Overview

overview

9

Static

static

9fa123ab83...d2.exe

windows7-x64

9

9fa123ab83...d2.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    138s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fa123ab8324a0ff02101b973cc07e91c33811f2165d2412e5959cd68a96a8d2.exe

  • Size

    260KB

  • MD5

    105833e760b09cbde85e0077f9e9d49e

  • SHA1

    3f08a1c94510574f013debac02f93fcdec7ab796

  • SHA256

    9fa123ab8324a0ff02101b973cc07e91c33811f2165d2412e5959cd68a96a8d2

  • SHA512

    92258448944a1c9e95212ba2cda0cd172a08ca772712a93da4a7f456e622ce49a2c2e8f67ae332fd5bdad95548aa67202dc3e97db794b0fb05dabf6cb36e43ed

  • SSDEEP

    6144:dT79rfiNK9tqna0atlq3w27v00L2gubvsznNH/f:dTprfga0P3cgz5f

Score
9/10
ransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 2 IoCs
  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 64 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fa123ab8324a0ff02101b973cc07e91c33811f2165d2412e5959cd68a96a8d2.exe
    "C:\Users\Admin\AppData\Local\Temp\9fa123ab8324a0ff02101b973cc07e91c33811f2165d2412e5959cd68a96a8d2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\9fa123ab8324a0ff02101b973cc07e91c33811f2165d2412e5959cd68a96a8d2.exe
      C:\Users\Admin\AppData\Local\Temp\9fa123ab8324a0ff02101b973cc07e91c33811f2165d2412e5959cd68a96a8d2.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\syswow64\explorer.exe
        "C:\Windows\syswow64\explorer.exe"
        3⤵
        • Drops startup file
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\syswow64\svchost.exe
          -k netsvcs
          4⤵
          • Drops startup file
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • NTFS ADS
          • Suspicious behavior: EnumeratesProcesses
          PID:1556
        • C:\Windows\syswow64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1008
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf8801.exe:1
    Filesize

    551KB

    MD5

    30f505fa06a080a392c0b32ea5a59a24

    SHA1

    e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

    SHA256

    029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

    SHA512

    95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

    Download Submit
  • C:\Users\Admin\AppData\Roaming\bcf8801.exe:1
    Filesize

    551KB

    MD5

    30f505fa06a080a392c0b32ea5a59a24

    SHA1

    e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

    SHA256

    029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

    SHA512

    95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

    Download Submit
  • C:\bcf8801\bcf8801.exe:1
    Filesize

    551KB

    MD5

    30f505fa06a080a392c0b32ea5a59a24

    SHA1

    e6b9914684cd90c7e24a4d91a48cb5c8c71a20c5

    SHA256

    029746aa3914b912871ddf7ee534710841b43a7c5628ae289643dde7ca9db73a

    SHA512

    95ef3f31d8443df317cacb2ec13ab786e1fe2b533fb276bc6e4e76747f9050fd34b5806b4d79f2242588ef21a4cea0a7aeef7fbbd8ba9710a428b4f93208a909

    Download Submit
  • memory/824-55-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/824-56-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/824-58-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/824-59-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/824-61-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/824-62-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/824-63-0x0000000000418DF0-mapping.dmp
    Download
  • memory/824-65-0x0000000000240000-0x000000000024C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/824-70-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1008-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1116-74-0x00000000749F1000-0x00000000749F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1116-75-0x0000000000100000-0x000000000012B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1116-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1212-69-0x0000000002670000-0x000000000267C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1212-76-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/1212-71-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/1380-64-0x0000000000250000-0x0000000000254000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1556-80-0x0000000000080000-0x00000000000AB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1556-84-0x0000000000C10000-0x0000000000C9A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/1556-85-0x0000000002F50000-0x0000000003087000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1556-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1556-86-0x0000000003090000-0x00000000031F8000-memory.dmp
    Filesize

    1.4MB

    Download