Analysis

  • max time kernel
    29s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/03/2023, 10:07

General

  • Target

    166c61424c79b082c52448d66f66156f.exe

  • Size

    1.2MB

  • MD5

    166c61424c79b082c52448d66f66156f

  • SHA1

    0cbd03202b50932f24da07bc91f0aa1e579177f4

  • SHA256

    6195f07015a3408f58375cf7dd2444f3fe1a751cea0052cad9024fc55e8aa320

  • SHA512

    cd0ad1b04d2be67e072784418f9f4354e9adf194946658afa5ac8f866fa27bc6cd24659deffb0e46068d964903aa642e0f681ac31aa4c43f89b63faf16d07e7c

  • SSDEEP

    6144:rm4TgrU5XdB6MQkz5zMAOdjhDspqO6skIGNcCqB7VYq:rXTgrU5XwpnjzDsC2C6VYq

Score
9/10

Malware Config

Signatures

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files (10 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext (1 IoC)
  • Interacts with shadow copies (2 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\166c61424c79b082c52448d66f66156f.exe
    "C:\Users\Admin\AppData\Local\Temp\166c61424c79b082c52448d66f66156f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:432
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:280
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:696
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1824

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\PerfLogs\Admin\How To Restore Your Files.txt

          Filesize

          272B

          MD5

          9cee3cd6590c1a7902e92daf03ef467b

          SHA1

          ef31096205e95601d124de1e69652a24fb0a0968

          SHA256

          bf6b4f9ea83f59043027605234c5af52e9146e8903816175cefdd33af148549d

          SHA512

          13d94c5bf381616ffd41108b81d712bb1fd8f0c7729d09518893deb316555ea7c46a84c4985af9b20e51d40f8890ed7045a7faf1f9026aa499fdf0e5bd7aa07e

        • memory/2004-54-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-56-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-57-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-87-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-352-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-360-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-361-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-362-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-366-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

        • memory/2004-367-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB