Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-03-2023 14:34

General

  • Target

    c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe

  • Size

    210KB

  • MD5

    f486b69dc261cbf3ffac231324015ebb

  • SHA1

    ee1fc0b7350559fac9c23f7d832bdf2760e80b03

  • SHA256

    c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb

  • SHA512

    16a1d8c6a371506525c488355e799b2fd04173a4dd6e771e1fcddb380d8a4d16f1f5bd310858f3f151a9c860c3636712a63b536ca55bc2b63f03263f4e50f12b

  • SSDEEP

    3072:QV+V98GoDHlXb6hyhwOfFAc/ZICFzhb9wl/mjF5I6yAJKybo:LVPo76y5NAcB5x9wk1VJKybo

Malware Config

Signatures

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe
    "C:\Users\Admin\AppData\Local\Temp\c5ef104253ed4c066104a184ab368630027831b627c043d63170ff8f89c6a2bb.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F2DAD5A-D6F8-4EE3-A134-CD1CE95667FA}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F2DAD5A-D6F8-4EE3-A134-CD1CE95667FA}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2480
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4396

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\README.txt

    Filesize

    122B

    MD5

    818d78ec097f2a03ae2dafeb16e1de7f

    SHA1

    204ba20483435f1b6b4a8dea41c4e4f104adf59c

    SHA256

    9e930a6bbe9443c3683df6639f5007afd6f2213d8c0abeadd281fc5e8a59a8ae

    SHA512

    d28e3a81645f8541e2f5cd2d89f23c02dff12b6430dc6d47e9156ccd20d092ce9d91cf6b7ca68cab744752b7d42d4b71ae1679dc79f0cc1d73a91cbba5151396