2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3

General

Target

2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
Size

428KB
MD5

e6227eaefc147e66e3c7fa87a7e90fd6
SHA1

911670753ffb5d56466888a22182501c4e32ebed
SHA256

2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3
SHA512

c077f4597279542ba9e2ae1e84da84b855c418c7fcef73d294c1c71525c4ad658cf444ebbcb9f9563dd193b37fc5bb96daa8e4422b6ea5d9e20b411d27ee1de7
SSDEEP

12288:UC5a4ZNG9mOhWMILp2IM4Vd0GkCY/xYa:Va4Zg9ThWhMmdBwx

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vault = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe\""	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*VaultBackup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe\""	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe

Drops file in Windows directory 3 IoCs

Processes:

2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
File created	C:\Windows\assembly\Desktop.ini	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

5076 vssadmin.exe
3732 vssadmin.exe

pid	process
5076	vssadmin.exe
3732	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3192	wmic.exe
Token: SeSecurityPrivilege	3192	wmic.exe
Token: SeTakeOwnershipPrivilege	3192	wmic.exe
Token: SeLoadDriverPrivilege	3192	wmic.exe
Token: SeSystemProfilePrivilege	3192	wmic.exe
Token: SeSystemtimePrivilege	3192	wmic.exe
Token: SeProfSingleProcessPrivilege	3192	wmic.exe
Token: SeIncBasePriorityPrivilege	3192	wmic.exe
Token: SeCreatePagefilePrivilege	3192	wmic.exe
Token: SeBackupPrivilege	3192	wmic.exe
Token: SeRestorePrivilege	3192	wmic.exe
Token: SeShutdownPrivilege	3192	wmic.exe
Token: SeDebugPrivilege	3192	wmic.exe
Token: SeSystemEnvironmentPrivilege	3192	wmic.exe
Token: SeRemoteShutdownPrivilege	3192	wmic.exe
Token: SeUndockPrivilege	3192	wmic.exe
Token: SeManageVolumePrivilege	3192	wmic.exe
Token: 33	3192	wmic.exe
Token: 34	3192	wmic.exe
Token: 35	3192	wmic.exe
Token: 36	3192	wmic.exe
Token: SeIncreaseQuotaPrivilege	3192	wmic.exe
Token: SeSecurityPrivilege	3192	wmic.exe
Token: SeTakeOwnershipPrivilege	3192	wmic.exe
Token: SeLoadDriverPrivilege	3192	wmic.exe
Token: SeSystemProfilePrivilege	3192	wmic.exe
Token: SeSystemtimePrivilege	3192	wmic.exe
Token: SeProfSingleProcessPrivilege	3192	wmic.exe
Token: SeIncBasePriorityPrivilege	3192	wmic.exe
Token: SeCreatePagefilePrivilege	3192	wmic.exe
Token: SeBackupPrivilege	3192	wmic.exe
Token: SeRestorePrivilege	3192	wmic.exe
Token: SeShutdownPrivilege	3192	wmic.exe
Token: SeDebugPrivilege	3192	wmic.exe
Token: SeSystemEnvironmentPrivilege	3192	wmic.exe
Token: SeRemoteShutdownPrivilege	3192	wmic.exe
Token: SeUndockPrivilege	3192	wmic.exe
Token: SeManageVolumePrivilege	3192	wmic.exe
Token: 33	3192	wmic.exe
Token: 34	3192	wmic.exe
Token: 35	3192	wmic.exe
Token: 36	3192	wmic.exe
Token: SeBackupPrivilege	1336	vssvc.exe
Token: SeRestorePrivilege	1336	vssvc.exe
Token: SeAuditPrivilege	1336	vssvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.execsc.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 4852	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	csc.exe
PID 1448 wrote to memory of 4852	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	csc.exe
PID 1448 wrote to memory of 4852	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	csc.exe
PID 4852 wrote to memory of 1908	4852	csc.exe	cvtres.exe
PID 4852 wrote to memory of 1908	4852	csc.exe	cvtres.exe
PID 4852 wrote to memory of 1908	4852	csc.exe	cvtres.exe
PID 1448 wrote to memory of 5076	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	vssadmin.exe
PID 1448 wrote to memory of 5076	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	vssadmin.exe
PID 1448 wrote to memory of 3192	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	wmic.exe
PID 1448 wrote to memory of 3192	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	wmic.exe
PID 1448 wrote to memory of 3408	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	cmd.exe
PID 1448 wrote to memory of 3408	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	cmd.exe
PID 1448 wrote to memory of 3408	1448	2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe	cmd.exe
PID 3408 wrote to memory of 3732	3408	cmd.exe	vssadmin.exe
PID 3408 wrote to memory of 3732	3408	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe
"C:\Users\Admin\AppData\Local\Temp\2aee14aa18a742ea0a5409173a220855b9ab1720748bf992ddd93e0b85b82fb3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ipnu4wth.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES687A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC685A.tmp"
3⤵
PID:1908

