Analysis
- max time kernel: 232s
- max time network: 266s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 18:35
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a7ab0969bf6641cd0c7228ae95f6d217.exe
  - Resource: win10v2004-20220812-en
General
- Target: a7ab0969bf6641cd0c7228ae95f6d217.exe
- Size: 7.7MB
- MD5: a7ab0969bf6641cd0c7228ae95f6d217
- SHA1: 002971b6d178698bf7930b5b89c201750d80a07e
- SHA256: 117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
- SHA512: 7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a
- SSDEEP: 49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: a7ab0969bf6641cd0c7228ae95f6d217.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | a7ab0969bf6641cd0c7228ae95f6d217.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: svchost.exe
  description | ioc | process
  File opened (read-only) | \??\W: | svchost.exe
  File opened (read-only) | \??\A: | svchost.exe
  File opened (read-only) | \??\G: | svchost.exe
  File opened (read-only) | \??\K: | svchost.exe
  File opened (read-only) | \??\M: | svchost.exe
  File opened (read-only) | \??\Q: | svchost.exe
  File opened (read-only) | \??\S: | svchost.exe
  File opened (read-only) | \??\T: | svchost.exe
  File opened (read-only) | \??\E: | svchost.exe
  File opened (read-only) | \??\N: | svchost.exe
  File opened (read-only) | \??\O: | svchost.exe
  File opened (read-only) | \??\R: | svchost.exe
  File opened (read-only) | \??\U: | svchost.exe
  File opened (read-only) | \??\Z: | svchost.exe
  File opened (read-only) | \??\I: | svchost.exe
  File opened (read-only) | \??\X: | svchost.exe
  File opened (read-only) | \??\B: | svchost.exe
  File opened (read-only) | \??\F: | svchost.exe
  File opened (read-only) | \??\H: | svchost.exe
  File opened (read-only) | \??\J: | svchost.exe
  File opened (read-only) | \??\L: | svchost.exe
  File opened (read-only) | \??\P: | svchost.exe
  File opened (read-only) | \??\V: | svchost.exe
  File opened (read-only) | \??\Y: | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  3640 | vssadmin.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE
  pid | process
  4348 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a7ab0969bf6641cd0c7228ae95f6d217.exe
  pid | process
  4436 | a7ab0969bf6641cd0c7228ae95f6d217.exe (the same entry is listed for each of the 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Processes: a7ab0969bf6641cd0c7228ae95f6d217.exe, vssvc.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 4436 | a7ab0969bf6641cd0c7228ae95f6d217.exe
  Token: SeBackupPrivilege | 1072 | vssvc.exe
  Token: SeRestorePrivilege | 1072 | vssvc.exe
  Token: SeAuditPrivilege | 1072 | vssvc.exe
  Token: SeAuditPrivilege | 2576 | svchost.exe (listed 11 times)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  4348 | NOTEPAD.EXE (listed 2 times)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: a7ab0969bf6641cd0c7228ae95f6d217.exe, cmd.exe
  description | pid | process | target process
  PID 4436 wrote to memory of 1812 | 4436 | a7ab0969bf6641cd0c7228ae95f6d217.exe | cmd.exe
  PID 4436 wrote to memory of 1812 | 4436 | a7ab0969bf6641cd0c7228ae95f6d217.exe | cmd.exe
  PID 1812 wrote to memory of 3640 | 1812 | cmd.exe | vssadmin.exe
  PID 1812 wrote to memory of 3640 | 1812 | cmd.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a7ab0969bf6641cd0c7228ae95f6d217.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7ab0969bf6641cd0c7228ae95f6d217.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\a7ab0969bf6641cd0c7228ae95f6d217.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow