Analysis

- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 11-03-2023 16:55
Behavioral task: behavioral1
- Sample: R5X2SH.bin.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: R5X2SH.bin.exe
- Resource: win10v2004-20230221-en
General

- Target: R5X2SH.bin.exe
- Size: 229KB
- MD5: 2316091f02153ac20dff768513aae1a4
- SHA1: 6b7b1017b9313ab87fccf4ea08a427c1499b89dc
- SHA256: 940bddbc6ef19b211f2022d61bf4d006969da11f9fe0beba98586e554dfcc741
- SHA512: ff039365b85686a4b191a81d3f0e3b8ced76a7b3161d28906854d86cf2452c96dd2e476ef29f3eae29ea22efce4f0d4484b82a32bfe8dde0e0fec91d630b1448
- SSDEEP: 6144:oNxyvPouZtK58suC/004GKXkq4RUs3fY:oNxyXNtK58su3Z0RPY
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Deletes itself (1 IoCs)
Processes:

| pid | process |
|-----|---------|
| 944 | cmd.exe |

Modifies file permissions (1 TTPs, 1 IoCs)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:

| description | ioc | process |
|-------------|-----|---------|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\R5X2SH.bin.exe\" e" | R5X2SH.bin.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run | R5X2SH.bin.exe |

Drops desktop.ini file(s) (1 IoCs)
Processes:

| description | ioc | process |
|-------------|-----|---------|
| File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini | R5X2SH.bin.exe |

Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:

| description | ioc | process |
|-------------|-----|---------|
| File opened (read-only) | \??\D: | R5X2SH.bin.exe |
| File opened (read-only) | \??\E: | R5X2SH.bin.exe |
| File opened (read-only) | \??\E: | vssadmin.exe |
| File opened (read-only) | \??\F: | vssadmin.exe |
| File opened (read-only) | \??\F: | vssadmin.exe |
| File opened (read-only) | \??\g: | vssadmin.exe |
| File opened (read-only) | \??\h: | vssadmin.exe |
| File opened (read-only) | \??\D: | vssadmin.exe |
| File opened (read-only) | \??\D: | vssadmin.exe |
| File opened (read-only) | \??\E: | vssadmin.exe |
| File opened (read-only) | \??\g: | vssadmin.exe |
| File opened (read-only) | \??\H: | vssadmin.exe |
| File opened (read-only) | \??\G: | vssadmin.exe |
| File opened (read-only) | \??\h: | vssadmin.exe |
| File opened (read-only) | \??\f: | vssadmin.exe |
| File opened (read-only) | \??\f: | vssadmin.exe |
| File opened (read-only) | \??\G: | vssadmin.exe |
| File opened (read-only) | \??\H: | vssadmin.exe |
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:

| pid  | process |
|------|---------|
| 1112 | sc.exe  |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoCs)
Processes:

| pid  | process     |
|------|-------------|
| 1132 | timeout.exe |

Interacts with shadow copies (2 TTPs, 14 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:

| pid  | process      |
|------|--------------|
| 1968 | vssadmin.exe |
| 604  | vssadmin.exe |
| 1400 | vssadmin.exe |
| 1700 | vssadmin.exe |
| 2000 | vssadmin.exe |
| 740  | vssadmin.exe |
| 1904 | vssadmin.exe |
| 1100 | vssadmin.exe |
| 1656 | vssadmin.exe |
| 1704 | vssadmin.exe |
| 1268 | vssadmin.exe |
| 612  | vssadmin.exe |
| 1132 | vssadmin.exe |
| 336  | vssadmin.exe |

Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:

| pid  | process        |
|------|----------------|
| 1028 | powershell.exe |
| 1188 | R5X2SH.bin.exe |

Suspicious use of AdjustPrivilegeToken (44 IoCs)
Processes:

| description | pid | process |
|-------------|-----|---------|
| Token: SeBackupPrivilege | 868 | vssvc.exe |
| Token: SeRestorePrivilege | 868 | vssvc.exe |
| Token: SeAuditPrivilege | 868 | vssvc.exe |
| Token: SeIncreaseQuotaPrivilege | 1144 | wmic.exe |
| Token: SeSecurityPrivilege | 1144 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 1144 | wmic.exe |
| Token: SeLoadDriverPrivilege | 1144 | wmic.exe |
| Token: SeSystemProfilePrivilege | 1144 | wmic.exe |
| Token: SeSystemtimePrivilege | 1144 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 1144 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 1144 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 1144 | wmic.exe |
| Token: SeBackupPrivilege | 1144 | wmic.exe |
| Token: SeRestorePrivilege | 1144 | wmic.exe |
| Token: SeShutdownPrivilege | 1144 | wmic.exe |
| Token: SeDebugPrivilege | 1144 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 1144 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 1144 | wmic.exe |
| Token: SeUndockPrivilege | 1144 | wmic.exe |
| Token: SeManageVolumePrivilege | 1144 | wmic.exe |
| Token: 33 | 1144 | wmic.exe |
| Token: 34 | 1144 | wmic.exe |
| Token: 35 | 1144 | wmic.exe |
| Token: SeIncreaseQuotaPrivilege | 1144 | wmic.exe |
| Token: SeSecurityPrivilege | 1144 | wmic.exe |
| Token: SeTakeOwnershipPrivilege | 1144 | wmic.exe |
| Token: SeLoadDriverPrivilege | 1144 | wmic.exe |
| Token: SeSystemProfilePrivilege | 1144 | wmic.exe |
| Token: SeSystemtimePrivilege | 1144 | wmic.exe |
| Token: SeProfSingleProcessPrivilege | 1144 | wmic.exe |
| Token: SeIncBasePriorityPrivilege | 1144 | wmic.exe |
| Token: SeCreatePagefilePrivilege | 1144 | wmic.exe |
| Token: SeBackupPrivilege | 1144 | wmic.exe |
| Token: SeRestorePrivilege | 1144 | wmic.exe |
| Token: SeShutdownPrivilege | 1144 | wmic.exe |
| Token: SeDebugPrivilege | 1144 | wmic.exe |
| Token: SeSystemEnvironmentPrivilege | 1144 | wmic.exe |
| Token: SeRemoteShutdownPrivilege | 1144 | wmic.exe |
| Token: SeUndockPrivilege | 1144 | wmic.exe |
| Token: SeManageVolumePrivilege | 1144 | wmic.exe |
| Token: 33 | 1144 | wmic.exe |
| Token: 34 | 1144 | wmic.exe |
| Token: 35 | 1144 | wmic.exe |
| Token: SeDebugPrivilege | 1028 | powershell.exe |

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:

| description | pid | process | target process |
|-------------|-----|---------|----------------|
| PID 1188 wrote to memory of 1248 | 1188 | R5X2SH.bin.exe | net.exe |
| PID 1188 wrote to memory of 1248 | 1188 | R5X2SH.bin.exe | net.exe |
| PID 1188 wrote to memory of 1248 | 1188 | R5X2SH.bin.exe | net.exe |
| PID 1188 wrote to memory of 1248 | 1188 | R5X2SH.bin.exe | net.exe |
| PID 1188 wrote to memory of 1400 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1400 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1400 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1400 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1248 wrote to memory of 1676 | 1248 | net.exe | net1.exe |
| PID 1248 wrote to memory of 1676 | 1248 | net.exe | net1.exe |
| PID 1248 wrote to memory of 1676 | 1248 | net.exe | net1.exe |
| PID 1248 wrote to memory of 1676 | 1248 | net.exe | net1.exe |
| PID 1188 wrote to memory of 1112 | 1188 | R5X2SH.bin.exe | sc.exe |
| PID 1188 wrote to memory of 1112 | 1188 | R5X2SH.bin.exe | sc.exe |
| PID 1188 wrote to memory of 1112 | 1188 | R5X2SH.bin.exe | sc.exe |
| PID 1188 wrote to memory of 1112 | 1188 | R5X2SH.bin.exe | sc.exe |
| PID 1188 wrote to memory of 1144 | 1188 | R5X2SH.bin.exe | wmic.exe |
| PID 1188 wrote to memory of 1144 | 1188 | R5X2SH.bin.exe | wmic.exe |
| PID 1188 wrote to memory of 1144 | 1188 | R5X2SH.bin.exe | wmic.exe |
| PID 1188 wrote to memory of 1144 | 1188 | R5X2SH.bin.exe | wmic.exe |
| PID 1188 wrote to memory of 1700 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1700 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1700 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1700 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 2000 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 2000 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 2000 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 2000 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1100 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1100 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1100 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1100 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 740 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 740 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 740 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 740 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 612 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 612 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 612 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 612 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1132 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1132 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1132 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1132 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1968 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1968 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1968 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1968 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 604 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 604 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 604 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 604 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1904 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1904 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1904 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1904 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1656 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1656 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1656 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 1656 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 336 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 336 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 336 | 1188 | R5X2SH.bin.exe | vssadmin.exe |
| PID 1188 wrote to memory of 336 | 1188 | R5X2SH.bin.exe | vssadmin.exe |

System policy modification (1 TTPs, 1 IoCs)
Processes:

| description | ioc | process |
|-------------|-----|---------|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | R5X2SH.bin.exe |

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe"
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop VSS & sc config VSS start= disabled
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc config VSS start= Demand & net start VSS
    - Launches sc.exe
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY delete /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
    - Modifies file permissions
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe" >> NUL
    - Deletes itself
    Child processes:
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      - Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/1028-61-0x0000000002560000-0x00000000025A0000-memory.dmp (Filesize: 256KB)
- memory/1188-54-0x0000000001080000-0x000000000110F000-memory.dmp (Filesize: 572KB)
- memory/1188-57-0x0000000001080000-0x000000000110F000-memory.dmp (Filesize: 572KB)
- memory/1188-56-0x0000000001080000-0x000000000110F000-memory.dmp (Filesize: 572KB)
- memory/1188-55-0x0000000001080000-0x000000000110F000-memory.dmp (Filesize: 572KB)
- memory/1188-58-0x0000000001080000-0x000000000110F000-memory.dmp (Filesize: 572KB)
- memory/1188-66-0x0000000001080000-0x000000000110F000-memory.dmp (Filesize: 572KB)