1bf688e2b35c3e431a8458de0e55d30729a8ae2762568f82359ed0ccf75d65fa

General

Target

666.exe
Size

86KB
MD5

a7f9d16f72ba1782aff84741fcc43a7a
SHA1

20536bb7463d83143a0221e56c4faf2155e73bc7
SHA256

1bf688e2b35c3e431a8458de0e55d30729a8ae2762568f82359ed0ccf75d65fa
SHA512

59b08739c0eeedf8956a7dc44730d11548996ed1f6ef2dc6beac753fc1a6b844545250640d9f341a6c7a06f108cd43b6db98e9e7166729405e54ab9e5513a3cd
SSDEEP

1536:2Uv4AYvNDT0aJQcc7T7yVx+a0NqlLjvCPTPRhnBu3gAjObfnapxjJeU:28ACb/6jIU

Score

9^/10

bootkit evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

666.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	666.exe

Disables Task Manager via registry modification
evasion

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

666.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\""	666.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

666.exe

description ioc process

File opened for modification \??\PhysicalDrive0 666.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1032 vssadmin.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

666.exe

pid process

2044 666.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	666.exe

pid	process
1032	vssadmin.exe

pid	process
2044	666.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

666.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2044	666.exe
Token: SeDebugPrivilege	2044	666.exe
Token: SeBackupPrivilege	1204	vssvc.exe
Token: SeRestorePrivilege	1204	vssvc.exe
Token: SeAuditPrivilege	1204	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1332	WMIC.exe
Token: SeSecurityPrivilege	1332	WMIC.exe
Token: SeTakeOwnershipPrivilege	1332	WMIC.exe
Token: SeLoadDriverPrivilege	1332	WMIC.exe
Token: SeSystemProfilePrivilege	1332	WMIC.exe
Token: SeSystemtimePrivilege	1332	WMIC.exe
Token: SeProfSingleProcessPrivilege	1332	WMIC.exe
Token: SeIncBasePriorityPrivilege	1332	WMIC.exe
Token: SeCreatePagefilePrivilege	1332	WMIC.exe
Token: SeBackupPrivilege	1332	WMIC.exe
Token: SeRestorePrivilege	1332	WMIC.exe
Token: SeShutdownPrivilege	1332	WMIC.exe
Token: SeDebugPrivilege	1332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1332	WMIC.exe
Token: SeRemoteShutdownPrivilege	1332	WMIC.exe
Token: SeUndockPrivilege	1332	WMIC.exe
Token: SeManageVolumePrivilege	1332	WMIC.exe
Token: 33	1332	WMIC.exe
Token: 34	1332	WMIC.exe
Token: 35	1332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1332	WMIC.exe
Token: SeSecurityPrivilege	1332	WMIC.exe
Token: SeTakeOwnershipPrivilege	1332	WMIC.exe
Token: SeLoadDriverPrivilege	1332	WMIC.exe
Token: SeSystemProfilePrivilege	1332	WMIC.exe
Token: SeSystemtimePrivilege	1332	WMIC.exe
Token: SeProfSingleProcessPrivilege	1332	WMIC.exe
Token: SeIncBasePriorityPrivilege	1332	WMIC.exe
Token: SeCreatePagefilePrivilege	1332	WMIC.exe
Token: SeBackupPrivilege	1332	WMIC.exe
Token: SeRestorePrivilege	1332	WMIC.exe
Token: SeShutdownPrivilege	1332	WMIC.exe
Token: SeDebugPrivilege	1332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1332	WMIC.exe
Token: SeRemoteShutdownPrivilege	1332	WMIC.exe
Token: SeUndockPrivilege	1332	WMIC.exe
Token: SeManageVolumePrivilege	1332	WMIC.exe
Token: 33	1332	WMIC.exe
Token: 34	1332	WMIC.exe
Token: 35	1332	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

666.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 1656	2044	666.exe	cmd.exe
PID 2044 wrote to memory of 1656	2044	666.exe	cmd.exe
PID 2044 wrote to memory of 1656	2044	666.exe	cmd.exe
PID 2044 wrote to memory of 1656	2044	666.exe	cmd.exe
PID 1656 wrote to memory of 1032	1656	cmd.exe	vssadmin.exe
PID 1656 wrote to memory of 1032	1656	cmd.exe	vssadmin.exe
PID 1656 wrote to memory of 1032	1656	cmd.exe	vssadmin.exe
PID 1656 wrote to memory of 1032	1656	cmd.exe	vssadmin.exe
PID 1656 wrote to memory of 1332	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1332	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1332	1656	cmd.exe	WMIC.exe
PID 1656 wrote to memory of 1332	1656	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\666.exe
"C:\Users\Admin\AppData\Local\Temp\666.exe"
1⤵
- Disables RegEdit via registry modification
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1032

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-54-0x0000000000FE0000-0x0000000000FFC000-memory.dmp

Filesize
112KB

Download
memory/2044-55-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2044-56-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2044-57-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads