Analysis
- max time kernel: 132s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 03-04-2023 18:52
Static task: static1
Behavioral task: behavioral1
- Sample: 666.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 666.exe
- Resource: win10v2004-20230220-en
General
- Target: 666.exe
- Size: 86KB
- MD5: a7f9d16f72ba1782aff84741fcc43a7a
- SHA1: 20536bb7463d83143a0221e56c4faf2155e73bc7
- SHA256: 1bf688e2b35c3e431a8458de0e55d30729a8ae2762568f82359ed0ccf75d65fa
- SHA512: 59b08739c0eeedf8956a7dc44730d11548996ed1f6ef2dc6beac753fc1a6b844545250640d9f341a6c7a06f108cd43b6db98e9e7166729405e54ab9e5513a3cd
- SSDEEP: 1536:2Uv4AYvNDT0aJQcc7T7yVx+a0NqlLjvCPTPRhnBu3gAjObfnapxjJeU:28ACb/6jIU
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Disables RegEdit via registry modification (1 IoC)
  Processes: 666.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 666.exe
- Disables Task Manager via registry modification
- Modifies WinLogon (2 TTPs, 1 IoC)
  Processes: 666.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\"" | 666.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: 666.exe
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 666.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  1032 | vssadmin.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 666.exe
  pid | process
  2044 | 666.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: 666.exe, vssvc.exe, WMIC.exe
  description | pid | process
  Token: SeDebugPrivilege | 2044 | 666.exe
  Token: SeDebugPrivilege | 2044 | 666.exe
  Token: SeBackupPrivilege | 1204 | vssvc.exe
  Token: SeRestorePrivilege | 1204 | vssvc.exe
  Token: SeAuditPrivilege | 1204 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 1332 | WMIC.exe
  Token: SeSecurityPrivilege | 1332 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1332 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1332 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1332 | WMIC.exe
  Token: SeSystemtimePrivilege | 1332 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1332 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1332 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1332 | WMIC.exe
  Token: SeBackupPrivilege | 1332 | WMIC.exe
  Token: SeRestorePrivilege | 1332 | WMIC.exe
  Token: SeShutdownPrivilege | 1332 | WMIC.exe
  Token: SeDebugPrivilege | 1332 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1332 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1332 | WMIC.exe
  Token: SeUndockPrivilege | 1332 | WMIC.exe
  Token: SeManageVolumePrivilege | 1332 | WMIC.exe
  Token: 33 | 1332 | WMIC.exe
  Token: 34 | 1332 | WMIC.exe
  Token: 35 | 1332 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1332 | WMIC.exe
  Token: SeSecurityPrivilege | 1332 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1332 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1332 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1332 | WMIC.exe
  Token: SeSystemtimePrivilege | 1332 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1332 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1332 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1332 | WMIC.exe
  Token: SeBackupPrivilege | 1332 | WMIC.exe
  Token: SeRestorePrivilege | 1332 | WMIC.exe
  Token: SeShutdownPrivilege | 1332 | WMIC.exe
  Token: SeDebugPrivilege | 1332 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1332 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1332 | WMIC.exe
  Token: SeUndockPrivilege | 1332 | WMIC.exe
  Token: SeManageVolumePrivilege | 1332 | WMIC.exe
  Token: 33 | 1332 | WMIC.exe
  Token: 34 | 1332 | WMIC.exe
  Token: 35 | 1332 | WMIC.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 666.exe, cmd.exe
  description | pid | process | target process
  PID 2044 wrote to memory of 1656 | 2044 | 666.exe | cmd.exe
  PID 2044 wrote to memory of 1656 | 2044 | 666.exe | cmd.exe
  PID 2044 wrote to memory of 1656 | 2044 | 666.exe | cmd.exe
  PID 2044 wrote to memory of 1656 | 2044 | 666.exe | cmd.exe
  PID 1656 wrote to memory of 1032 | 1656 | cmd.exe | vssadmin.exe
  PID 1656 wrote to memory of 1032 | 1656 | cmd.exe | vssadmin.exe
  PID 1656 wrote to memory of 1032 | 1656 | cmd.exe | vssadmin.exe
  PID 1656 wrote to memory of 1032 | 1656 | cmd.exe | vssadmin.exe
  PID 1656 wrote to memory of 1332 | 1656 | cmd.exe | WMIC.exe
  PID 1656 wrote to memory of 1332 | 1656 | cmd.exe | WMIC.exe
  PID 1656 wrote to memory of 1332 | 1656 | cmd.exe | WMIC.exe
  PID 1656 wrote to memory of 1332 | 1656 | cmd.exe | WMIC.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\666.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\666.exe"
  - Disables RegEdit via registry modification
  - Modifies WinLogon
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2044-54-0x0000000000FE0000-0x0000000000FFC000-memory.dmp (Filesize: 112KB)
- memory/2044-55-0x0000000004CA0000-0x0000000004CE0000-memory.dmp (Filesize: 256KB)
- memory/2044-56-0x0000000004CA0000-0x0000000004CE0000-memory.dmp (Filesize: 256KB)
- memory/2044-57-0x0000000004CA0000-0x0000000004CE0000-memory.dmp (Filesize: 256KB)