2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f

Resubmissions

09/03/2023, 23:07

230309-23yxwsaf76 10

15/11/2022, 10:46

221115-mvfzsahc5t 9

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2022, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

2.9MB
MD5

01492156ce8b4034c5b1027130f4cf4e
SHA1

6b0deb67a178fe20e81691133b257df3bafa3006
SHA256

2598e8adb87976abe48f0eba4bbb9a7cb69439e0c133b21aee3845dfccf3fb8f
SHA512

a26e6898ff4546b3357c07b222d05ecd8f631b2f7e939e19cf422f3e78d201de86ff5a3c208f5f52fbe3158a1a8bd71cf957ae52285b9e572088a3fe4363c3f4
SSDEEP

49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5k:wm+GaNqqJJ12vlZol8cJ7rc

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MeasureEnable.raw => C:\Users\Admin\Pictures\MeasureEnable.raw.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\LockEdit.tiff => C:\Users\Admin\Pictures\LockEdit.tiff.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\RegisterUnprotect.tif => C:\Users\Admin\Pictures\RegisterUnprotect.tif.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\DismountMount.crw => C:\Users\Admin\Pictures\DismountMount.crw.royal	sample.exe
File renamed	C:\Users\Admin\Pictures\CompressSync.tiff => C:\Users\Admin\Pictures\CompressSync.tiff.royal	sample.exe
File opened for modification	C:\Users\Admin\Pictures\LockEdit.tiff	sample.exe
File renamed	C:\Users\Admin\Pictures\RenameWrite.crw => C:\Users\Admin\Pictures\RenameWrite.crw.royal	sample.exe
File opened for modification	C:\Users\Admin\Pictures\WriteRead.tiff	sample.exe
File renamed	C:\Users\Admin\Pictures\WriteRead.tiff => C:\Users\Admin\Pictures\WriteRead.tiff.royal	sample.exe
File opened for modification	C:\Users\Admin\Pictures\CompressSync.tiff	sample.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\README.TXT	sample.exe

Drops desktop.ini file(s) 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	sample.exe
File opened for modification	C:\Program Files\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\README.TXT	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\ui-strings.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main-selector.css	sample.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\README.TXT	sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\README.TXT	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms	sample.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\README.TXT	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\he-il\README.TXT	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar	sample.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line.cur	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\README.TXT	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected.svg	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\ui-strings.js	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql70.xsl	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\README.TXT	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_zh_CN.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_editpdf_18.svg	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\ui-strings.js	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svg	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover.png	sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\README.TXT	sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\README.TXT	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\README.TXT	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\plugin.js	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\README.TXT	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_pattern_RHP.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\ui-strings.js	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\README.TXT	sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js	sample.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\README.TXT	sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\README.TXT	sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\main.css	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.boot.tree.dat	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\README.TXT	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js	sample.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4636	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe
2952	sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1292	vssvc.exe
Token: SeRestorePrivilege	1292	vssvc.exe
Token: SeAuditPrivilege	1292	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 4636	2952	sample.exe	80
PID 2952 wrote to memory of 4636	2952	sample.exe	80

C:\Users\Admin\AppData\Local\Temp\sample.exe
C:\Users\Admin\AppData\Local\Temp\sample.exe -path C:\ -id 12345678123456781234567812346578
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\System32\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads