Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 09:50
Static task
static1
Behavioral task
behavioral1
Sample
c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe
Resource
win10v2004-20221111-en
General
-
Target
c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe
-
Size
267KB
-
MD5
4d39aeaf7e88ebd9c25b886db71cc776
-
SHA1
1c2aa785a49f4ec5fc0df68fce47d1e43140b59f
-
SHA256
c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e
-
SHA512
c2a498167f2aca5edf18a3eb29690e32c28cfd8d564ae28272b44ac9acaaa72b07967c5c3926efb7a7920a4f208382d39a1950e67daa6bfcbf63d8e6d5ea7ae6
-
SSDEEP
3072:D22DPzPAzp6f9PboTde136OjAS7Vglkq+yUzsKOUqE617AYUJvAOVuRLa3Cmfj6+:a2bESbKM6J4ilsyZiq1sAOVu4NHwjH7o
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
explorer.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\92b5590.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*2b559 = "C:\\92b5590\\92b5590.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\92b5590 = "C:\\Users\\Admin\\AppData\\Roaming\\92b5590.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*2b5590 = "C:\\Users\\Admin\\AppData\\Roaming\\92b5590.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\92b559 = "C:\\92b5590\\92b5590.exe" explorer.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1500 vssadmin.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exeexplorer.exepid process 1720 c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe 1520 explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1184 vssvc.exe Token: SeRestorePrivilege 1184 vssvc.exe Token: SeAuditPrivilege 1184 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exeexplorer.exedescription pid process target process PID 1720 wrote to memory of 1520 1720 c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe explorer.exe PID 1720 wrote to memory of 1520 1720 c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe explorer.exe PID 1720 wrote to memory of 1520 1720 c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe explorer.exe PID 1720 wrote to memory of 1520 1720 c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe explorer.exe PID 1520 wrote to memory of 1632 1520 explorer.exe svchost.exe PID 1520 wrote to memory of 1632 1520 explorer.exe svchost.exe PID 1520 wrote to memory of 1632 1520 explorer.exe svchost.exe PID 1520 wrote to memory of 1632 1520 explorer.exe svchost.exe PID 1520 wrote to memory of 1500 1520 explorer.exe vssadmin.exe PID 1520 wrote to memory of 1500 1520 explorer.exe vssadmin.exe PID 1520 wrote to memory of 1500 1520 explorer.exe vssadmin.exe PID 1520 wrote to memory of 1500 1520 explorer.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe"C:\Users\Admin\AppData\Local\Temp\c2deff6218be4bb0352583511a17a52e715016b921a56f3f0166ff09d0b0e72e.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\svchost.exe-k netsvcs3⤵
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1500-62-0x0000000000000000-mapping.dmp
-
memory/1520-57-0x0000000000000000-mapping.dmp
-
memory/1520-58-0x0000000075BD1000-0x0000000075BD3000-memory.dmpFilesize
8KB
-
memory/1520-59-0x0000000074D41000-0x0000000074D43000-memory.dmpFilesize
8KB
-
memory/1520-60-0x00000000000C0000-0x00000000000E0000-memory.dmpFilesize
128KB
-
memory/1632-61-0x0000000000000000-mapping.dmp
-
memory/1632-64-0x00000000000C0000-0x00000000000E0000-memory.dmpFilesize
128KB
-
memory/1632-65-0x00000000000C0000-0x00000000000E0000-memory.dmpFilesize
128KB
-
memory/1720-55-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1720-54-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB