Overview

overview

10

Static

static

10

5235da476c...af.exe

windows7-x64

6

5235da476c...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe

  • Size

    30KB

  • MD5

    e4c10fca8733b5e03025c3ebd265a9ae

  • SHA1

    68a5abe32d67b337b0398a39960ce2f54ea29441

  • SHA256

    5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af

  • SHA512

    f1950d0474bba8e053996a1b7c43fac44d738ad3321f6b37dbd4c333b3b8c560625e2efe44a4f72d359fedb87973c10b487bc9b7f4572e51218989f7e07b41ac

  • SSDEEP

    768:VpuBNtX5EUX7WuP3yCwYJ1wl+o9UGgis0YE6DAeYBzxuv:gDvyoMlpdiJAe8zW

Score
10/10
evasionpersistenceransomware

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
    "C:\Users\Admin\AppData\Local\Temp\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Users\Admin\AppData\Local\Temp\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
      "C:\Users\Admin\AppData\Local\Temp\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe" n5064
      2⤵
        PID:4480
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4328
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3624
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1956
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:4524
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1676
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2712
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3124
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:308
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:532
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:4612

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Command-Line Interface

      1
      T1059

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      File Deletion

      3
      T1107

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini
        Filesize

        356B

        MD5

        b38638f39482bc1e779875712889b16a

        SHA1

        725725e689ae56cd2718abb500f1c9175ef99a3d

        SHA256

        74b53e9ff2a475874905c839da96655068e858140974dfb8b8c1651a6a69b32e

        SHA512

        cc94560747755adf18b20a575a829af78f0c66c5b1f81924a44b668c848791f87492ea5222fa766f1fcec4bce3db6ecba04809d5cd1b192e05b6adc6df0da3f0

        Download Submit
      • memory/1676-137-0x0000000000000000-mapping.dmp
        Download
      • memory/1956-135-0x0000000000000000-mapping.dmp
        Download
      • memory/2712-138-0x0000000000000000-mapping.dmp
        Download
      • memory/3624-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4328-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4480-132-0x0000000000000000-mapping.dmp
        Download
      • memory/4524-136-0x0000000000000000-mapping.dmp
        Download