:S9RINWDonoT

Score
10/10
discoverypersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\ENCRYPTED.txt

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. Do you really want to restore your files? You can write us to our mailboxes: [email protected] (in subject line please write your MachineID: 1521878335 and LaunchID: 603f71c2ba) Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 26 IoCs
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8230596bfd0459c3cf5a52dc31dbb77b6855cb3507314f0ca4a5660b3439d844.exe
    "C:\Users\Admin\AppData\Local\Temp\8230596bfd0459c3cf5a52dc31dbb77b6855cb3507314f0ca4a5660b3439d844.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1884
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1020
    • C:\Windows\SysWOW64\net.exe
      net stop VSS & sc config VSS start= disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
        3⤵
          PID:1656
      • C:\Windows\SysWOW64\sc.exe
        sc config VSS start= Demand & net start VSS
        2⤵
        • Launches sc.exe
        PID:984
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY delete /nointeractive
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:636
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:1528
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
        2⤵
        • Interacts with shadow copies
        PID:1916
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
        2⤵
        • Interacts with shadow copies
        PID:1912
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1516
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1148
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:308
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1564
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1928
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:584
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1940
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1644
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1100
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1844
      • C:\Windows\SysWOW64\icacls.exe
        icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
        2⤵
        • Modifies file permissions
        PID:840
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\8230596bfd0459c3cf5a52dc31dbb77b6855cb3507314f0ca4a5660b3439d844.exe" >> NUL
        2⤵
        • Deletes itself
        PID:1564
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:1972
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2016

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/544-79-0x0000000073760000-0x0000000073D0B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/544-78-0x0000000073760000-0x0000000073D0B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/1884-55-0x0000000000D20000-0x0000000000DA0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1884-81-0x0000000000D20000-0x0000000000DA0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1884-72-0x0000000000D20000-0x0000000000DA0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

            Filesize

            8KB

            Download