9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae

General

Target

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
Size

277KB
MD5

1dec533464e822a43b0a8160b910d910
SHA1

6709c297dafa871c54989569779c828a326f26d2
SHA256

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae
SHA512

7b1724e1f5e7191e10c60155b3c790e0d6f760049c264d76d6e73eedcc37bb69c883105fbd4cd74fb5c788da0540950ac2871fa126392b2bffab1f5a431ea13a
SSDEEP

6144:edTPNP/JvZ3oqXAhD/rqs9SXZ0PE2hWXsQ:epVPxvZ3oqXk9YZ0M3

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf8801.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcf8801.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*cf8801 = "C:\\Users\\Admin\\AppData\\Roaming\\bcf8801.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcf880 = "C:\\bcf8801\\bcf8801.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*cf880 = "C:\\bcf8801\\bcf8801.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcf8801 = "C:\\Users\\Admin\\AppData\\Roaming\\bcf8801.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe

description	pid	process	target process
PID 1364 set thread context of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1220 vssadmin.exe

pid	process
1220	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe

pid	process
1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exeexplorer.exe

pid process

820 9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
944 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1328 vssvc.exe
Token: SeRestorePrivilege 1328 vssvc.exe
Token: SeAuditPrivilege 1328 vssvc.exe

pid	process
820	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
944	explorer.exe

description	pid	process
Token: SeBackupPrivilege	1328	vssvc.exe
Token: SeRestorePrivilege	1328	vssvc.exe
Token: SeAuditPrivilege	1328	vssvc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exeexplorer.exe

description	pid	process	target process
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 1364 wrote to memory of 820	1364	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 820 wrote to memory of 944	820	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	explorer.exe
PID 820 wrote to memory of 944	820	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	explorer.exe
PID 820 wrote to memory of 944	820	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	explorer.exe
PID 820 wrote to memory of 944	820	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	explorer.exe
PID 944 wrote to memory of 764	944	explorer.exe	svchost.exe
PID 944 wrote to memory of 764	944	explorer.exe	svchost.exe
PID 944 wrote to memory of 764	944	explorer.exe	svchost.exe
PID 944 wrote to memory of 764	944	explorer.exe	svchost.exe
PID 944 wrote to memory of 1220	944	explorer.exe	vssadmin.exe
PID 944 wrote to memory of 1220	944	explorer.exe	vssadmin.exe
PID 944 wrote to memory of 1220	944	explorer.exe	vssadmin.exe
PID 944 wrote to memory of 1220	944	explorer.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
"C:\Users\Admin\AppData\Local\Temp\9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
"C:\Users\Admin\AppData\Local\Temp\9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\syswow64\svchost.exe
-k netsvcs
4⤵
PID:764

C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-69-0x0000000000000000-mapping.dmp

Download
memory/764-73-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/764-72-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/820-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/820-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/820-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/820-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/820-62-0x00000000004143B0-mapping.dmp

Download
memory/820-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/820-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/820-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-64-0x0000000000000000-mapping.dmp

Download
memory/944-68-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/944-67-0x0000000074D31000-0x0000000074D33000-memory.dmp

Filesize
8KB

Download
memory/944-66-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1220-70-0x0000000000000000-mapping.dmp

Download
memory/1364-63-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads