Analysis
max time kernel: 152s
max time network: 152s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 05:41
Static task: static1
Behavioral task: behavioral1
  Sample: eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
  Resource: win10v2004-20220812-en
General
Target: eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
Size: 184KB
MD5: 17255f13e6914fbc1dd9dec40a0f05cd
SHA1: 69142df7d8539ceec58cd37b5b2ed4197de709ed
SHA256: eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8
SHA512: fde2cf558b3dea7bd8b7bc6afe9931fe7c7051834405196067965a53ebdd5865fe46927b57b3857e21546ff8d673628f06981bd4787057b5c1df5216287659f6
SSDEEP: 3072:+yXt9mTrJfPB6y0TwqjoL0sMjHicmDJij4X0PQgyrkEp92QObfOCLn2O:D4FfZ6zTwhmjsO4XcQ1F9pObp2O
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1064  wpcdvml.exe
  1924  wpcdvml.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  1192  cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  796   eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description      ioc                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svv_e = "C:\\Users\\Admin\\AppData\\Roaming\\wpcdvml.exe"       wpcdvml.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                             wpcdvml.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*svv_e = "C:\\Users\\Admin\\AppData\\Roaming\\wpcdvml.exe"  wpcdvml.exe
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                                 wpcdvml.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  2     ipinfo.io

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                         pid   process                                                                  target process
  PID 1536 set thread context of 796  1536  eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe   eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
  PID 1064 set thread context of 1924 1064  wpcdvml.exe                                                              wpcdvml.exe
Drops file in Program Files directory (59 IoCs)
Processes (all entries: description "File opened for modification", process wpcdvml.exe):
  C:\Program Files\7-Zip\Lang\kk.txt
  C:\Program Files\7-Zip\Lang\nb.txt
  C:\Program Files\7-Zip\Lang\br.txt
  C:\Program Files\7-Zip\Lang\co.txt
  C:\Program Files\7-Zip\Lang\de.txt
  C:\Program Files\7-Zip\Lang\gl.txt
  C:\Program Files\7-Zip\Lang\it.txt
  C:\Program Files\7-Zip\Lang\es.txt
  C:\Program Files\7-Zip\Lang\hr.txt
  C:\Program Files\7-Zip\Lang\ky.txt
  C:\Program Files\7-Zip\Lang\mng2.txt
  C:\Program Files\7-Zip\Lang\be.txt
  C:\Program Files\7-Zip\Lang\bg.txt
  C:\Program Files\7-Zip\Lang\kaa.txt
  C:\Program Files\7-Zip\Lang\ku-ckb.txt
  C:\Program Files\7-Zip\Lang\hi.txt
  C:\Program Files\7-Zip\Lang\io.txt
  C:\Program Files\7-Zip\Lang\mn.txt
  C:\Program Files\7-Zip\Lang\ast.txt
  C:\Program Files\7-Zip\Lang\cs.txt
  C:\Program Files\7-Zip\Lang\el.txt
  C:\Program Files\7-Zip\Lang\et.txt
  C:\Program Files\7-Zip\Lang\eu.txt
  C:\Program Files\7-Zip\Lang\ms.txt
  C:\Program Files\7-Zip\Lang\an.txt
  C:\Program Files\7-Zip\Lang\ar.txt
  C:\Program Files\7-Zip\Lang\ku.txt
  C:\Program Files\7-Zip\Lang\af.txt
  C:\Program Files\7-Zip\Lang\az.txt
  C:\Program Files\7-Zip\Lang\fa.txt
  C:\Program Files\7-Zip\Lang\fy.txt
  C:\Program Files\7-Zip\Lang\lt.txt
  C:\Program Files\7-Zip\Lang\gu.txt
  C:\Program Files\7-Zip\Lang\ka.txt
  C:\Program Files\7-Zip\Lang\kab.txt
  C:\Program Files\7-Zip\Lang\ko.txt
  C:\Program Files\7-Zip\Lang\id.txt
  C:\Program Files\7-Zip\Lang\eo.txt
  C:\Program Files\7-Zip\Lang\fi.txt
  C:\Program Files\7-Zip\Lang\he.txt
  C:\Program Files\7-Zip\Lang\cy.txt
  C:\Program Files\7-Zip\Lang\hu.txt
  C:\Program Files\7-Zip\Lang\is.txt
  C:\Program Files\7-Zip\Lang\da.txt
  C:\Program Files\7-Zip\Lang\ja.txt
  C:\Program Files\7-Zip\Lang\mk.txt
  C:\Program Files\7-Zip\Lang\ext.txt
  C:\Program Files\7-Zip\Lang\fur.txt
  C:\Program Files\7-Zip\Lang\ga.txt
  C:\Program Files\7-Zip\Lang\hy.txt
  C:\Program Files\7-Zip\Lang\lv.txt
  C:\Program Files\7-Zip\History.txt
  C:\Program Files\7-Zip\Lang\ba.txt
  C:\Program Files\7-Zip\Lang\ca.txt
  C:\Program Files\7-Zip\Lang\mr.txt
  C:\Program Files\7-Zip\Lang\bn.txt
  C:\Program Files\7-Zip\Lang\fr.txt
  C:\Program Files\7-Zip\Lang\lij.txt
  C:\Program Files\7-Zip\Lang\mng.txt
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  856   vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  1924  wpcdvml.exe  (the same row is reported 64 times)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     796   eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
  Token: SeDebugPrivilege     1924  wpcdvml.exe
  Token: SeBackupPrivilege    1636  vssvc.exe
  Token: SeRestorePrivilege   1636  vssvc.exe
  Token: SeAuditPrivilege     1636  vssvc.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (identical rows collapsed, with their repeat count):
  description                       pid   process                                                                  target process                                                           count
  PID 1536 wrote to memory of 796   1536  eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe   eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe   10
  PID 796 wrote to memory of 1064   796   eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe   wpcdvml.exe                                                              4
  PID 1064 wrote to memory of 1924  1064  wpcdvml.exe                                                              wpcdvml.exe                                                              10
  PID 796 wrote to memory of 1192   796   eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe   cmd.exe                                                                  4
  PID 1924 wrote to memory of 856   1924  wpcdvml.exe                                                              vssadmin.exe                                                             4
Processes (process tree; the number is the depth in the tree)

Depth 1: C:\Users\Admin\AppData\Local\Temp\eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8.exe
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Roaming\wpcdvml.exe
      Command line: C:\Users\Admin\AppData\Roaming\wpcdvml.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\wpcdvml.exe
        Command line: C:\Users\Admin\AppData\Roaming\wpcdvml.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          - Interacts with shadow copies

    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EACEEF~1.EXE >> NUL
      - Deletes itself

Depth 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\wpcdvml.exe
  Filesize: 184KB
  MD5: 17255f13e6914fbc1dd9dec40a0f05cd
  SHA1: 69142df7d8539ceec58cd37b5b2ed4197de709ed
  SHA256: eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8
  SHA512: fde2cf558b3dea7bd8b7bc6afe9931fe7c7051834405196067965a53ebdd5865fe46927b57b3857e21546ff8d673628f06981bd4787057b5c1df5216287659f6

\Users\Admin\AppData\Roaming\wpcdvml.exe
  Filesize: 184KB
  MD5: 17255f13e6914fbc1dd9dec40a0f05cd
  SHA1: 69142df7d8539ceec58cd37b5b2ed4197de709ed
  SHA256: eaceefa415070bbdd2c0f66d51e3161ac6cf9039f284199f6b610f83ce2f24d8
  SHA512: fde2cf558b3dea7bd8b7bc6afe9931fe7c7051834405196067965a53ebdd5865fe46927b57b3857e21546ff8d673628f06981bd4787057b5c1df5216287659f6

Memory dumps:
  memory/796-58-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/796-68-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/796-60-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/796-65-0x0000000000425911-mapping.dmp
  memory/796-92-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/796-69-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/796-55-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/796-56-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/796-64-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/796-62-0x0000000000400000-0x0000000000467000-memory.dmp   Filesize: 412KB
  memory/856-94-0x0000000000000000-mapping.dmp
  memory/1064-71-0x0000000000000000-mapping.dmp
  memory/1192-91-0x0000000000000000-mapping.dmp
  memory/1536-54-0x00000000764C1000-0x00000000764C3000-memory.dmp  Filesize: 8KB
  memory/1924-90-0x0000000000400000-0x0000000000467000-memory.dmp  Filesize: 412KB
  memory/1924-84-0x0000000000425911-mapping.dmp
  memory/1924-93-0x0000000000400000-0x0000000000467000-memory.dmp  Filesize: 412KB