2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f

Resubmissions

09/03/2023, 23:07

230309-23yxwsaf76 10

15/11/2022, 10:46

221115-mvfzsahc5t 9

Analysis

max time kernel
75s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15/11/2022, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

2.9MB
MD5

01492156ce8b4034c5b1027130f4cf4e
SHA1

6b0deb67a178fe20e81691133b257df3bafa3006
SHA256

2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
SHA512

a26e6898ff4546b3357c07b222d05ecd8f631b2f7e939e19cf422f3e78d201de86ff5a3c208f5f52fbe3158a1a8bd71cf957ae52285b9e572088a3fe4363c3f4
SSDEEP

49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5k:wm+GaNqqJJ12vlZol8cJ7rc

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UndoRestore.tif => C:\Users\Admin\Pictures\UndoRestore.tif.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\EditComplete.tif => C:\Users\Admin\Pictures\EditComplete.tif.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\PublishOpen.png => C:\Users\Admin\Pictures\PublishOpen.png.royal	sample.exe

Drops desktop.ini file(s) 46 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\SE2B3O62\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J6AIXJLC\desktop.ini	sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	sample.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\02T2Y1LA\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XM4BNOMM\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sample.exe
File opened for modification	C:\Program Files\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\desktop.ini	sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\HxRuntime.HxS	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00808_.WMF	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\THMBNAIL.PNG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152600.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238959.WMF	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL2.WMF	sample.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.INI	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\validation.js	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\LightSpirit.css	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteNames.gpd	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18209_.WMF	sample.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14800_.GIF	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guyana	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPT.CFG	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Elemental.eftx	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css	sample.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\README.TXT	sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML	sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado28.tlb	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar	sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Singapore	sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR11.POC	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.XML	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME42.CSS	sample.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1476	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe
1216	sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1504	vssvc.exe
Token: SeRestorePrivilege	1504	vssvc.exe
Token: SeAuditPrivilege	1504	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1476	1216	sample.exe	28
PID 1216 wrote to memory of 1476	1216	sample.exe	28
PID 1216 wrote to memory of 1476	1216	sample.exe	28

C:\Users\Admin\AppData\Local\Temp\sample.exe
C:\Users\Admin\AppData\Local\Temp\sample.exe -path C:\ -id 12345678123456781234567812346578
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\System32\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads