4568f9dd1dc8fd256524e78f1d32d009eb0d5acbdc1a9d9507287832808e50e9

Resubmissions

07-02-2023 21:14

230207-z3l7zsfa9w 10

07-02-2023 21:10

230207-z1fx7aff86 10

04-02-2023 03:46

230204-ebzc1sff9s 10

Analysis

max time kernel
1609s
max time network
1612s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-02-2023 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

2.1MB
MD5

e41f12a522a995f17843ecd4ea38091a
SHA1

11a2399ed08a3618762905753e639299dfe3dc43
SHA256

33e9f0c2664f1845ef32af75623184d61537ac4ea24c8e9993deffb4fdba71b1
SHA512

4efe1fc05920900dca5592f82a39fc07095148f36cb7a28daffa8b2de43e33a5bc16254b4204b7809b0cdac12de46afdf75fca8a8f4f90afad6127436d43cf02
SSDEEP

49152:AKdKdhwcjW7oPlIFP2a8cTPBn+zO+LH4Gh0LKUm:AKdQheoPOx8Mnb+

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1280	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	564	vssvc.exe
Token: SeRestorePrivilege	564	vssvc.exe
Token: SeAuditPrivilege	564	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1280	1292	1.exe	28
PID 1292 wrote to memory of 1280	1292	1.exe	28
PID 1292 wrote to memory of 1280	1292	1.exe	28
PID 1292 wrote to memory of 1280	1292	1.exe	28

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact