Analysis
- Max time kernel: 218s
- Max time network: 242s
- Platform: windows10-2004_x64
- Resource: win10v2004-20221111-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 26-11-2022 09:02

Static task: static1

Behavioral task: behavioral1
- Sample: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
- Resource: win10v2004-20221111-en
General
- Target: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
- Size: 428KB
- MD5: e6227eaefc147e66e3c7fa87a7e90fd6
- SHA1: 911670753ffb5d56466888a22182501c4e32ebed
- SHA256: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3
- SHA512: c077f4597279542ba9e2ae1e84da84b855c418c7fcef73d294c1c71525c4ad658cf444ebbcb9f9563dd193b37fc5bb96daa8e4422b6ea5d9e20b411d27ee1de7
- SSDEEP: 12288:UC5a4ZNG9mOhWMILp2IM4Vd0GkCY/xYa:Va4Zg9ThWhMmdBwx
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vault = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe\""
  Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*VaultBackup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe\""
- Drops desktop.ini file(s) (2 IoCs)
  Process: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
- Drops file in Windows directory (3 IoCs)
  Process: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
  File opened for modification: C:\Windows\assembly
  File created: C:\Windows\assembly\Desktop.ini
  File opened for modification: C:\Windows\assembly\Desktop.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 5076), vssadmin.exe (PID 3732)
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: wmic.exe (PID 3192), vssvc.exe (PID 1336)
  wmic.exe (PID 3192), each token privilege adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  vssvc.exe (PID 1336): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe, csc.exe, cmd.exe
  PID 1448 (2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe) wrote to memory of PID 4852 (csc.exe), 3 times
  PID 4852 (csc.exe) wrote to memory of PID 1908 (cvtres.exe), 3 times
  PID 1448 (2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe) wrote to memory of PID 5076 (vssadmin.exe), 2 times
  PID 1448 (2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe) wrote to memory of PID 3192 (wmic.exe), 2 times
  PID 1448 (2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe) wrote to memory of PID 3408 (cmd.exe), 3 times
  PID 3408 (cmd.exe) wrote to memory of PID 3732 (vssadmin.exe), 2 times
Processes
- C:\Users\Admin\AppData\Local\Temp\2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ipnu4wth.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES687A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC685A.tmp"
  - C:\Windows\system32\vssadmin.exe
    Command line: "C:\Windows\sysnative\vssadmin.exe" Delete Shadows /All /Quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\wbem\wmic.exe
    Command line: "C:\Windows\sysnative\wbem\wmic.exe" shadowcopy delete
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Windows\sysnative\vssadmin.exe" Delete Shadows /All /Quiet
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\sysnative\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES687A.tmp
  Filesize: 1KB
  MD5: bc549727a2902afe62651e7936d7beb5
  SHA1: 59950f97f65ae9d3a263f7fc3c3b20a3e6417780
  SHA256: a6b81d90406728039351b4a83709bd21f0a6c87760088a7b48b483ba0a55fcf4
  SHA512: c5e4d5c4d18e43a892e61d7020e3174719a298dba645d0834ace0c856b72c784bb716667dae1f0583dd7957cdcb82b612b765b3cd860409af54f81d30579f501
- C:\Users\Admin\AppData\Local\Temp\ipnu4wth.dll
  Filesize: 13KB
  MD5: f65ebb050c64ae1b163ac15bcd155e5e
  SHA1: be4f18940cc413a89b8d7dcf4f1179e932388836
  SHA256: 18d03d1348065f9a3ca2b3b427eec43be2ddd1465e790f46b17df0ad07dac3d6
  SHA512: c743ec710af443e3f0f756fb28ae83530ecc93dfef840153bfa3c4350312d576aa9966e5980b980ff55cee25b8712846dbcca11f3a23970328700f3285db6efe
- \??\c:\Users\Admin\AppData\Local\Temp\CSC685A.tmp
  Filesize: 652B
  MD5: 43cbba9fd73da5abfdff4ae80818f2d6
  SHA1: 9d9a69f1743d4f8965cbfa84b8015663a094b443
  SHA256: d5ef689b324afc29c1f4f0aa8518d9d05f44f242b0e27f538e1931ee0b2fb383
  SHA512: c8a2c5d9e3e7f0fc2727c964f1b83d7afede4fd76237f8b4193369be0d6c849a81490e0963edb5e0501c7d6b9495e3b41eca2ef134a8f81988ec0c94858eb1ee
- \??\c:\Users\Admin\AppData\Local\Temp\ipnu4wth.0.cs
  Filesize: 22KB
  MD5: 876e1e05167f8d7cd0998c864f730338
  SHA1: b3a0dd03960b49d4620553e53a5194eb7483b30e
  SHA256: 77ce602164e8a8f39684776b8528b710b032f863415334125b33cda12e7b8e2b
  SHA512: 390fd444f4b9e47664b54c9cb6459eb81e1db6f1b63db0e1c126fe17e7049b767bbd47f21894204bd53e3490d7efc8b0a962a5cebeb90e89cabcf0f3cc31f2d8
- \??\c:\Users\Admin\AppData\Local\Temp\ipnu4wth.cmdline
  Filesize: 347B
  MD5: 4a1dbee630ce8a684c38809a9a65c0b0
  SHA1: efe4c9c6770b3b9d677e37db221003bf934d6f5e
  SHA256: 02813f73eff74ed1d949959fcd6b23ae04cca1984ad0b068bbb7f8de3d38f89a
  SHA512: 0a53a62ac161af8bb4addee2bf2bab95e4beab5d27706c1144c4457ac2f2e653f4195ae530f84c343439af163dfcbbad6cf9489a007d1ba463600981ccfd63b5
- memory/1448-132-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB
- memory/1448-133-0x00000000746F0000-0x0000000074CA1000-memory.dmp
  Filesize: 5.7MB
- memory/1908-137-0x0000000000000000-mapping.dmp
- memory/3192-142-0x0000000000000000-mapping.dmp
- memory/3408-143-0x0000000000000000-mapping.dmp
- memory/3732-144-0x0000000000000000-mapping.dmp
- memory/4852-134-0x0000000000000000-mapping.dmp
- memory/5076-141-0x0000000000000000-mapping.dmp