e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766

General

Target

e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
Size

32KB
MD5

d513beb2bac27c307c3ac5a5a501dc66
SHA1

34adc018f611f65572dafed37518418832aad994
SHA256

e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766
SHA512

f09569379f22c24cc5d7e169404b85fd01ba93573098c729c84db89900982901c1f88c2cb29a9986490ba72487e3f0f917279672ee18354165fbb9d535c7cf5b
SSDEEP

768:C2gQ2nGtvZmI1yK0gEBYsuii6bEarouRwe2oTyoGETDA7vyWD2IpdN:qQh+I14gbm8uR1LAjdfrN

Score

10^/10

evasion persistence ransomware

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3428 created 4584 3428 svchost.exe e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2372 bcdedit.exe
4820 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4180 wbadmin.exe

description	pid	process	target process
PID 3428 created 4584	3428	svchost.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe

pid	process
2372	bcdedit.exe
4820	bcdedit.exe

pid	process
4180	wbadmin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe\""	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3964	4584	WerFault.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
3992	4584	WerFault.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4984 vssadmin.exe

pid	process
4984	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

svchost.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeTcbPrivilege	3428	svchost.exe
Token: SeTcbPrivilege	3428	svchost.exe
Token: SeBackupPrivilege	4872	vssvc.exe
Token: SeRestorePrivilege	4872	vssvc.exe
Token: SeAuditPrivilege	4872	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4520	WMIC.exe
Token: SeSecurityPrivilege	4520	WMIC.exe
Token: SeTakeOwnershipPrivilege	4520	WMIC.exe
Token: SeLoadDriverPrivilege	4520	WMIC.exe
Token: SeSystemProfilePrivilege	4520	WMIC.exe
Token: SeSystemtimePrivilege	4520	WMIC.exe
Token: SeProfSingleProcessPrivilege	4520	WMIC.exe
Token: SeIncBasePriorityPrivilege	4520	WMIC.exe
Token: SeCreatePagefilePrivilege	4520	WMIC.exe
Token: SeBackupPrivilege	4520	WMIC.exe
Token: SeRestorePrivilege	4520	WMIC.exe
Token: SeShutdownPrivilege	4520	WMIC.exe
Token: SeDebugPrivilege	4520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4520	WMIC.exe
Token: SeRemoteShutdownPrivilege	4520	WMIC.exe
Token: SeUndockPrivilege	4520	WMIC.exe
Token: SeManageVolumePrivilege	4520	WMIC.exe
Token: 33	4520	WMIC.exe
Token: 34	4520	WMIC.exe
Token: 35	4520	WMIC.exe
Token: 36	4520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4520	WMIC.exe
Token: SeSecurityPrivilege	4520	WMIC.exe
Token: SeTakeOwnershipPrivilege	4520	WMIC.exe
Token: SeLoadDriverPrivilege	4520	WMIC.exe
Token: SeSystemProfilePrivilege	4520	WMIC.exe
Token: SeSystemtimePrivilege	4520	WMIC.exe
Token: SeProfSingleProcessPrivilege	4520	WMIC.exe
Token: SeIncBasePriorityPrivilege	4520	WMIC.exe
Token: SeCreatePagefilePrivilege	4520	WMIC.exe
Token: SeBackupPrivilege	4520	WMIC.exe
Token: SeRestorePrivilege	4520	WMIC.exe
Token: SeShutdownPrivilege	4520	WMIC.exe
Token: SeDebugPrivilege	4520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4520	WMIC.exe
Token: SeRemoteShutdownPrivilege	4520	WMIC.exe
Token: SeUndockPrivilege	4520	WMIC.exe
Token: SeManageVolumePrivilege	4520	WMIC.exe
Token: 33	4520	WMIC.exe
Token: 34	4520	WMIC.exe
Token: 35	4520	WMIC.exe
Token: 36	4520	WMIC.exe
Token: SeBackupPrivilege	3244	wbengine.exe
Token: SeRestorePrivilege	3244	wbengine.exe
Token: SeSecurityPrivilege	3244	wbengine.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

svchost.exee40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.execmd.exe

description	pid	process	target process
PID 3428 wrote to memory of 1768	3428	svchost.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
PID 3428 wrote to memory of 1768	3428	svchost.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
PID 3428 wrote to memory of 1768	3428	svchost.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
PID 3428 wrote to memory of 1768	3428	svchost.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
PID 3428 wrote to memory of 1768	3428	svchost.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
PID 3428 wrote to memory of 1768	3428	svchost.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
PID 3428 wrote to memory of 1768	3428	svchost.exe	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
PID 4584 wrote to memory of 2148	4584	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe	cmd.exe
PID 4584 wrote to memory of 2148	4584	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe	cmd.exe
PID 2148 wrote to memory of 4984	2148	cmd.exe	vssadmin.exe
PID 2148 wrote to memory of 4984	2148	cmd.exe	vssadmin.exe
PID 2148 wrote to memory of 4520	2148	cmd.exe	WMIC.exe
PID 2148 wrote to memory of 4520	2148	cmd.exe	WMIC.exe
PID 2148 wrote to memory of 2372	2148	cmd.exe	bcdedit.exe
PID 2148 wrote to memory of 2372	2148	cmd.exe	bcdedit.exe
PID 2148 wrote to memory of 4820	2148	cmd.exe	bcdedit.exe
PID 2148 wrote to memory of 4820	2148	cmd.exe	bcdedit.exe
PID 2148 wrote to memory of 4180	2148	cmd.exe	wbadmin.exe
PID 2148 wrote to memory of 4180	2148	cmd.exe	wbadmin.exe
PID 4584 wrote to memory of 3992	4584	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe	WerFault.exe
PID 4584 wrote to memory of 3992	4584	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe	WerFault.exe
PID 4584 wrote to memory of 3992	4584	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
"C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
"C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe" n4584
2⤵
PID:1768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4984

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2372

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4820

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 736
2⤵
- Program crash
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 736
2⤵
- Program crash
PID:3992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428