5843e3a65830a8f2ce2c28a484f94049f81790516d8fada0f198f58fc95f49a0

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows_encryptor.exe
Size

2.1MB
MD5

e72424408e6441d0f362cd9946c6cc60
SHA1

65cbfe67462ed01463903b13eda1caa10d5babcf
SHA256

5843e3a65830a8f2ce2c28a484f94049f81790516d8fada0f198f58fc95f49a0
SHA512

05476ceee021edbcfccae507f08aebc5dfa72d3de41b38ca8892bd4ee7e9545d753f761d360902e93444a453af473f46f3cc20068bf817f5599967cbc8cfa4e7
SSDEEP

49152:AKdKdhwcjW7oPlIFP2a8cTPBn+zOkLH4Gh0LKUm:AKdQheoPOx8Mnbk

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2004 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1368 vssvc.exe
Token: SeRestorePrivilege 1368 vssvc.exe
Token: SeAuditPrivilege 1368 vssvc.exe

pid	process
2004	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	1368	vssvc.exe
Token: SeRestorePrivilege	1368	vssvc.exe
Token: SeAuditPrivilege	1368	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

windows_encryptor.exe

description	pid	process	target process
PID 1744 wrote to memory of 2004	1744	windows_encryptor.exe	vssadmin.exe
PID 1744 wrote to memory of 2004	1744	windows_encryptor.exe	vssadmin.exe
PID 1744 wrote to memory of 2004	1744	windows_encryptor.exe	vssadmin.exe
PID 1744 wrote to memory of 2004	1744	windows_encryptor.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\windows_encryptor.exe
"C:\Users\Admin\AppData\Local\Temp\windows_encryptor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads