Analysis
-
max time kernel
75s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
27/03/2023, 06:40
General
-
Target
07c56a1a423c1a2f00377112cac61f642f3abfea413ba4f405eafde69e97ef09.exe
-
Size
1.3MB
-
MD5
7fc1d33734cbae90767ee85c6afee623
-
SHA1
e00adfff94436788d5d77b55967b6ec0b79052b5
-
SHA256
07c56a1a423c1a2f00377112cac61f642f3abfea413ba4f405eafde69e97ef09
-
SHA512
d6cf627d3f8b8fcb623c2bf4103d4e26817890058a8b52dc5e1bbef863d897c094c9320cf8a10cb0c55a953af84bb67eab14cd787307ef273ff4f11380f5b0eb
-
SSDEEP
24576:fiyGR8Z010ZGcocGFWjplHF6QmhMvytAp20opY+t0BcBVilNlgZhmJKgC:xG2k0ZGc3GMjplH3XvytA7+NuDgZhmJ
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\History.txt
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\07c56a1a423c1a2f00377112cac61f642f3abfea413ba4f405eafde69e97ef09.exe"C:\Users\Admin\AppData\Local\Temp\07c56a1a423c1a2f00377112cac61f642f3abfea413ba4f405eafde69e97ef09.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k7.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k7.exe2⤵
- Modifies extensions of user files
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 10963⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1696 -ip 16961⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53B
MD5cdc8df570b07fcbec956bed6a11d04e6
SHA14567949b96f6ca78dc527a5d2bd8d6876bbd23f2
SHA2568f56d5ef0f2bf53214e53ceaa12faea15c08ed600c99f38295ec10e9c8e13b3a
SHA512439d229fcedb890cae00be6e380e6f5bef6521c213f7bc06de88e6298765177f6e752e3ac17dd55457bd5a2e457957ec79163ae19249f50c3be00ba6c90f7737
-
Filesize
53B
MD5d580065a2284b092a94d5b27f51fadf1
SHA1bf6cdbed4f3519732c75080fe5c2f1c062a667f0
SHA25657af3d1d80818dc06e08726784ed2c6dd89d365eb1cea1b62710dcb013b0b9c9
SHA51266f603ec48d2e535d9107ecb774205ad0155a9e11a6d85c901b4afa19f1c0edcb1cf898a321cd61185b057adfef55e687e0166aa3d7221f95adce4853a1e1c29
-
Filesize
76KB
MD569b0377e9b29ad5df6aa8ae3482c80d6
SHA1523f270f4cd479bc27d9b1cd80643074879d7663
SHA256e4ed8dc375a36f6bc2f7c2a00344483e3d6e602896347a6468645d93c68165b7
SHA512f006b5da69b9d51f8a8c5144fd991d6c7e7c6fcb878faf86633ada083d72fd947e508efe3f1acb9965c4bad31e26896367ec176133490191642eb6d3f8ca238b
-
Filesize
47KB
MD511087a869b397a9670f65f0e4c0afc5b
SHA154899e295a4304d5577a3833b0620e8c81440460
SHA256637edeeab5c0fc1e5fa82c5fa6a2fcf7671fe8cafe1afa973672337da8c98056
SHA51205526492f00149e321c2c4044a82b57ec7ff3a05692206a4df76180234016bcdcab8906806cf863af7ee4e4d9dc82d9425bf0a703d4e7e658303a71480a779f2
-
Filesize
64KB
MD538024afb325dcd3c96997feb261dbb81
SHA161db6a676e00dd8352cd3bed0671607bd995698b
SHA2561b824f846ff7df3062b63a8addbadf0a526b7e62ef99eb9b275b4aaf584e19af
SHA5120181993b54539bf456ba85881c2498050840512e2bd62f671174e069f14499433fb6c00135932996fb6a20bfca6b7a0f109634508c577759cf5551e9fa9b486a
-
Filesize
54KB
MD5b1206a5abf93bc64601a3caa2dff47d4
SHA18f3ec5931b77f0841522324fb1202599b396e45a
SHA25624a8a7c00f0bb8ac3096f58f53bd47fa392b8d220c1c43d372100bd692c68e5f
SHA5126b13003fe209885f377ed93340a2472b936bc5699ed9e645f40a9dacc647d9aa280f78c991805b9646861fa4ca1e85e9799c3868daead643e21a9b351b2663f9
-
Filesize
54KB
MD5368cc2e9979e8d169ff5b8faeae77c7f
SHA1d9158fc250ba74dd2d62f9d00585d36dda307376
SHA2567b10367f9b052a9e3c8c7c740493c35291b0dcdbb5adb348eeee075c523884f7
SHA512ed26c7660d522dd5f61052e9bfc3b3c6a53e9b4c6a8805ba60a0167c0e62ea4365ea4959007f19702639a58cd5c22c9d4d5ce1a0798ff99a60fe5d4616782c74
-
Filesize
