Analysis
-
max time kernel
99s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
29/03/2023, 19:26
Static task
static1
Behavioral task
behavioral1
Sample
bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe
Resource
win7-20230220-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe
-
Size
720KB
-
MD5
163e651162f292028ca9a8d7f1ed7340
-
SHA1
a85ff9091f298ea2d6823a7b0053daa08b237423
-
SHA256
bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b
-
SHA512
f1cd02b07219d40d489b8000a92e20fca0c3e536a7dde25b98b7be0ce54a46349dcea9e66bef8f7fbd895ce7e5b22e3f3a46fbb9c7dcea4185b3937384f1649f
-
SSDEEP
12288:A+2ZzbQ32UC1pC0q1oJn2OR9YA/SnHaetVkiIGjltRztp:A+4OECVCn2OR9r/kaetNIOtZ
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\L: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\P: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\S: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\T: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\X: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\H: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\D: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\G: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\J: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\M: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\Q: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\Z: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\B: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\N: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\Y: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\F: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\E: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\K: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\O: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\R: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\U: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\V: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\W: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe File opened (read-only) \??\A: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 540 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeAssignPrimaryTokenPrivilege 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe Token: SeBackupPrivilege 1864 vssvc.exe Token: SeRestorePrivilege 1864 vssvc.exe Token: SeAuditPrivilege 1864 vssvc.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1964 wrote to memory of 1676 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 30 PID 1964 wrote to memory of 1676 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 30 PID 1964 wrote to memory of 1676 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 30 PID 1964 wrote to memory of 1676 1964 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe 30 PID 1676 wrote to memory of 540 1676 cmd.exe 32 PID 1676 wrote to memory of 540 1676 cmd.exe 32 PID 1676 wrote to memory of 540 1676 cmd.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe"C:\Users\Admin\AppData\Local\Temp\bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:540
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864