cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403

General

Target

cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
Size

364KB
MD5

54a2c676671f6ddbb2177bf8e890acd0
SHA1

884cfa603a2b4e79d6fe2f41d102e6b55ee2de59
SHA256

cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403
SHA512

fab5630b95bd11cadaa2179f0add2946b2185d5594251762d2c00f5cd0f86877e3fe7a47b46b6172865aa30ffd743ea218b3b5584124dbd5e8dc7a6a7623f2c9
SSDEEP

6144:FC4m9hjy766vocAXRXi1s4dKNLGEbhSBr29lW7XczExw4Rqo:zm9hjR6A7hXEcNLtSBybW7cO7oo

Score

9^/10

persistence ransomware

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\fek2B36.tmp	acprotect

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\afd3b0e.exe explorer.exe
Loads dropped DLL 1 IoCs

Processes:

cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe

pid process

852 cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\afd3b0e.exe	explorer.exe

pid	process
852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\afd3b0e = "C:\\Users\\Admin\\AppData\\Roaming\\afd3b0e.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fd3b0e = "C:\\Users\\Admin\\AppData\\Roaming\\afd3b0e.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\afd3b0 = "C:\\afd3b0e\\afd3b0e.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fd3b0 = "C:\\afd3b0e\\afd3b0e.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe

description	pid	process	target process
PID 852 set thread context of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1916 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

explorer.exe

pid process

1640 explorer.exe
1640 explorer.exe
1640 explorer.exe
1640 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exeexplorer.exe

pid process

664 cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
1640 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1088 vssvc.exe
Token: SeRestorePrivilege 1088 vssvc.exe
Token: SeAuditPrivilege 1088 vssvc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe

pid process

852 cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe

pid	process
1916	vssadmin.exe

pid	process
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe
1640	explorer.exe

pid	process
664	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
1640	explorer.exe

description	pid	process
Token: SeBackupPrivilege	1088	vssvc.exe
Token: SeRestorePrivilege	1088	vssvc.exe
Token: SeAuditPrivilege	1088	vssvc.exe

pid	process
852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.execd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exeexplorer.exe

description	pid	process	target process
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 852 wrote to memory of 664	852	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
PID 664 wrote to memory of 1640	664	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	explorer.exe
PID 664 wrote to memory of 1640	664	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	explorer.exe
PID 664 wrote to memory of 1640	664	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	explorer.exe
PID 664 wrote to memory of 1640	664	cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe	explorer.exe
PID 1640 wrote to memory of 800	1640	explorer.exe	svchost.exe
PID 1640 wrote to memory of 800	1640	explorer.exe	svchost.exe
PID 1640 wrote to memory of 800	1640	explorer.exe	svchost.exe
PID 1640 wrote to memory of 800	1640	explorer.exe	svchost.exe
PID 1640 wrote to memory of 1916	1640	explorer.exe	vssadmin.exe
PID 1640 wrote to memory of 1916	1640	explorer.exe	vssadmin.exe
PID 1640 wrote to memory of 1916	1640	explorer.exe	vssadmin.exe
PID 1640 wrote to memory of 1916	1640	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
"C:\Users\Admin\AppData\Local\Temp\cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe
"C:\Users\Admin\AppData\Local\Temp\cd9681cfe1ef76bf46c079e4de23b7ba72bce3929585fae08e0a62937e38d403.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\syswow64\svchost.exe
-k netsvcs
4⤵
PID:800

C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\fek2B36.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/664-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/664-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/664-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/664-67-0x0000000000418820-mapping.dmp

Download
memory/664-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/664-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/664-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/664-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/800-74-0x0000000000000000-mapping.dmp

Download
memory/800-77-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/852-58-0x00000000004B0000-0x0000000000523000-memory.dmp

Filesize
460KB

Download
memory/852-68-0x00000000004B0000-0x0000000000523000-memory.dmp

Filesize
460KB

Download
memory/852-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/852-56-0x0000000074071000-0x0000000074073000-memory.dmp

Filesize
8KB

Download
memory/852-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1640-69-0x0000000000000000-mapping.dmp

Download
memory/1640-73-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1640-72-0x0000000074681000-0x0000000074683000-memory.dmp

Filesize
8KB

Download
memory/1640-78-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1916-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads