b879ef0713b23926b087e45d82addfb0ffb65cc5d3a6cffb2843d87058444d20

Analysis

max time kernel
121s
max time network
62s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-11-2022 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCShredder.exe
Size

14.7MB
MD5

96cb05530c60082172543f1011fd9d48
SHA1

3ab9dcd4b109432656b36afa1f8f264d43d43273
SHA256

918567fd880fe414ae41ebca386cfafe8b114369ce8002fa2d9420b5495576c8
SHA512

e6fd8493dee16e771dccc892cd0941cac676fbd2f23cd589350101df3d9c307dcbc3b7e66181f9cc83662da9a455ea5172392485e351754bc775743d90cb7c90
SSDEEP

393216:Q4q3RE5c113BsymGR6zB2Dl4DAJZwO6JGFC/HE:ImxzB2RreOa1/k

Score

9^/10

ransomware upx

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

MBR_Note.exe

pid process

5020 MBR_Note.exe

pid	process
5020	MBR_Note.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\MBR_Note.exe	upx
behavioral1/memory/5020-124-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MBR_Note.exe	upx
behavioral1/memory/5020-145-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3336 vssadmin.exe

pid	process
3336	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

vssvc.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	2416	vssvc.exe
Token: SeRestorePrivilege	2416	vssvc.exe
Token: SeAuditPrivilege	2416	vssvc.exe
Token: 33	3200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3200	AUDIODG.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

PCShredder.execmd.exe

description	pid	process	target process
PID 2372 wrote to memory of 5020	2372	PCShredder.exe	MBR_Note.exe
PID 2372 wrote to memory of 5020	2372	PCShredder.exe	MBR_Note.exe
PID 2372 wrote to memory of 5020	2372	PCShredder.exe	MBR_Note.exe
PID 2372 wrote to memory of 4480	2372	PCShredder.exe	cmd.exe
PID 2372 wrote to memory of 4480	2372	PCShredder.exe	cmd.exe
PID 4480 wrote to memory of 3336	4480	cmd.exe	vssadmin.exe
PID 4480 wrote to memory of 3336	4480	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\PCShredder.exe
"C:\Users\Admin\AppData\Local\Temp\PCShredder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\MBR_Note.exe
"C:\Users\Admin\AppData\Local\Temp\MBR_Note.exe"
2⤵
- Executes dropped EXE
PID:5020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3336

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c25d35dc10e3423fa38d64391e1716f8 /t 2392 /p 2372
1⤵
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MBR_Note.exe
Filesize
303KB

MD5
631e45f7bd3d32363362f09cbfbdfbae

SHA1
6ae1e59d037b64f3c57c334ee521f8e9be6ea96f

SHA256
fef9f05fbb339b16a15848a1b4d743857ccca6e347818cad687dfc78119803e0

SHA512
7ee88c4d4f8543cbdb0e42e04cd6f5aa523c016d3753927a56fe8078f89d538adcb022d7ac95998fb1b0c5398c8c3cd9ec70d2b24ced2cca1f91fd8d6d62e429

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR_Note.exe
Filesize
303KB

MD5
631e45f7bd3d32363362f09cbfbdfbae

SHA1
6ae1e59d037b64f3c57c334ee521f8e9be6ea96f

SHA256
fef9f05fbb339b16a15848a1b4d743857ccca6e347818cad687dfc78119803e0

SHA512
7ee88c4d4f8543cbdb0e42e04cd6f5aa523c016d3753927a56fe8078f89d538adcb022d7ac95998fb1b0c5398c8c3cd9ec70d2b24ced2cca1f91fd8d6d62e429

Download Submit
memory/2372-120-0x000002009F220000-0x00000200A00D2000-memory.dmp

Filesize
14.7MB

Download
memory/2372-121-0x00000200BA600000-0x00000200BB526000-memory.dmp

Filesize
15.1MB

Download
memory/3336-127-0x0000000000000000-mapping.dmp

Download
memory/4480-125-0x0000000000000000-mapping.dmp

Download
memory/5020-122-0x0000000000000000-mapping.dmp

Download
memory/5020-124-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/5020-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-145-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/5020-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-158-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-160-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-181-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-188-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-187-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-189-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-190-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-191-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5020-192-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download