C:\Windows\system32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:5076

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\sysnative\wbem\wmic.exe" shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Windows\sysnative\vssadmin.exe" Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\vssadmin.exe
C:\Windows\sysnative\vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES687A.tmp
Filesize
1KB

MD5
bc549727a2902afe62651e7936d7beb5

SHA1
59950f97f65ae9d3a263f7fc3c3b20a3e6417780

SHA256
a6b81d90406728039351b4a83709bd21f0a6c87760088a7b48b483ba0a55fcf4

SHA512
c5e4d5c4d18e43a892e61d7020e3174719a298dba645d0834ace0c856b72c784bb716667dae1f0583dd7957cdcb82b612b765b3cd860409af54f81d30579f501

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipnu4wth.dll
Filesize
13KB

MD5
f65ebb050c64ae1b163ac15bcd155e5e

SHA1
be4f18940cc413a89b8d7dcf4f1179e932388836

SHA256
18d03d1348065f9a3ca2b3b427eec43be2ddd1465e790f46b17df0ad07dac3d6

SHA512
c743ec710af443e3f0f756fb28ae83530ecc93dfef840153bfa3c4350312d576aa9966e5980b980ff55cee25b8712846dbcca11f3a23970328700f3285db6efe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC685A.tmp
Filesize
652B

MD5
43cbba9fd73da5abfdff4ae80818f2d6

SHA1
9d9a69f1743d4f8965cbfa84b8015663a094b443

SHA256
d5ef689b324afc29c1f4f0aa8518d9d05f44f242b0e27f538e1931ee0b2fb383

SHA512
c8a2c5d9e3e7f0fc2727c964f1b83d7afede4fd76237f8b4193369be0d6c849a81490e0963edb5e0501c7d6b9495e3b41eca2ef134a8f81988ec0c94858eb1ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipnu4wth.0.cs
Filesize
22KB

MD5
876e1e05167f8d7cd0998c864f730338

SHA1
b3a0dd03960b49d4620553e53a5194eb7483b30e

SHA256
77ce602164e8a8f39684776b8528b710b032f863415334125b33cda12e7b8e2b

SHA512
390fd444f4b9e47664b54c9cb6459eb81e1db6f1b63db0e1c126fe17e7049b767bbd47f21894204bd53e3490d7efc8b0a962a5cebeb90e89cabcf0f3cc31f2d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ipnu4wth.cmdline
Filesize
347B

MD5
4a1dbee630ce8a684c38809a9a65c0b0

SHA1
efe4c9c6770b3b9d677e37db221003bf934d6f5e

SHA256
02813f73eff74ed1d949959fcd6b23ae04cca1984ad0b068bbb7f8de3d38f89a

SHA512
0a53a62ac161af8bb4addee2bf2bab95e4beab5d27706c1144c4457ac2f2e653f4195ae530f84c343439af163dfcbbad6cf9489a007d1ba463600981ccfd63b5

Download Submit
memory/1448-132-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/1448-133-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/1908-137-0x0000000000000000-mapping.dmp

Download
memory/3192-142-0x0000000000000000-mapping.dmp

Download
memory/3408-143-0x0000000000000000-mapping.dmp

Download
memory/3732-144-0x0000000000000000-mapping.dmp

Download
memory/4852-134-0x0000000000000000-mapping.dmp

Download
memory/5076-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads