Analysis
- max time kernel: 104s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2023 18:52
Static task: static1
Behavioral task: behavioral1
- Sample: 666.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 666.exe
- Resource: win10v2004-20230220-en
General
- Target: 666.exe
- Size: 86KB
- MD5: a7f9d16f72ba1782aff84741fcc43a7a
- SHA1: 20536bb7463d83143a0221e56c4faf2155e73bc7
- SHA256: 1bf688e2b35c3e431a8458de0e55d30729a8ae2762568f82359ed0ccf75d65fa
- SHA512: 59b08739c0eeedf8956a7dc44730d11548996ed1f6ef2dc6beac753fc1a6b844545250640d9f341a6c7a06f108cd43b6db98e9e7166729405e54ab9e5513a3cd
- SSDEEP: 1536:2Uv4AYvNDT0aJQcc7T7yVx+a0NqlLjvCPTPRhnBu3gAjObfnapxjJeU:28ACb/6jIU
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Disables RegEdit via registry modification (1 IoC)
  Processes (process | description | IoC):
    666.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Disables Task Manager via registry modification
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (process | description | IoC):
    666.exe | Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
- Modifies WinLogon (2 TTPs, 1 IoC)
  Processes (process | description | IoC):
    666.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\""
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (process | description | IoC):
    666.exe | File opened for modification | \??\PhysicalDrive0
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (process | pid | target pid):
    WerFault.exe | 3156 | 2488
- Suspicious use of AdjustPrivilegeToken (47 IoCs: 2 + 2x21 + 3)
  Processes:
    666.exe (PID 1972): SeDebugPrivilege (x2)
    WMIC.exe (PID 2764), the same 21 privileges enabled in two passes: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the last four are privilege LUIDs the report leaves unnamed)
    vssvc.exe (PID 232): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of FindShellTrayWindow (18 IoCs)
  Processes:
    666.exe (PID 1972), 18 occurrences
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    666.exe (PID 1972) wrote to memory of cmd.exe (PID 492), 3 occurrences
    cmd.exe (PID 492) wrote to memory of WMIC.exe (PID 2764), 3 occurrences
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
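The two registry signatures above (the Policies\System lockout value and the new value under Winlogon) translate directly into a host-side check. The following is an added example, not part of the sandbox report: it triages Sysmon-style registry SetValue events (Event ID 13 notation, HKU/HKLM prefixes) for those two behaviours. The sample events are constructed from the report's IoCs, the DisableTaskMgr event is constructed because the report flags that behaviour without listing the value, and the alert names are the example's own.

```python
"""Triage Sysmon-style registry SetValue events for the two registry tricks in
the 666.exe report: Policies\\System UI lockouts and changes under Winlogon.

Added example; the events below are constructed in Sysmon Event ID 13 notation
(HKU/HKLM prefixes) from the report's IoCs, and the alert names are this
example's own.
"""
import re

POLICY_SYSTEM = "\\software\\microsoft\\windows\\currentversion\\policies\\system"
WINLOGON = "\\software\\microsoft\\windows nt\\currentversion\\winlogon"

# Policies\System values that, when nonzero, lock the user out of a recovery tool.
LOCKOUT_VALUES = {
    "disableregistrytools": "regedit_disabled",
    "disabletaskmgr": "taskmgr_disabled",
    "disablelockworkstation": "lockworkstation_disabled",
}

SID = "S-1-5-21-4238149048-355649189-894321705-1000"
SAMPLE_EVENTS = [
    # From the report: DisableRegistryTools = 1 (int) set by 666.exe
    {"EventType": "SetValue", "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\666.exe",
     "TargetObject": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    # Constructed: the report flags Task Manager disabling without listing the value
    {"EventType": "SetValue", "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\666.exe",
     "TargetObject": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    # From the report: a new Winlogon value whose data names an executable
    {"EventType": "SetValue", "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\666.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ShellExperience",
     "Details": '"ShellExperience.exe"'},
    # Constructed benign noise: a wallpaper change and a policy reset back to 0
    {"EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": f"HKU\\{SID}\\Control Panel\\Desktop\\Wallpaper",
     "Details": "C:\\Users\\Admin\\Pictures\\bg.jpg"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\system32\\svchost.exe",
     "TargetObject": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools",
     "Details": "DWORD (0x00000000)"},
]


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int, or None."""
    m = re.fullmatch(r"dword \(0x([0-9a-f]+)\)", details.strip().lower())
    return int(m.group(1), 16) if m else None


def classify_registry_event(event):
    """Return an alert name for one SetValue event, or None if it is not of interest."""
    if event.get("EventType") != "SetValue":
        return None
    key, _, value = event["TargetObject"].lower().rpartition("\\")
    data = event.get("Details", "")
    if key.endswith(POLICY_SYSTEM) and value in LOCKOUT_VALUES:
        # Nonzero enables the restriction; 0 (or non-DWORD data) is a benign reset.
        if parse_dword(data):
            return LOCKOUT_VALUES[value]
    elif key.endswith(WINLOGON):
        cleaned = data.strip().strip('"').lower()
        if value == "shell" and cleaned != "explorer.exe":
            return "winlogon_shell_hijack"
        if value == "userinit" and not re.fullmatch(r"(c:\\windows\\system32\\)?userinit\.exe,?", cleaned):
            return "winlogon_userinit_hijack"
        if value not in ("shell", "userinit") and cleaned.endswith(".exe"):
            # Catches the report's ShellExperience value: not the standard Shell or
            # Userinit value, but a new executable reference under this key.
            return "winlogon_unexpected_exe_value"
    return None


def triage_registry_events(events):
    """Return (alert, image, target) for every event that trips a check, in order."""
    alerts = []
    for event in events:
        alert = classify_registry_event(event)
        if alert:
            alerts.append((alert, event["Image"], event["TargetObject"]))
    return alerts


if __name__ == "__main__":
    for alert in triage_registry_events(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

The check deliberately ignores a lockout value being set to 0, since Group Policy refreshes write that legitimately; the signal is a nonzero write, and especially one made by a process running out of a user's Temp directory as here.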
Processes
- C:\Users\Admin\AppData\Local\Temp\666.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\666.exe"
  PID: 1972
  Signatures: Disables RegEdit via registry modification; Checks computer location settings; Modifies WinLogon; Writes to the Master Boot Record (MBR); Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    PID: 492
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID: 2764
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 232
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 476 -p 2488 -ip 2488
  PID: 3868
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -u -p 2488 -s 1748
  PID: 3156
  Signatures: Program crash

Notes on the tree: the child's image path is C:\Windows\SysWOW64\cmd.exe although its command line names System32, so the parent 666.exe is a 32-bit process and WOW64 file-system redirection resolved the path. The five recovery-inhibition commands are chained with `&`, so each runs regardless of the previous one's exit status; only the WMIC.exe child is listed separately here. The crashing process (PID 2488) does not appear elsewhere in the tree.
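The cmd.exe command line in the tree above is the recognisable part of this sample: five distinct recovery-inhibition actions in one process-creation event. The following is an added example, not part of the sandbox report: a small detector that strips the cmd.exe /c wrapper, splits the line on cmd.exe chaining operators, and matches each fragment against per-tool rules, so a single admin-style `vssadmin delete shadows` scores lower than the chained sequence. The rule names, the threshold and the benign comparison lines are the example's own; the observed line is copied from the report.

```python
"""Flag process command lines that chain Windows recovery-inhibition commands.

Added example for the cmd.exe command line in the 666.exe process tree; the
rule names, threshold and the benign comparison lines are this example's own.
"""
import re

# One regex per sub-command, matched against a lower-cased, '&'-split fragment.
# The first five cover exactly what the 666.exe sample ran; the sixth covers the
# vssadmin storage-resize trick that evicts shadows without saying "delete".
RULES = [
    ("vssadmin_delete_shadows", r"^vssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("wmic_shadowcopy_delete", r"^wmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("bcdedit_ignore_boot_failures", r"^bcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("bcdedit_disable_recovery", r"^bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+(no|off|0)\b"),
    ("wbadmin_delete_catalog", r"^wbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("vssadmin_resize_shadowstorage", r"^vssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
]

# The command line recorded in the report for PID 492, reproduced as input.
OBSERVED_CMDLINE = (
    '"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet '
    '& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures '
    '& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'
)

# Optional leading '"<path>\cmd.exe" /c ' or 'cmd /k ' wrapper; group 1 is the payload.
_CMD_WRAPPER = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s+(.*)$')


def split_subcommands(cmdline):
    """Drop a cmd.exe /c|/k wrapper, then split on cmd.exe chaining operators
    (&, &&, ||) so each tool invocation is matched on its own."""
    m = _CMD_WRAPPER.match(cmdline)
    body = m.group(1) if m else cmdline
    return [part.strip() for part in re.split(r"\s*(?:&&|\|\||&)\s*", body) if part.strip()]


def match_rules(cmdline):
    """Return the sorted, de-duplicated rule names hit anywhere in the command line."""
    hits = set()
    for sub in split_subcommands(cmdline):
        low = sub.lower()
        hits.update(name for name, pattern in RULES if re.search(pattern, low))
    return sorted(hits)


def classify_cmdline(cmdline, threshold=2):
    """One hit may be an admin cleaning up snapshots; two or more distinct
    recovery-inhibition actions in one command line is the ransomware pattern."""
    hits = match_rules(cmdline)
    if not hits:
        verdict = "clean"
    elif len(hits) >= threshold:
        verdict = "inhibit_recovery"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "hits": hits}


if __name__ == "__main__":
    for line in (OBSERVED_CMDLINE,
                 "cmd.exe /c vssadmin list shadows",                 # constructed, benign
                 "vssadmin delete shadows /for=C: /oldest /quiet"):  # constructed, single action
        print(classify_cmdline(line))
```

Two caveats for use against real telemetry: the splitter also cuts at the `&` in redirections such as `2>&1`, which is harmless for matching but means fragments are not exact shell tokens, and the child WMIC.exe line (`wmic shadowcopy delete`) on its own scores only "suspicious", so the rule belongs on the parent cmd.exe event where the whole chain is visible.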
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1972-133-0x00000000008D0000-0x00000000008EC000-memory.dmp (112KB)
- memory/1972-134-0x00000000058B0000-0x0000000005E54000-memory.dmp (5.6MB)
- memory/1972-135-0x00000000053A0000-0x0000000005432000-memory.dmp (584KB)
- memory/1972-136-0x00000000054E0000-0x00000000054F0000-memory.dmp (64KB)
- memory/1972-137-0x0000000002D60000-0x0000000002D6A000-memory.dmp (40KB)
- memory/1972-138-0x00000000054E0000-0x00000000054F0000-memory.dmp (64KB)
- memory/1972-139-0x00000000054E0000-0x00000000054F0000-memory.dmp (64KB)
- memory/1972-140-0x00000000054E0000-0x00000000054F0000-memory.dmp (64KB)