Analysis
- max time kernel: 98s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-03-2023 16:55
Behavioral tasks
- behavioral1: sample R5X2SH.bin.exe, resource win7-20230220-en
- behavioral2: sample R5X2SH.bin.exe, resource win10v2004-20230221-en (the run shown on this page)
General
- Target: R5X2SH.bin.exe
- Size: 229KB
- MD5: 2316091f02153ac20dff768513aae1a4
- SHA1: 6b7b1017b9313ab87fccf4ea08a427c1499b89dc
- SHA256: 940bddbc6ef19b211f2022d61bf4d006969da11f9fe0beba98586e554dfcc741
- SHA512: ff039365b85686a4b191a81d3f0e3b8ced76a7b3161d28906854d86cf2452c96dd2e476ef29f3eae29ea22efce4f0d4484b82a32bfe8dde0e0fec91d630b1448
- SSDEEP: 6144:oNxyvPouZtK58suC/004GKXkq4RUs3fY:oNxyXNtK58su3Z0RPY
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  - R5X2SH.bin.exe: key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
- Modifies file permissions (1 TTP, 1 IoC)
  The IoC is the icacls.exe child process listed in the process tree.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - R5X2SH.bin.exe: key created \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - R5X2SH.bin.exe: set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\R5X2SH.bin.exe\" e"
  The autostart points at the sample's own path in %TEMP% and passes a single argument, "e".
- Drops desktop.ini file(s) (1 IoC)
  Processes:
  - R5X2SH.bin.exe: file opened for modification \??\E:\$RECYCLE.BIN\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - R5X2SH.bin.exe: file opened (read-only) \??\D:
  - R5X2SH.bin.exe: file opened (read-only) \??\E:
- Launches sc.exe (1 IoC)
  sc.exe is the Windows utility for controlling services on the system.
  Processes:
  - sc.exe (PID 3804)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  Processes:
  - timeout.exe (PID 1964)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - powershell.exe (PID 4204), recorded twice
  - R5X2SH.bin.exe (PID 844), recorded twice
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
  - wmic.exe (PID 3036), each privilege recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - vssvc.exe (PID 3484): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - powershell.exe (PID 4204): SeDebugPrivilege
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (each parent-to-child write is recorded three times):
  - R5X2SH.bin.exe (844) -> net.exe (4416)
  - net.exe (4416) -> net1.exe (1256)
  - R5X2SH.bin.exe (844) -> sc.exe (3804)
  - R5X2SH.bin.exe (844) -> wmic.exe (3036)
  - R5X2SH.bin.exe (844) -> icacls.exe (1052)
  - R5X2SH.bin.exe (844) -> powershell.exe (4204)
  - R5X2SH.bin.exe (844) -> cmd.exe (1976)
  - cmd.exe (1976) -> timeout.exe (1964)
- System policy modification (1 TTP, 1 IoC)
  Processes:
  - R5X2SH.bin.exe: set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  EnableLinkedConnections = 1 makes drive letters mapped under the user's standard token visible to the elevated token as well, so an elevated encryptor can reach mapped network shares.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
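The registry IoCs above (the Geo\Nation lookup, the MSFEEditor Run value and the EnableLinkedConnections policy) are the kind of thing a detection pipeline should pick out of a registry-event feed. The following is an added example, not code from the sandbox report or from the sample: a Python triage pass over constructed registry events copied from the report. It decodes the report's escaped REG_SZ string back into the real autostart command, splits it into image path and argument, and flags autostarts that point into a user-writable directory, the EnableLinkedConnections = 1 policy change, and the country-code lookup. The record layout ("process", "op", "key", "value") and the rule names are assumptions, not a real sandbox export format.

```python
"""Registry-IoC triage for the Signatures section above.

Added example; not code from the sandbox report or from the sample. The
records in EVENTS are constructed from the report's registry IoCs; the
record layout ("process", "op", "key", "value") is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed from the report's registry IoCs. The Run value keeps the
# report's escaping: outer quotes, \" for a quote and \\ for a backslash.
EVENTS = [
    {"process": "R5X2SH.bin.exe", "op": "query", "value": None,
     "key": r"\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation"},
    {"process": "R5X2SH.bin.exe", "op": "create", "value": None,
     "key": r"\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"process": "R5X2SH.bin.exe", "op": "set",
     "key": r"\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor",
     "value": r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\R5X2SH.bin.exe\" e"'},
    {"process": "R5X2SH.bin.exe", "op": "set", "value": "1",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"},
]

RUN_VALUE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\|\\users\\public\\|\\programdata\\", re.I)
LINKED_CONNECTIONS = re.compile(r"\\policies\\system\\enablelinkedconnections$", re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


def decode_report_string(s: str) -> str:
    """Undo the report's escaping of a REG_SZ value in a single pass, so an
    escaped backslash followed by an escaped quote is handled correctly."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def split_command(cmd: str):
    """Split an autostart command into (image path, arguments), honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def triage(events):
    """Apply the three registry rules; rule names are this example's own."""
    findings = []
    for ev in events:
        key, op = ev["key"], ev["op"]
        run = RUN_VALUE.search(key)
        if op == "set" and run:
            image, args = split_command(decode_report_string(ev["value"]))
            if USER_WRITABLE.search(image):
                findings.append(Finding("run_key_from_user_writable_path", ev["process"],
                                        f"{run.group(1)} -> {image} (args: {args!r})"))
        elif op == "set" and LINKED_CONNECTIONS.search(key) and ev["value"] == "1":
            # Drive letters mapped under the standard token become visible to
            # the elevated token, i.e. mapped shares are reachable when elevated.
            findings.append(Finding("enable_linked_connections", ev["process"],
                                    "HKLM ...\\Policies\\System\\EnableLinkedConnections = 1"))
        elif op == "query" and GEO_NATION.search(key):
            findings.append(Finding("geo_nation_lookup", ev["process"],
                                    "reads the configured country (possible geofence)"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

The decoder is deliberately a character loop rather than two chained replace() calls: a value that ends in an escaped backslash followed by an escaped quote decodes wrongly with sequential replacement, and Run values built from user-controlled paths hit exactly that case.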
Processes
- R5X2SH.bin.exe (PID 844, level 1)
  Image: C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Drops desktop.ini file(s); Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
  - net.exe (PID 4416, level 2)
    Image: C:\Windows\SysWOW64\net.exe
    Command line: net stop VSS & sc config VSS start= disabled
    Signatures: Suspicious use of WriteProcessMemory
    - net1.exe (PID 1256, level 3)
      Image: C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
  - sc.exe (PID 3804, level 2)
    Image: C:\Windows\SysWOW64\sc.exe
    Command line: sc config VSS start= Demand & net start VSS
    Signatures: Launches sc.exe
  - wmic.exe (PID 3036, level 2)
    Image: C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY delete /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - icacls.exe (PID 1052, level 2)
    Image: C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
    Signatures: Modifies file permissions
  - powershell.exe (PID 4204, level 2)
    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - cmd.exe (PID 1976, level 2)
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe" >> NUL
    Signatures: Suspicious use of WriteProcessMemory
    - timeout.exe (PID 1964, level 3)
      Image: C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      Signatures: Delays execution with timeout.exe
- vssvc.exe (PID 3484, level 1)
  Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

Reading the tree: net.exe and sc.exe are direct children of R5X2SH.bin.exe with no cmd.exe in between, and their argument strings carry the & operator, which only a shell interprets; net1.exe was handed the whole string "stop VSS & sc config VSS start= disabled" as its arguments. So "sc config VSS start= disabled" and "net start VSS" never ran as separate commands, and the only sc.exe in the run is the one that sets VSS to start= Demand. The shadow copies were still deleted twice over, first by wmic SHADOWCOPY delete and then by the PowerShell WMI loop; vssvc.exe, the VSS service process, shows up as a separate top-level process because those requests go through the service. icacls grants full control recursively, with the drive letter and account shown as the placeholders {A-Z} and {Username}. The last child deletes the sample from %TEMP% after a one-second timeout, which is the same path the MSFEEditor Run value points at.
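As an added example (not code from the sandbox report or from the sample), the Python script below rebuilds the tree from constructed process-creation records copied from the report, with PIDs taken from the WriteProcessMemory IoCs, and runs the detections the signatures describe: shadow copy deletion through wmic or Win32_ShadowCopy.Delete(), VSS service tampering through net and sc, the recursive icacls full-control grant, and delayed self-deletion through cmd /c timeout && del. It also flags non-shell processes that received & as a literal argument, the quirk visible in the net.exe and sc.exe command lines. The (pid, ppid, image, cmdline) layout, the rule names and the extra vssadmin rule are assumptions that go beyond the page; the {A-Z} and {Username} placeholders in the icacls line are kept as the report shows them.

```python
"""Process-tree triage for the Processes section above.

Added example; not code from the sandbox report or from the sample. EVENTS is
constructed from the report's tree (PIDs from its WriteProcessMemory IoCs);
the (pid, ppid, image, cmdline) layout is an assumption. Parent PID 0 marks a
process whose parent the report does not show.
"""
import re
from collections import defaultdict

EVENTS = [
    (844, 0, r"C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe"'),
    (4416, 844, r"C:\Windows\SysWOW64\net.exe",
     "net stop VSS & sc config VSS start= disabled"),
    (1256, 4416, r"C:\Windows\SysWOW64\net1.exe",
     r"C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled"),
    (3804, 844, r"C:\Windows\SysWOW64\sc.exe",
     "sc config VSS start= Demand & net start VSS"),
    (3036, 844, r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "wmic.exe SHADOWCOPY delete /nointeractive"),
    # {A-Z} and {Username} are the report's own placeholders, kept as-is.
    (1052, 844, r"C:\Windows\SysWOW64\icacls.exe",
     'icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q'),
    (4204, 844, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'),
    (1976, 844, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\R5X2SH.bin.exe" >> NUL'),
    (1964, 1976, r"C:\Windows\SysWOW64\timeout.exe", "timeout 1"),
    (3484, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
CHAIN_OPERATOR = re.compile(r"\s(&&?|\|\|)\s")


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (pid, rule, detail) findings; rule names are this example's own."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmd in events:
        name, low = image_name(image), cmd.lower()
        tokens = low.split()
        if name == "wmic.exe" and re.search(r"\bshadowcopy\s+delete\b", low):
            findings.append((pid, "shadow_copy_deletion", "wmic SHADOWCOPY delete"))
        if name in SHELLS and "win32_shadowcopy" in low and ".delete(" in low:
            findings.append((pid, "shadow_copy_deletion", "Win32_ShadowCopy.Delete() over WMI"))
        # Generalisation beyond the page: the vssadmin form of the same technique.
        if name == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", low):
            findings.append((pid, "shadow_copy_deletion", "vssadmin delete shadows"))
        if name in ("net.exe", "net1.exe") and re.search(r"\bstop\s+vss\b", low):
            findings.append((pid, "vss_service_tamper", "net stop VSS"))
        if name == "sc.exe" and re.search(r"\bconfig\s+vss\s+start=", low):
            findings.append((pid, "vss_service_tamper", "sc config VSS start="))
        if name == "icacls.exe" and "/grant" in tokens and "/t" in tokens \
                and any(t.endswith(":f") for t in tokens):
            findings.append((pid, "broad_acl_grant", "icacls /grant ...:F /T (recursive full control)"))
        parent = by_pid.get(ppid)
        if name == "cmd.exe" and parent and "timeout" in low \
                and re.search(r"\bdel\b", low) and parent[2].lower() in low:
            findings.append((pid, "self_delete", f"deletes parent image {parent[2]} after a delay"))
        # & and && are operators only inside a shell; a non-shell image that
        # received them got them as literal arguments, so the chained command never ran.
        if name not in SHELLS and CHAIN_OPERATOR.search(cmd):
            findings.append((pid, "unshelled_operator", f"{name} received a shell operator as an argument"))
    return findings


def render_tree(events):
    """Indented tree in the report's layout, one line per process."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[1]].append(e)
    lines = []

    def walk(e, depth):
        lines.append("  " * depth + f"{image_name(e[2])} [{e[0]}] {e[3]}")
        for child in children[e[0]]:
            walk(child, depth + 1)

    for e in events:
        if e[1] not in by_pid:  # root: parent not in the capture
            walk(e, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for pid, rule, detail in triage(EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

The self-deletion rule keys on the parent's image path appearing inside the child's del command rather than on a fixed %TEMP% path, so it still fires when the sample runs from a different directory; the unshelled-operator rule is worth keeping in a real pipeline because it tells you which parts of a chained command actually executed.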
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdd024gt.uge.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  This is a benign by-product of the powershell.exe child, not a payload dropped by the sample: powershell.exe writes a __PSScriptPolicyTest_*.ps1 probe to %TEMP% on start-up to test whether application-control policy (AppLocker) restricts script execution.
- Memory dumps of PID 844 (R5X2SH.bin.exe), the same 572KB region captured six times:
  - memory/844-133-0x0000000000AD0000-0x0000000000B5F000-memory.dmp (572KB)
  - memory/844-134-0x0000000000AD0000-0x0000000000B5F000-memory.dmp (572KB)
  - memory/844-135-0x0000000000AD0000-0x0000000000B5F000-memory.dmp (572KB)
  - memory/844-136-0x0000000000AD0000-0x0000000000B5F000-memory.dmp (572KB)
  - memory/844-137-0x0000000000AD0000-0x0000000000B5F000-memory.dmp (572KB)
  - memory/844-166-0x0000000000AD0000-0x0000000000B5F000-memory.dmp (572KB)
- Memory dumps of PID 4204 (powershell.exe):
  - memory/4204-138-0x0000000000CF0000-0x0000000000D26000-memory.dmp (216KB)
  - memory/4204-139-0x0000000004750000-0x0000000004760000-memory.dmp (64KB)
  - memory/4204-140-0x0000000004D90000-0x00000000053B8000-memory.dmp (6.2MB)
  - memory/4204-141-0x0000000004A90000-0x0000000004AB2000-memory.dmp (136KB)
  - memory/4204-142-0x0000000004B30000-0x0000000004B96000-memory.dmp (408KB)
  - memory/4204-143-0x0000000004D10000-0x0000000004D76000-memory.dmp (408KB)
  - memory/4204-153-0x0000000004750000-0x0000000004760000-memory.dmp (64KB)
  - memory/4204-154-0x0000000005AF0000-0x0000000005B0E000-memory.dmp (120KB)
  - memory/4204-155-0x0000000006AC0000-0x0000000006B56000-memory.dmp (600KB)
  - memory/4204-156-0x0000000005FD0000-0x0000000005FEA000-memory.dmp (104KB)
  - memory/4204-157-0x0000000006020000-0x0000000006042000-memory.dmp (136KB)
  - memory/4204-158-0x0000000007110000-0x00000000076B4000-memory.dmp (5.6MB)
  - memory/4204-159-0x0000000004750000-0x0000000004760000-memory.dmp (64KB)