4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0

General

Target

4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe
Size

147KB
MD5

8c6309eabacbf95f01cea9e1e84aad4c
SHA1

fe1e785fb4519f1e4ed15351b68b399185c17aad
SHA256

4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0
SHA512

f5589942e45b8186207a398f90f394a6f5faf95aeb0dedd310c04cf7d66217b7823b117cde6c791d58e815da5946a730bcf6b615faceb5cabedd626205a2fc8f
SSDEEP

3072:b0zy6Iv9/7bKrnZ+OF2IBIW3FXfLedZTWrL6:wm667urnZxFjIW3xq

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf8801.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf8801.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcf880 = "C:\\bcf8801\\bcf8801.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*cf880 = "C:\\bcf8801\\bcf8801.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcf8801 = "C:\\Users\\Admin\\AppData\\Roaming\\bcf8801.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*cf8801 = "C:\\Users\\Admin\\AppData\\Roaming\\bcf8801.exe"	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe

description	ioc	process
File opened for modification	C:\Windows\4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.INI	4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1300 vssadmin.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exeexplorer.exe

pid process

1200 4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe
1056 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1764 vssvc.exe
Token: SeRestorePrivilege 1764 vssvc.exe
Token: SeAuditPrivilege 1764 vssvc.exe

pid	process
1300	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1764	vssvc.exe
Token: SeRestorePrivilege	1764	vssvc.exe
Token: SeAuditPrivilege	1764	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe

pid	process
1200	4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe
1200	4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe

pid process

1200 4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exeexplorer.exe

description	pid	process	target process
PID 1200 wrote to memory of 1056	1200	4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe	explorer.exe
PID 1200 wrote to memory of 1056	1200	4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe	explorer.exe
PID 1200 wrote to memory of 1056	1200	4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe	explorer.exe
PID 1200 wrote to memory of 1056	1200	4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe	explorer.exe
PID 1056 wrote to memory of 2024	1056	explorer.exe	svchost.exe
PID 1056 wrote to memory of 2024	1056	explorer.exe	svchost.exe
PID 1056 wrote to memory of 2024	1056	explorer.exe	svchost.exe
PID 1056 wrote to memory of 2024	1056	explorer.exe	svchost.exe
PID 1056 wrote to memory of 1300	1056	explorer.exe	vssadmin.exe
PID 1056 wrote to memory of 1300	1056	explorer.exe	vssadmin.exe
PID 1056 wrote to memory of 1300	1056	explorer.exe	vssadmin.exe
PID 1056 wrote to memory of 1300	1056	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe
"C:\Users\Admin\AppData\Local\Temp\4cdb404908c66dae742158bf14ad34d6fabe6124f9fe4f1dd37450a4e8422ff0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\syswow64\svchost.exe
-k netsvcs
3⤵
PID:2024

C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-56-0x0000000000000000-mapping.dmp

Download
memory/1056-58-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1056-59-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1056-60-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1200-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1200-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1300-62-0x0000000000000000-mapping.dmp

Download
memory/2024-61-0x0000000000000000-mapping.dmp

Download
memory/2024-64-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2024-65-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads