Analysis
-
max time kernel
104s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03-04-2023 18:52
General
-
Target
666.exe
-
Size
86KB
-
MD5
a7f9d16f72ba1782aff84741fcc43a7a
-
SHA1
20536bb7463d83143a0221e56c4faf2155e73bc7
-
SHA256
1bf688e2b35c3e431a8458de0e55d30729a8ae2762568f82359ed0ccf75d65fa
-
SHA512
59b08739c0eeedf8956a7dc44730d11548996ed1f6ef2dc6beac753fc1a6b844545250640d9f341a6c7a06f108cd43b6db98e9e7166729405e54ab9e5513a3cd
-
SSDEEP
1536:2Uv4AYvNDT0aJQcc7T7yVx+a0NqlLjvCPTPRhnBu3gAjObfnapxjJeU:28ACb/6jIU
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\666.exe"C:\Users\Admin\AppData\Local\Temp\666.exe"1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 476 -p 2488 -ip 24881⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2488 -s 17481⤵
- Program crash
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1972-133-0x00000000008D0000-0x00000000008EC000-memory.dmpFilesize
112KB
-
memory/1972-134-0x00000000058B0000-0x0000000005E54000-memory.dmpFilesize
5.6MB
-
memory/1972-135-0x00000000053A0000-0x0000000005432000-memory.dmpFilesize
584KB
-
memory/1972-136-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/1972-137-0x0000000002D60000-0x0000000002D6A000-memory.dmpFilesize
40KB
-
memory/1972-138-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/1972-139-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/1972-140-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB