f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429

Analysis

max time kernel
110s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avi.exe
Size

2.9MB
MD5

df0b88dafe7a65295f99e69a67db9e1b
SHA1

db3163a09eb33ff4370ad162a05f4b2584a20456
SHA256

f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
SHA512

2206969d222882dd8b7e3e5671311462266277d699e08e3016a7b3781b17390e8dd11956d8aaecae996a2c16227d7b2390eb84b9b8df26e39ffe8f38d5b76fbd
SSDEEP

49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzkw5c:wm+GaNqqJJ12vlZol8cJ7rc3

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4732	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4732	3484	avi.exe	86
PID 3484 wrote to memory of 4732	3484	avi.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\avi.exe
"C:\Users\Admin\AppData\Local\Temp\avi.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\System32\vssadmin.exe
  delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads