595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9

Resubmissions

24-01-2023 13:41

230124-qy9caade8t 10

19-01-2023 06:28

230119-g8e2racc3v 10

Analysis

max time kernel
38s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Royal_ransom_5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c.exe
Size

2.1MB
MD5

c46070b5e113a7f5d9a58de14a11e430
SHA1

5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c
SHA256

595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9
SHA512

e77a2bbc22974f79f30f6673adaf78c8818d674532ef1cff4d61514ecb3d1aec0459d76c05595d1c650624bf25d4e4f06ee14841b5c2b1c5a20a27e4861ae818
SSDEEP

24576:R+KpPzIzkQoU6TPF8mkoSW12GR7qMA6v0Xwq8UcNV++e/i5dv9jOlRJYzyiMAIQB:Bq9LmKKe36MmYJPAvIPtHzHlh4UC4qki

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1888	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1756	vssvc.exe
Token: SeRestorePrivilege	1756	vssvc.exe
Token: SeAuditPrivilege	1756	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 608 wrote to memory of 1888	608	Royal_ransom_5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c.exe	28
PID 608 wrote to memory of 1888	608	Royal_ransom_5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c.exe	28
PID 608 wrote to memory of 1888	608	Royal_ransom_5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c.exe	28
PID 608 wrote to memory of 1888	608	Royal_ransom_5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c.exe	28

C:\Users\Admin\AppData\Local\Temp\Royal_ransom_5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c.exe
"C:\Users\Admin\AppData\Local\Temp\Royal_ransom_5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:608
- C:\Windows\SysWOW64\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact