4568f9dd1dc8fd256524e78f1d32d009eb0d5acbdc1a9d9507287832808e50e9

Resubmissions

07-02-2023 21:14

230207-z3l7zsfa9w 10

07-02-2023 21:10

230207-z1fx7aff86 10

04-02-2023 03:46

230204-ebzc1sff9s 10

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-02-2023 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

2.1MB
MD5

e41f12a522a995f17843ecd4ea38091a
SHA1

11a2399ed08a3618762905753e639299dfe3dc43
SHA256

33e9f0c2664f1845ef32af75623184d61537ac4ea24c8e9993deffb4fdba71b1
SHA512

4efe1fc05920900dca5592f82a39fc07095148f36cb7a28daffa8b2de43e33a5bc16254b4204b7809b0cdac12de46afdf75fca8a8f4f90afad6127436d43cf02
SSDEEP

49152:AKdKdhwcjW7oPlIFP2a8cTPBn+zO+LH4Gh0LKUm:AKdQheoPOx8Mnb+

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1180 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 940 vssvc.exe
Token: SeRestorePrivilege 940 vssvc.exe
Token: SeAuditPrivilege 940 vssvc.exe

pid	process
1180	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	940	vssvc.exe
Token: SeRestorePrivilege	940	vssvc.exe
Token: SeAuditPrivilege	940	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1.exe

description	pid	process	target process
PID 1160 wrote to memory of 1180	1160	1.exe	vssadmin.exe
PID 1160 wrote to memory of 1180	1160	1.exe	vssadmin.exe
PID 1160 wrote to memory of 1180	1160	1.exe	vssadmin.exe
PID 1160 wrote to memory of 1180	1160	1.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1180-55-0x0000000000000000-mapping.dmp

Download