Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
11-03-2023 16:57
Behavioral task
behavioral1
Sample
R5X2SH.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
R5X2SH.exe
Resource
win10v2004-20230220-en
General
-
Target
R5X2SH.exe
-
Size
229KB
-
MD5
2316091f02153ac20dff768513aae1a4
-
SHA1
6b7b1017b9313ab87fccf4ea08a427c1499b89dc
-
SHA256
940bddbc6ef19b211f2022d61bf4d006969da11f9fe0beba98586e554dfcc741
-
SHA512
ff039365b85686a4b191a81d3f0e3b8ced76a7b3161d28906854d86cf2452c96dd2e476ef29f3eae29ea22efce4f0d4484b82a32bfe8dde0e0fec91d630b1448
-
SSDEEP
6144:oNxyvPouZtK58suC/004GKXkq4RUs3fY:oNxyXNtK58su3Z0RPY
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
Processes:
pid   process
1624  cmd.exe
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      process     ioc
Key created      R5X2SH.exe  \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str)  R5X2SH.exe  \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\R5X2SH.exe\" e"
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description                   process     ioc
File opened for modification  R5X2SH.exe  \??\E:\$RECYCLE.BIN\S-1-5-21-3948302646-268491222-1934009652-1000\desktop.ini
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\h:  vssadmin.exe
File opened (read-only)  \??\H:  vssadmin.exe
File opened (read-only)  \??\D:  R5X2SH.exe
File opened (read-only)  \??\D:  vssadmin.exe
File opened (read-only)  \??\f:  vssadmin.exe
File opened (read-only)  \??\g:  vssadmin.exe
File opened (read-only)  \??\G:  vssadmin.exe
File opened (read-only)  \??\h:  vssadmin.exe
File opened (read-only)  \??\D:  vssadmin.exe
File opened (read-only)  \??\E:  vssadmin.exe
File opened (read-only)  \??\f:  vssadmin.exe
File opened (read-only)  \??\F:  vssadmin.exe
File opened (read-only)  \??\E:  R5X2SH.exe
File opened (read-only)  \??\E:  vssadmin.exe
File opened (read-only)  \??\F:  vssadmin.exe
File opened (read-only)  \??\g:  vssadmin.exe
File opened (read-only)  \??\G:  vssadmin.exe
File opened (read-only)  \??\H:  vssadmin.exe
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid   process
1544  sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid  process
840  timeout.exe
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid   process
1948  vssadmin.exe
872   vssadmin.exe
1920  vssadmin.exe
1552  vssadmin.exe
1624  vssadmin.exe
2000  vssadmin.exe
1264  vssadmin.exe
1436  vssadmin.exe
1180  vssadmin.exe
1964  vssadmin.exe
1488  vssadmin.exe
2012  vssadmin.exe
1212  vssadmin.exe
820   vssadmin.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1572  powershell.exe
2016  R5X2SH.exe
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
description                         pid   process
Token: SeBackupPrivilege            1504  vssvc.exe
Token: SeRestorePrivilege           1504  vssvc.exe
Token: SeAuditPrivilege             1504  vssvc.exe
Token: SeIncreaseQuotaPrivilege     1104  wmic.exe
Token: SeSecurityPrivilege          1104  wmic.exe
Token: SeTakeOwnershipPrivilege     1104  wmic.exe
Token: SeLoadDriverPrivilege        1104  wmic.exe
Token: SeSystemProfilePrivilege     1104  wmic.exe
Token: SeSystemtimePrivilege        1104  wmic.exe
Token: SeProfSingleProcessPrivilege 1104  wmic.exe
Token: SeIncBasePriorityPrivilege   1104  wmic.exe
Token: SeCreatePagefilePrivilege    1104  wmic.exe
Token: SeBackupPrivilege            1104  wmic.exe
Token: SeRestorePrivilege           1104  wmic.exe
Token: SeShutdownPrivilege          1104  wmic.exe
Token: SeDebugPrivilege             1104  wmic.exe
Token: SeSystemEnvironmentPrivilege 1104  wmic.exe
Token: SeRemoteShutdownPrivilege    1104  wmic.exe
Token: SeUndockPrivilege            1104  wmic.exe
Token: SeManageVolumePrivilege      1104  wmic.exe
Token: 33                           1104  wmic.exe
Token: 34                           1104  wmic.exe
Token: 35                           1104  wmic.exe
Token: SeIncreaseQuotaPrivilege     1104  wmic.exe
Token: SeSecurityPrivilege          1104  wmic.exe
Token: SeTakeOwnershipPrivilege     1104  wmic.exe
Token: SeLoadDriverPrivilege        1104  wmic.exe
Token: SeSystemProfilePrivilege     1104  wmic.exe
Token: SeSystemtimePrivilege        1104  wmic.exe
Token: SeProfSingleProcessPrivilege 1104  wmic.exe
Token: SeIncBasePriorityPrivilege   1104  wmic.exe
Token: SeCreatePagefilePrivilege    1104  wmic.exe
Token: SeBackupPrivilege            1104  wmic.exe
Token: SeRestorePrivilege           1104  wmic.exe
Token: SeShutdownPrivilege          1104  wmic.exe
Token: SeDebugPrivilege             1104  wmic.exe
Token: SeSystemEnvironmentPrivilege 1104  wmic.exe
Token: SeRemoteShutdownPrivilege    1104  wmic.exe
Token: SeUndockPrivilege            1104  wmic.exe
Token: SeManageVolumePrivilege      1104  wmic.exe
Token: 33                           1104  wmic.exe
Token: 34                           1104  wmic.exe
Token: 35                           1104  wmic.exe
Token: SeDebugPrivilege             1572  powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process     target process  events
PID 2016 wrote to memory of 2012  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 1996  2016  R5X2SH.exe  net.exe         4
PID 1996 wrote to memory of 644   1996  net.exe     net1.exe        4
PID 2016 wrote to memory of 1544  2016  R5X2SH.exe  sc.exe          4
PID 2016 wrote to memory of 1104  2016  R5X2SH.exe  wmic.exe        4
PID 2016 wrote to memory of 1212  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 1948  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 820   2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 1436  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 1624  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 1180  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 1964  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 872   2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 1488  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 2000  2016  R5X2SH.exe  vssadmin.exe    4
PID 2016 wrote to memory of 1920  2016  R5X2SH.exe  vssadmin.exe    4
-
System policy modification 1 TTPs 1 IoCs
Processes:
description      process     ioc
Set value (int)  R5X2SH.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image path, then command line; [n] is the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\R5X2SH.exe
    "C:\Users\Admin\AppData\Local\Temp\R5X2SH.exe"
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\net.exe
      net stop VSS & sc config VSS start= disabled
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
  [2] C:\Windows\SysWOW64\sc.exe
      sc config VSS start= Demand & net start VSS
      - Launches sc.exe
  [2] C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
      - Modifies file permissions
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\R5X2SH.exe" >> NUL
      - Deletes itself
    [3] C:\Windows\SysWOW64\timeout.exe
        timeout 1
        - Delays execution with timeout.exe
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
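The process tree above is one recovery-inhibition chain driven by the parent R5X2SH.exe: shadow copies are deleted three ways (vssadmin, wmic, and PowerShell through the Win32_ShadowCopy WMI class), shadow storage is resized per drive to force existing snapshots out, the VSS service is stopped and reconfigured, icacls grants full control recursively, and a cmd.exe child deletes the sample after a one-second timeout. The Python below is an added detection example, not part of the sandbox report. It runs simplified process-creation records (parent image, image, command line) through case-insensitive substring rules keyed to those command lines, confirms that the `del` target in the cmd.exe line is the parent's own image before calling it self-deletion, and raises the strongest verdict only when a single parent both wipes shadow copies and tampers with the VSS service. The sample records are constructed from the command lines recorded above plus two benign administrative lines; the event format, rule names and the ATT&CK technique ids are assumptions of the example (the report itself maps to ATT&CK v6). One detail worth matching on deliberately: as recorded, the net.exe and net1.exe command lines carry a literal `& sc config VSS start= disabled` with no cmd.exe parent, so the service-reconfiguration text sits inside net.exe's argument string and a rule anchored on the first token would miss it.

```python
"""Detection logic for the shadow-copy / VSS tampering chain in the R5X2SH.exe
report. Added example, not part of the sandbox report. Event format, rule names
and ATT&CK technique ids are assumptions of this example."""
import re
from typing import NamedTuple, Optional


class ProcessEvent(NamedTuple):
    """Simplified process-creation record (Sysmon Event ID 1 / Security 4688)."""
    parent_image: str
    image: str
    command_line: str


class Finding(NamedTuple):
    rule: str
    technique: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule, ATT&CK technique, image basenames, command-line pattern). Patterns are
# case-insensitive substrings: the report shows "net stop VSS & sc config VSS
# start= disabled" as one net.exe argument string with no cmd.exe parent.
RULES = (
    ("vssadmin_delete_shadows", "T1490", {"vssadmin.exe"}, re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage", "T1490", {"vssadmin.exe"}, re.compile(r"\bresize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_shadowcopy_delete", "T1490", {"wmic.exe"}, re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_win32_shadowcopy_delete", "T1490", {"powershell.exe", "pwsh.exe"}, re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
    ("vss_service_tamper", "T1489", {"net.exe", "net1.exe", "sc.exe"}, re.compile(r"\b(stop|config)\s+vss\b", re.I)),
    ("icacls_recursive_full_control", "T1222.001", {"icacls.exe"}, re.compile(r"/grant\s+\S+:F\b.*\s/T\b", re.I)),
)

# "timeout N && del <file>": capture the deleted path, quoted or bare.
SELF_DELETE = re.compile(r'\btimeout\s+\d+\s*&&\s*del\s+(?:"([^"]+)"|(\S+))', re.I)


def self_delete_target(ev: ProcessEvent) -> Optional[str]:
    """Return the deleted path if a cmd.exe child deletes its parent's own image."""
    if basename(ev.image) != "cmd.exe":
        return None
    m = SELF_DELETE.search(ev.command_line)
    if not m:
        return None
    target = (m.group(1) or m.group(2)).strip()
    # Only the parent's own image counts; "timeout && del" is also ordinary cleanup.
    return target if target.lower() == ev.parent_image.lower() else None


def scan(events):
    findings = []
    for ev in events:
        name = basename(ev.image)
        for rule, technique, images, pattern in RULES:
            if name in images and pattern.search(ev.command_line):
                findings.append(Finding(rule, technique, ev.parent_image, ev.image, ev.command_line))
        if self_delete_target(ev):
            findings.append(Finding("self_delete_via_cmd_timeout", "T1070.004", ev.parent_image, ev.image, ev.command_line))
    return findings


def techniques_by_parent(findings):
    """Group techniques under the process that spawned the tooling. Grouping is by
    direct parent only, so net1.exe attributes to net.exe; a real pipeline would
    walk PIDs up to the root of the tree."""
    out = {}
    for f in findings:
        out.setdefault(f.parent_image, set()).add(f.technique)
    return {p: sorted(t) for p, t in out.items()}


def recovery_inhibition_chain(findings):
    """Parents that both wiped shadow copies (T1490) and tampered with the VSS
    service (T1489). Each alone also occurs in legitimate backup administration;
    the combination from one parent is the ransomware-shaped signal."""
    return sorted(p for p, t in techniques_by_parent(findings).items() if {"T1489", "T1490"} <= set(t))


PARENT = r"C:\Users\Admin\AppData\Local\Temp\R5X2SH.exe"
# Constructed from the command lines in the process tree above, plus two benign
# administrative lines (constructed) that must not match.
SAMPLE_EVENTS = [
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\net.exe", "net stop VSS & sc config VSS start= disabled"),
    ProcessEvent(r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled"),
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\sc.exe", "sc config VSS start= Demand & net start VSS"),
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\Wbem\wmic.exe", "wmic.exe SHADOWCOPY delete /nointeractive"),
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\icacls.exe", 'icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q'),
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 'powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'),
    ProcessEvent(PARENT, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\R5X2SH.exe" >> NUL'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\net.exe", "net stop Spooler"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.technique:10} {f.rule:36} {basename(f.image)}")
    print("recovery-inhibition chain from:", recovery_inhibition_chain(found))
```

Run against the constructed records, the scan produces nine findings, all attributed to R5X2SH.exe except the net1.exe hit (attributed to its direct parent net.exe), and the chain verdict names only R5X2SH.exe; the two benign lines produce nothing. In a SIEM the same logic would be fed from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled, and the parent grouping should follow ProcessGuid/PID rather than the image path used here for readability.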
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
file                                                                 filesize
memory/1572-61-0x00000000026E0000-0x0000000002720000-memory.dmp      256KB
memory/2016-54-0x0000000000890000-0x000000000091F000-memory.dmp      572KB
memory/2016-56-0x0000000000890000-0x000000000091F000-memory.dmp      572KB
memory/2016-55-0x0000000000890000-0x000000000091F000-memory.dmp      572KB
memory/2016-57-0x0000000000890000-0x000000000091F000-memory.dmp      572KB
memory/2016-58-0x0000000000890000-0x000000000091F000-memory.dmp      572KB
memory/2016-66-0x0000000000890000-0x000000000091F000-memory.dmp      572KB