bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66

Resubmissions

24-01-2023 13:44

230124-q11g6aca43 10

19-01-2023 04:27

230119-e29axafb46 10

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-01-2023 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66.exe
Size

2.1MB
MD5

c9b3c61c718240516a1d3b3875d8e991
SHA1

7c42c65934ffe2ae0d54a8828b04102997866fd4
SHA256

bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66
SHA512

5f9f69f1673ebbaf8d89c2747ce4201cd6f9eab9d21da139aa7dba8014720670b8a9dcf3ed030800df87f2452a5e59dbd46aa93559300cda537f891bafe1a793
SSDEEP

24576:R+KpPzIzkQoU6TPF8mkoSW12GR7qMA6v0Xwq8UcNV++e/i5dv9jOlRJYzyiMAIQ3:Bq9LmKKe36MmYJPAvIPtHzHIh4UC4qk

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
956	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	704	vssvc.exe
Token: SeRestorePrivilege	704	vssvc.exe
Token: SeAuditPrivilege	704	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 956	1228	bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66.exe	28
PID 1228 wrote to memory of 956	1228	bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66.exe	28
PID 1228 wrote to memory of 956	1228	bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66.exe	28
PID 1228 wrote to memory of 956	1228	bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66.exe	28

C:\Users\Admin\AppData\Local\Temp\bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66.exe
"C:\Users\Admin\AppData\Local\Temp\bc06587b96b2628480d47579bcc2519a9da2b55aa037a49af4cd03811c534f66.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact