Analysis
-
max time kernel
90s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2022 14:36
Static task
static1
Behavioral task
behavioral1
Sample
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
Resource
win10v2004-20221111-en
General
-
Target
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
-
Size
298KB
-
MD5
40cb01660e4b45213c35e997b94238a0
-
SHA1
8a1f0f62eede7cd183158567f9b78384074f5fed
-
SHA256
9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5
-
SHA512
305cedfe911fc108c33310a9954c368d9f3583f275d8cc002473bbb47294d7171b10854e2f513c589c4d17197e39dadcfc11c19bf9cf5573747651fefe5fd4e4
-
SSDEEP
6144:fMjokASLOMN9/wJP96/jdLnCd4C0+7s0Vlm2QV7wcNTLysyTXLI/dc46xPy3cYsF:nkAqOi94x96Rjw4C02silwNTLxyTX01a
Malware Config
Extracted
pony
http://gruzdom.ru/api/
Signatures
-
CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1176 4324 cmd.exe 46 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 4820 bcdedit.exe 2064 bcdedit.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3332 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeImpersonatePrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeTcbPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeChangeNotifyPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeCreateTokenPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeBackupPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeRestorePrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeIncreaseQuotaPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeAssignPrimaryTokenPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeIncreaseQuotaPrivilege 4592 WMIC.exe Token: SeSecurityPrivilege 4592 WMIC.exe Token: SeTakeOwnershipPrivilege 4592 WMIC.exe Token: SeLoadDriverPrivilege 4592 WMIC.exe Token: SeSystemProfilePrivilege 4592 WMIC.exe Token: SeSystemtimePrivilege 4592 WMIC.exe Token: SeProfSingleProcessPrivilege 4592 WMIC.exe Token: SeIncBasePriorityPrivilege 4592 WMIC.exe Token: SeCreatePagefilePrivilege 4592 WMIC.exe Token: SeBackupPrivilege 4592 WMIC.exe Token: SeRestorePrivilege 4592 WMIC.exe Token: SeShutdownPrivilege 4592 WMIC.exe Token: SeDebugPrivilege 4592 WMIC.exe Token: SeSystemEnvironmentPrivilege 4592 WMIC.exe Token: SeRemoteShutdownPrivilege 4592 WMIC.exe Token: SeUndockPrivilege 4592 WMIC.exe Token: SeManageVolumePrivilege 4592 WMIC.exe Token: 33 4592 WMIC.exe Token: 34 4592 WMIC.exe Token: 35 4592 WMIC.exe Token: 36 4592 WMIC.exe Token: SeIncreaseQuotaPrivilege 4592 WMIC.exe Token: SeSecurityPrivilege 4592 WMIC.exe Token: SeTakeOwnershipPrivilege 4592 WMIC.exe Token: SeLoadDriverPrivilege 4592 WMIC.exe Token: SeSystemProfilePrivilege 4592 WMIC.exe Token: SeSystemtimePrivilege 4592 WMIC.exe Token: SeProfSingleProcessPrivilege 4592 WMIC.exe Token: SeIncBasePriorityPrivilege 4592 WMIC.exe Token: SeCreatePagefilePrivilege 4592 WMIC.exe Token: SeBackupPrivilege 4592 WMIC.exe Token: SeRestorePrivilege 4592 WMIC.exe Token: SeShutdownPrivilege 4592 WMIC.exe Token: SeDebugPrivilege 4592 WMIC.exe Token: SeSystemEnvironmentPrivilege 4592 WMIC.exe Token: SeRemoteShutdownPrivilege 4592 WMIC.exe Token: SeUndockPrivilege 4592 WMIC.exe Token: SeManageVolumePrivilege 4592 WMIC.exe Token: 33 4592 WMIC.exe Token: 34 4592 WMIC.exe Token: 35 4592 WMIC.exe Token: 36 4592 WMIC.exe Token: SeBackupPrivilege 1116 vssvc.exe Token: SeRestorePrivilege 1116 vssvc.exe Token: SeAuditPrivilege 1116 vssvc.exe Token: SeImpersonatePrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeTcbPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeChangeNotifyPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeCreateTokenPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeBackupPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeRestorePrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeIncreaseQuotaPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeAssignPrimaryTokenPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeImpersonatePrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeTcbPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe Token: SeChangeNotifyPrivilege 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3064 wrote to memory of 4592 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe 82 PID 3064 wrote to memory of 4592 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe 82 PID 3064 wrote to memory of 4592 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe 82 PID 3064 wrote to memory of 4240 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe 83 PID 3064 wrote to memory of 4240 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe 83 PID 3064 wrote to memory of 4240 3064 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe 83 PID 1176 wrote to memory of 3332 1176 cmd.exe 87 PID 1176 wrote to memory of 3332 1176 cmd.exe 87 PID 1176 wrote to memory of 4820 1176 cmd.exe 92 PID 1176 wrote to memory of 4820 1176 cmd.exe 92 PID 1176 wrote to memory of 2064 1176 cmd.exe 94 PID 1176 wrote to memory of 2064 1176 cmd.exe 94 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe"C:\Users\Admin\AppData\Local\Temp\9ed9ed487238d528d158d25f1a6189aa9fbe37f5bba5e40e033e0b0a786119d5.exe"1⤵
- Checks computer location settings
- Drops startup file
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:3064 -
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵PID:4240
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3332
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:4820
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2064
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1116
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD51cf60361078e1c2f1219d27c4b3e760c
SHA108d350d205da687672b13e22b253932dd1708e75
SHA256c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43
SHA51290f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb