Overview

overview

10

Static

static

10

b88fe97196...d0.exe

windows7-x64

10

b88fe97196...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2022 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

  • Size

    1.1MB

  • MD5

    ffc6b559c24b8d82afcb5c01bb5619d9

  • SHA1

    8e068e9c486769716d9685f85687b531ab3a88cf

  • SHA256

    b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0

  • SHA512

    48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191

  • SSDEEP

    24576:NyBzKGHF0bxTCFvXwKk/aISpu4Qc6F3v1HT2BzN2tgGS3YzYho1yWEsWbj28Q5m:AV4xTCzu4Qc6/F8S8bzQ

Score
10/10
evasionransomware

Malware Config

Signatures

  • Deletes NTFS Change Journal 2 TTPs 1 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    ransomware
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 6 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
    "C:\Users\Admin\AppData\Local\Temp\b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
      2⤵
        PID:1168
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
        2⤵
          PID:1160
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
          2⤵
            PID:276
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:1384
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:688
            • C:\Windows\system32\vssadmin.exe
              vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
              3⤵
              • Interacts with shadow copies
              PID:1228
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
            2⤵
              PID:520
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled No
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:1164
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
              2⤵
                PID:1724
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                  3⤵
                  • Modifies boot configuration data using bcdedit
                  PID:1160
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:452
                • C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                  3⤵
                  • Interacts with shadow copies
                  PID:1876
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                2⤵
                  PID:1504
                  • C:\Windows\system32\fsutil.exe
                    fsutil.exe usn deletejournal /D C:
                    3⤵
                    • Deletes NTFS Change Journal
                    PID:1608
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
                  2⤵
                    PID:1512
                    • C:\Windows\system32\vssadmin.exe
                      vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
                      3⤵
                      • Interacts with shadow copies
                      PID:1764
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                    2⤵
                      PID:1548
                      • C:\Windows\system32\wbadmin.exe
                        wbadmin.exe delete catalog -quiet
                        3⤵
                        • Deletes backup catalog
                        PID:1920
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
                      2⤵
                        PID:828
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
                          3⤵
                          • Interacts with shadow copies
                          PID:1704
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                        2⤵
                          PID:1524
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                            3⤵
                              PID:1996
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                            2⤵
                              PID:2000
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                              2⤵
                                PID:2016
                                • C:\Windows\system32\vssadmin.exe
                                  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                  3⤵
                                  • Interacts with shadow copies
                                  PID:1708
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                2⤵
                                  PID:836
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
                                  2⤵
                                    PID:1032
                                    • C:\Windows\system32\reg.exe
                                      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
                                      3⤵
                                        PID:768
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
                                      2⤵
                                        PID:2044
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                        2⤵
                                          PID:1952
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
                                          2⤵
                                            PID:1732
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
                                            2⤵
                                              PID:1956
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
                                              2⤵
                                                PID:580
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
                                                2⤵
                                                  PID:1332
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
                                                  2⤵
                                                    PID:812
                                                • C:\Windows\system32\vssvc.exe
                                                  C:\Windows\system32\vssvc.exe
                                                  1⤵
                                                    PID:1792

                                                  Network

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

                                                    Filesize

                                                    8KB

                                                    Download