5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef

General

Target

5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
Size

244KB
MD5

b725067c7926e8a3268d2fabfcad7b4e
SHA1

2518fb688bec920f49e6b20144dc385866a2a70c
SHA256

5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef
SHA512

41a2631b82f007cfca0e50904ff288995c202583c0da99df94cf840f5f3b8b6cb332e17cd95ce737f4379074e60250932b5c61d39cb37d829003915c538f908c
SSDEEP

6144:zKsiUOlPoYuvIPXCJ7/r32Ay1BJWCTVTAmk:zx8QYuOCp2Ay/dK

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8855f3d.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8855f3d.exe:1	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\8855f3 = "C:\\8855f3d\\8855f3d.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*855f3 = "C:\\8855f3d\\8855f3d.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\8855f3d = "C:\\Users\\Admin\\AppData\\Roaming\\8855f3d.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*855f3d = "C:\\Users\\Admin\\AppData\\Roaming\\8855f3d.exe"	explorer.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

70 wtfismyip.com

flow	ioc
70	wtfismyip.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe

description	pid	process	target process
PID 596 set thread context of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1768 vssadmin.exe
NTFS ADS 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\8855f3d.exe:1 svchost.exe
File created C:\8855f3d\8855f3d.exe:1 svchost.exe

pid	process
1768	vssadmin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\8855f3d.exe:1	svchost.exe
File created	C:\8855f3d\8855f3d.exe:1	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exesvchost.exe

pid	process
596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
1268	svchost.exe
1268	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1228

pid	process
1228

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exeexplorer.exe

pid	process
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
1220	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1504	vssvc.exe
Token: SeRestorePrivilege	1504	vssvc.exe
Token: SeAuditPrivilege	1504	vssvc.exe
Token: SeShutdownPrivilege	1228

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1228
1228
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1228
1228
1228
1228

pid	process
1228
1228

pid	process
1228
1228
1228
1228

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe

pid	process
596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exeexplorer.exe

description	pid	process	target process
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 596 wrote to memory of 888	596	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
PID 888 wrote to memory of 1220	888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	explorer.exe
PID 888 wrote to memory of 1220	888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	explorer.exe
PID 888 wrote to memory of 1220	888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	explorer.exe
PID 888 wrote to memory of 1220	888	5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe	explorer.exe
PID 1220 wrote to memory of 1268	1220	explorer.exe	svchost.exe
PID 1220 wrote to memory of 1268	1220	explorer.exe	svchost.exe
PID 1220 wrote to memory of 1268	1220	explorer.exe	svchost.exe
PID 1220 wrote to memory of 1268	1220	explorer.exe	svchost.exe
PID 1220 wrote to memory of 1768	1220	explorer.exe	vssadmin.exe
PID 1220 wrote to memory of 1768	1220	explorer.exe	vssadmin.exe
PID 1220 wrote to memory of 1768	1220	explorer.exe	vssadmin.exe
PID 1220 wrote to memory of 1768	1220	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
"C:\Users\Admin\AppData\Local\Temp\5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Local\Temp\5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
C:\Users\Admin\AppData\Local\Temp\5a4b59886e1720839a0731967c000e239cddd5220c3a82d54e326e4b3ca78eef.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\syswow64\svchost.exe
-k netsvcs
4⤵
- Drops startup file
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\8855f3d\8855f3d.exe:1
Filesize
551KB

MD5
30f505fa06a080a392c0b32ea5a59a24

SHA1
e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

SHA256
029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

SHA512
95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

Download Submit
C:\Users\Admin\AppData\Roaming\8855f3d.exe:1
Filesize
551KB

MD5
30f505fa06a080a392c0b32ea5a59a24

SHA1
e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

SHA256
029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

SHA512
95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8855f3d.exe:1
Filesize
551KB

MD5
30f505fa06a080a392c0b32ea5a59a24

SHA1
e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

SHA256
029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

SHA512
95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

Download Submit
memory/596-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/596-64-0x0000000000610000-0x0000000000614000-memory.dmp

Filesize
16KB

Download
memory/888-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/888-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/888-63-0x0000000000418E50-mapping.dmp

Download
memory/888-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/888-65-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/888-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/888-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/888-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/888-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1220-74-0x00000000746E1000-0x00000000746E3000-memory.dmp

Filesize
8KB

Download
memory/1220-75-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1220-72-0x0000000000000000-mapping.dmp

Download
memory/1228-76-0x00000000025A0000-0x00000000025AC000-memory.dmp

Filesize
48KB

Download
memory/1228-77-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1228-70-0x00000000025A0000-0x00000000025AC000-memory.dmp

Filesize
48KB

Download
memory/1228-71-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1268-82-0x00000000000E0000-0x000000000010C000-memory.dmp

Filesize
176KB

Download
memory/1268-80-0x00000000000E0000-0x000000000010C000-memory.dmp

Filesize
176KB

Download
memory/1268-86-0x00000000008C0000-0x000000000094A000-memory.dmp

Filesize
552KB

Download
memory/1268-87-0x0000000002BA0000-0x0000000002CD7000-memory.dmp

Filesize
1.2MB

Download
memory/1268-88-0x0000000002CE0000-0x0000000002E48000-memory.dmp

Filesize
1.4MB

Download
memory/1268-78-0x0000000000000000-mapping.dmp

Download
memory/1768-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads