Analysis
- max time kernel: 135s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-03-2023 16:57
Behavioral task behavioral1
- Sample: R5X2SH.exe
- Resource: win7-20230220-en

Behavioral task behavioral2
- Sample: R5X2SH.exe
- Resource: win10v2004-20230220-en
General
- Target: R5X2SH.exe
- Size: 229KB
- MD5: 2316091f02153ac20dff768513aae1a4
- SHA1: 6b7b1017b9313ab87fccf4ea08a427c1499b89dc
- SHA256: 940bddbc6ef19b211f2022d61bf4d006969da11f9fe0beba98586e554dfcc741
- SHA512: ff039365b85686a4b191a81d3f0e3b8ced76a7b3161d28906854d86cf2452c96dd2e476ef29f3eae29ea22efce4f0d4484b82a32bfe8dde0e0fec91d630b1448
- SSDEEP: 6144:oNxyvPouZtK58suC/004GKXkq4RUs3fY:oNxyXNtK58su3Z0RPY
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | R5X2SH.exe
- Modifies file permissions (1 TTPs, 1 IoCs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run | R5X2SH.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\R5X2SH.exe\" e" | R5X2SH.exe
- Drops desktop.ini file(s) (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | \??\E:\$RECYCLE.BIN\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini | R5X2SH.exe
- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) | \??\D: | R5X2SH.exe
  File opened (read-only) | \??\E: | R5X2SH.exe
- Launches sc.exe (1 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid | process):
  4112 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid | process):
  1688 | timeout.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  768 | powershell.exe
  768 | powershell.exe
  1712 | R5X2SH.exe
  1712 | R5X2SH.exe
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes (description | pid | process):
  Token: SeIncreaseQuotaPrivilege | 2888 | wmic.exe
  Token: SeSecurityPrivilege | 2888 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2888 | wmic.exe
  Token: SeLoadDriverPrivilege | 2888 | wmic.exe
  Token: SeSystemProfilePrivilege | 2888 | wmic.exe
  Token: SeSystemtimePrivilege | 2888 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2888 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2888 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2888 | wmic.exe
  Token: SeBackupPrivilege | 2888 | wmic.exe
  Token: SeRestorePrivilege | 2888 | wmic.exe
  Token: SeShutdownPrivilege | 2888 | wmic.exe
  Token: SeDebugPrivilege | 2888 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2888 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2888 | wmic.exe
  Token: SeUndockPrivilege | 2888 | wmic.exe
  Token: SeManageVolumePrivilege | 2888 | wmic.exe
  Token: 33 | 2888 | wmic.exe
  Token: 34 | 2888 | wmic.exe
  Token: 35 | 2888 | wmic.exe
  Token: 36 | 2888 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 2888 | wmic.exe
  Token: SeSecurityPrivilege | 2888 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 2888 | wmic.exe
  Token: SeLoadDriverPrivilege | 2888 | wmic.exe
  Token: SeSystemProfilePrivilege | 2888 | wmic.exe
  Token: SeSystemtimePrivilege | 2888 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 2888 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 2888 | wmic.exe
  Token: SeCreatePagefilePrivilege | 2888 | wmic.exe
  Token: SeBackupPrivilege | 2888 | wmic.exe
  Token: SeRestorePrivilege | 2888 | wmic.exe
  Token: SeShutdownPrivilege | 2888 | wmic.exe
  Token: SeDebugPrivilege | 2888 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 2888 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 2888 | wmic.exe
  Token: SeUndockPrivilege | 2888 | wmic.exe
  Token: SeManageVolumePrivilege | 2888 | wmic.exe
  Token: 33 | 2888 | wmic.exe
  Token: 34 | 2888 | wmic.exe
  Token: 35 | 2888 | wmic.exe
  Token: 36 | 2888 | wmic.exe
  Token: SeBackupPrivilege | 4348 | vssvc.exe
  Token: SeRestorePrivilege | 4348 | vssvc.exe
  Token: SeAuditPrivilege | 4348 | vssvc.exe
  Token: SeDebugPrivilege | 768 | powershell.exe
  Token: SeBackupPrivilege | 3840 | vssvc.exe
  Token: SeRestorePrivilege | 3840 | vssvc.exe
  Token: SeAuditPrivilege | 3840 | vssvc.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process):
  PID 1712 wrote to memory of 2204 | 1712 | R5X2SH.exe | net.exe
  PID 1712 wrote to memory of 2204 | 1712 | R5X2SH.exe | net.exe
  PID 1712 wrote to memory of 2204 | 1712 | R5X2SH.exe | net.exe
  PID 2204 wrote to memory of 1812 | 2204 | net.exe | net1.exe
  PID 2204 wrote to memory of 1812 | 2204 | net.exe | net1.exe
  PID 2204 wrote to memory of 1812 | 2204 | net.exe | net1.exe
  PID 1712 wrote to memory of 4112 | 1712 | R5X2SH.exe | sc.exe
  PID 1712 wrote to memory of 4112 | 1712 | R5X2SH.exe | sc.exe
  PID 1712 wrote to memory of 4112 | 1712 | R5X2SH.exe | sc.exe
  PID 1712 wrote to memory of 2888 | 1712 | R5X2SH.exe | wmic.exe
  PID 1712 wrote to memory of 2888 | 1712 | R5X2SH.exe | wmic.exe
  PID 1712 wrote to memory of 2888 | 1712 | R5X2SH.exe | wmic.exe
  PID 1712 wrote to memory of 4156 | 1712 | R5X2SH.exe | icacls.exe
  PID 1712 wrote to memory of 4156 | 1712 | R5X2SH.exe | icacls.exe
  PID 1712 wrote to memory of 4156 | 1712 | R5X2SH.exe | icacls.exe
  PID 1712 wrote to memory of 768 | 1712 | R5X2SH.exe | powershell.exe
  PID 1712 wrote to memory of 768 | 1712 | R5X2SH.exe | powershell.exe
  PID 1712 wrote to memory of 768 | 1712 | R5X2SH.exe | powershell.exe
  PID 1712 wrote to memory of 1156 | 1712 | R5X2SH.exe | cmd.exe
  PID 1712 wrote to memory of 1156 | 1712 | R5X2SH.exe | cmd.exe
  PID 1712 wrote to memory of 1156 | 1712 | R5X2SH.exe | cmd.exe
  PID 1156 wrote to memory of 1688 | 1156 | cmd.exe | timeout.exe
  PID 1156 wrote to memory of 1688 | 1156 | cmd.exe | timeout.exe
  PID 1156 wrote to memory of 1688 | 1156 | cmd.exe | timeout.exe
- System policy modification (1 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | R5X2SH.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\R5X2SH.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\R5X2SH.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop VSS & sc config VSS start= disabled
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc config VSS start= Demand & net start VSS
    - Launches sc.exe
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY delete /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
    - Modifies file permissions
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\R5X2SH.exe" >> NUL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      - Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2ysj1re.h0v.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- memory/768-138-0x00000000025F0000-0x0000000002626000-memory.dmp (Filesize: 216KB)
- memory/768-156-0x00000000063A0000-0x00000000063BA000-memory.dmp (Filesize: 104KB)
- memory/768-142-0x0000000005070000-0x00000000050D6000-memory.dmp (Filesize: 408KB)
- memory/768-159-0x0000000004B40000-0x0000000004B50000-memory.dmp (Filesize: 64KB)
- memory/768-158-0x00000000074E0000-0x0000000007A84000-memory.dmp (Filesize: 5.6MB)
- memory/768-139-0x0000000005180000-0x00000000057A8000-memory.dmp (Filesize: 6.2MB)
- memory/768-140-0x0000000004EF0000-0x0000000004F12000-memory.dmp (Filesize: 136KB)
- memory/768-141-0x0000000004F90000-0x0000000004FF6000-memory.dmp (Filesize: 408KB)
- memory/768-155-0x0000000006E90000-0x0000000006F26000-memory.dmp (Filesize: 600KB)
- memory/768-157-0x00000000063F0000-0x0000000006412000-memory.dmp (Filesize: 136KB)
- memory/768-153-0x0000000004B40000-0x0000000004B50000-memory.dmp (Filesize: 64KB)
- memory/768-152-0x0000000004B40000-0x0000000004B50000-memory.dmp (Filesize: 64KB)
- memory/768-154-0x0000000005EB0000-0x0000000005ECE000-memory.dmp (Filesize: 120KB)
- memory/1712-134-0x0000000000ED0000-0x0000000000F5F000-memory.dmp (Filesize: 572KB)
- memory/1712-166-0x0000000000ED0000-0x0000000000F5F000-memory.dmp (Filesize: 572KB)
- memory/1712-136-0x0000000000ED0000-0x0000000000F5F000-memory.dmp (Filesize: 572KB)
- memory/1712-133-0x0000000000ED0000-0x0000000000F5F000-memory.dmp (Filesize: 572KB)
- memory/1712-137-0x0000000000ED0000-0x0000000000F5F000-memory.dmp (Filesize: 572KB)
- memory/1712-135-0x0000000000ED0000-0x0000000000F5F000-memory.dmp (Filesize: 572KB)