Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2022 12:06

General

  • Target

    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe

  • Size

    156KB

  • MD5

    fcd21c6fca3b9378961aa1865bee7ecb

  • SHA1

    0abaa05da2a05977e0baf68838cff1712f1789e0

  • SHA256

    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

  • SHA512

    e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a

  • SSDEEP

    1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4

Malware Config

Signatures

  • Deletes NTFS Change Journal 2 TTPs 1 IoCs

    The USN change journal is a persistent log of all changes made to local files; it is used by Windows Server systems, and deleting it removes a record of file activity that would otherwise aid forensic analysis.

  • RansomEXX Ransomware

    Targeted ransomware with variants which affect Windows and Linux systems.

  • Clears Windows event logs 1 TTPs 4 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables use of System Restore points 1 TTPs
  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Overwrites deleted data with Cipher tool 1 TTPs

    Cipher is a Windows tool which can be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
    "C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\System32\fsutil.exe
      "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
      2⤵
      • Deletes NTFS Change Journal
      PID:260
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Application
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:228
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:D:
      2⤵
      • Enumerates connected drives
      PID:928
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1388
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
      2⤵
      • Deletes backup catalog
      PID:4260
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:C:
      2⤵
      PID:3924
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" sl Security /e:false
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Setup
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:3628
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Security
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl System
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:4276
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4748
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      2⤵
      PID:788
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:880
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1960
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:2716

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/228-134-0x0000000000000000-mapping.dmp
  • memory/260-132-0x0000000000000000-mapping.dmp
  • memory/788-137-0x0000000000000000-mapping.dmp
  • memory/928-135-0x0000000000000000-mapping.dmp
  • memory/1388-140-0x0000000000000000-mapping.dmp
  • memory/1692-139-0x0000000000000000-mapping.dmp
  • memory/3628-143-0x0000000000000000-mapping.dmp
  • memory/3680-136-0x0000000000000000-mapping.dmp
  • memory/3924-138-0x0000000000000000-mapping.dmp
  • memory/4260-142-0x0000000000000000-mapping.dmp
  • memory/4276-133-0x0000000000000000-mapping.dmp
  • memory/4748-141-0x0000000000000000-mapping.dmp