19KB
MD5e732fba914e5ef673df326ab7d279d1c
SHA12962fbbdabc5fe03969a41dfda75fa71c12c25d9
SHA256f1c9becfbda9550786cba8651a388d541073b9844b31032937092c75b70199ca
SHA512cf1763dd9f68f5604db6f4f9887d3188a2a5e3088b26dd1462be78d390b70af362b93b89ebfda60635dbd4b4f278efcecef020094341ec8dd43a676ee95c0d44
-
Filesize
19KB
MD5e732fba914e5ef673df326ab7d279d1c
SHA12962fbbdabc5fe03969a41dfda75fa71c12c25d9
SHA256f1c9becfbda9550786cba8651a388d541073b9844b31032937092c75b70199ca
SHA512cf1763dd9f68f5604db6f4f9887d3188a2a5e3088b26dd1462be78d390b70af362b93b89ebfda60635dbd4b4f278efcecef020094341ec8dd43a676ee95c0d44
-
Filesize
31KB
MD5b834cf6cd188da06b28918fd27feb13b
SHA167a6fc24fe9ae3c989102de8d6a2092ff47f1091
SHA2568c4379fafae454d99f62ecd312a9da7637fe8e17d5a26e2dcbd5a17a43601b5d
SHA512ba0e37f48ee210922459800811986a83da9da3ed13e4dcec9f0f4511d42caad1c46c780aef32a2b86754f93ebb0387471a8733096b979547ec5bee92c4fbf9ee
-
Filesize
3KB
MD5fcb4f2486eaba2743c10991ca7ba2c85
SHA1c47e84a7d22713762d5776bed5c0ce8cfc42250e
SHA256c3dd6ef20f70f046cff5270c09cbb48c818bc0b2dd34a00181fd9bedce35f1bf
SHA5123c2786983e0d1bae01ffc921bc2596e8a9a81c9f56b2fa13fc8da05182a598a09f743255fc7b364ef390c70ebf04bbde1c72451879023589c7e9037778504ac9
-
Filesize
3KB
MD5c83ee59a78ce69fa2aafb4cf6d430e55
SHA1e4d458fc7d192b353bdd73de8d6f42e90c72a8b2
SHA2562a8eb05a35990926618a636b7fd0fd299e0c6c09cabcb0acf85d8677087da390
SHA512b22711c6b79461cf3236f018b2416d31675ee51fbd4fb9ad700a66f334a91d7844543ed3fdfc8607c0c12be12a15af1b02b47d706d50ce899837573337254582
-
Filesize
275B
MD5569c75a631209494fe66031b6b77d4b8
SHA1564679a5f9de6c4533dc74b0f0a2f180ec2c29cc
SHA256f475e03f09e7c3c613b256fec3879b2a9b70c338afde2e9a41ea7bdbb424c389
SHA5123773452c02e863ff15d9d4580b5e349673ad6954725c1bfc5ffc73f18abc1ace3fde302483e8a46de4763ace3c79881767860661cec0881e0841562bd3807b7e
-
Filesize
87KB
MD5dd4a3dcaf713e6ba8a57f6abd6741e1a
SHA137a5f4bfe77d5ed5383c47e6992d5f0139e5ea5c
SHA256f82dd20e9af0177981e5611fed016128bb2ff2fecee19844ac0db2b81cb1a938
SHA512818824f88737fa4d935e27676b39af5eb47d804f8c8759feb394f25955ee58657e755067a3ce9e0d2511bd2c76cbdf2ceaae214393127886120219f3e8031ab3
-
Filesize
87KB
MD5dd4a3dcaf713e6ba8a57f6abd6741e1a
SHA137a5f4bfe77d5ed5383c47e6992d5f0139e5ea5c
SHA256f82dd20e9af0177981e5611fed016128bb2ff2fecee19844ac0db2b81cb1a938
SHA512818824f88737fa4d935e27676b39af5eb47d804f8c8759feb394f25955ee58657e755067a3ce9e0d2511bd2c76cbdf2ceaae214393127886120219f3e8031ab3
-
Filesize
1KB
MD5b57c8b97c0d018d14786e06eabe0734f
SHA10c30b73f29600dd9ee51dd87ecc718f48022294a
SHA25678452b7a10fdd6b2131d3e98f3ffa533b415ed58a0edd3f644d3ec8c98ceb23f
SHA512b503ab083a4eda004e3020cbc887a2cd49b80dd74b08f73f86e7b9d04ceaae8b3c43d59a7abe3153ae220c601fb3da2b5ce020446492cb9d85dd2ea102dfcfe7
-
Filesize
1KB
MD57dc4d3661305beca317759c226c7e5f5
SHA11d6fb869f5d5c87d0b7cff308682a7988bb3961d
SHA256ea2272062bfb446f21b98af551a527dfb399fb6c57e36375d8b4b7e99a564d0d
SHA512dc1765280168d06673f3c47df90c635a54f7e279f75d35ff8c8b6296fa8807fc1891ea4f8e07460f61c56ee1e7169831354fb6e12c2d0c661c9b96e8df533ba5
-
Filesize
275B
MD5569c75a631209494fe66031b6b77d4b8
SHA1564679a5f9de6c4533dc74b0f0a2f180ec2c29cc
SHA256f475e03f09e7c3c613b256fec3879b2a9b70c338afde2e9a41ea7bdbb424c389
SHA5123773452c02e863ff15d9d4580b5e349673ad6954725c1bfc5ffc73f18abc1ace3fde302483e8a46de4763ace3c79881767860661cec0881e0841562bd3807b7e
-
Filesize
44KB
-
Filesize
32KB