Analysis
- max time kernel: 145s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-11-2022 18:05
Behavioral task: behavioral1
- Sample: e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
- Resource: win10v2004-20220812-en
General
- Target: e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
- Size: 32KB
- MD5: d513beb2bac27c307c3ac5a5a501dc66
- SHA1: 34adc018f611f65572dafed37518418832aad994
- SHA256: e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766
- SHA512: f09569379f22c24cc5d7e169404b85fd01ba93573098c729c84db89900982901c1f88c2cb29a9986490ba72487e3f0f917279672ee18354165fbb9d535c7cf5b
- SSDEEP: 768:C2gQ2nGtvZmI1yK0gEBYsuii6bEarouRwe2oTyoGETDA7vyWD2IpdN:qQh+I14gbm8uR1LAjdfrN
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 3428 created 4584 | 3428 | svchost.exe | e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
    pid | process
    2372 | bcdedit.exe
    4820 | bcdedit.exe
- Deletes backup catalog
  Processes:
    pid | process
    4180 | wbadmin.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe\"" | e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
- Program crash (2 IoCs)
  Processes:
    pid | pid_target | process | target process
    3964 | 4584 | WerFault.exe | e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
    3992 | 4584 | WerFault.exe | e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid | process
    4984 | vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes:
    description | pid | process
    Token: SeTcbPrivilege | 3428 | svchost.exe (listed twice)
    Token: SeBackupPrivilege | 4872 | vssvc.exe
    Token: SeRestorePrivilege | 4872 | vssvc.exe
    Token: SeAuditPrivilege | 4872 | vssvc.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 4520 | WMIC.exe (this sequence of 21 token entries is listed twice)
    Token: SeBackupPrivilege | 3244 | wbengine.exe
    Token: SeRestorePrivilege | 3244 | wbengine.exe
    Token: SeSecurityPrivilege | 3244 | wbengine.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (identical rows collapsed; the last column gives how many times each row is listed):
    description | pid | process | target process | occurrences
    PID 3428 wrote to memory of 1768 | 3428 | svchost.exe | e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe | 7
    PID 4584 wrote to memory of 2148 | 4584 | e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe | cmd.exe | 2
    PID 2148 wrote to memory of 4984 | 2148 | cmd.exe | vssadmin.exe | 2
    PID 2148 wrote to memory of 4520 | 2148 | cmd.exe | WMIC.exe | 2
    PID 2148 wrote to memory of 2372 | 2148 | cmd.exe | bcdedit.exe | 2
    PID 2148 wrote to memory of 4820 | 2148 | cmd.exe | bcdedit.exe | 2
    PID 2148 wrote to memory of 4180 | 2148 | cmd.exe | wbadmin.exe | 2
    PID 4584 wrote to memory of 3992 | 4584 | e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe | WerFault.exe | 3
Processes (indented by nesting depth as shown in the sandbox process tree)
- C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe" n4584
  - C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      signatures: Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} recoveryenabled no
      signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe
      command line: wbadmin delete catalog -quiet
      signatures: Deletes backup catalog
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 736
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 736
    signatures: Program crash
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  signatures: Checks SCSI registry key(s)
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4584 -ip 4584
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1768-132-0x0000000000000000-mapping.dmp
- memory/2148-133-0x0000000000000000-mapping.dmp
- memory/2372-136-0x0000000000000000-mapping.dmp
- memory/3992-139-0x0000000000000000-mapping.dmp
- memory/4180-138-0x0000000000000000-mapping.dmp
- memory/4520-135-0x0000000000000000-mapping.dmp
- memory/4820-137-0x0000000000000000-mapping.dmp
- memory/4984-134-0x0000000000000000-mapping.dmp