Resubmissions

13/04/2023, 22:45

230413-2pel4agb8x 9

13/04/2023, 22:41

230413-2l2x8aeg57 9

Analysis

  • max time kernel
    41s
  • max time network
    44s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    13/04/2023, 22:45

General

  • Target

    9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff.exe

  • Size

    5.1MB

  • MD5

    9880fae6551d1e9ee921f39751a6f3c0

  • SHA1

    30466ccd4ec7bcafb370510855da2cd631f74b7a

  • SHA256

    9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff

  • SHA512

    c38b5c7fc6f0089e6b0318ff63b4053f9015f7d71c19545e1e3bcbfda2f314f628897f2033360f29a459efa701fb0a12b546239d1a1e7b12fb51ebe6f0407b4b

  • SSDEEP

    49152:S4mkYp+03HbhndpeoVK9/0cjXd77yg6PxHuy7vDKD12K5EKGHg1q14gUynCLgIMk:UF31ed/XB7AbvbAEKGpTI7

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Windows directory 7 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff.exe
    "C:\Users\Admin\AppData\Local\Temp\9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2956
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4784
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
    1⤵
    • Drops file in Windows directory
    PID:2228
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1860

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HMM2HWB4\microsoft.windows[1].xml

    Filesize

    97B

    MD5

    4503bfb04f999fbac8cd8ab3bb047b46

    SHA1

    c517630abd9e2e9fd7c35e1dfd6f9a9e463dbf40

    SHA256

    944db1fddd6071f23eefe130cc59ae3e41631b4d4b95e9bb88bb6863bce23fde

    SHA512

    4ec4a51643752a64b735834189a65fd79036344b81a1d2e3d83ec3e29b72a54ea081021319e46240b1d554bd976352864ec3aeaa990021f652d9c3f6b6ebf2cf

  • C:\Users\Admin\AppData\Local\RECOVERY_DARKBIT.txt

    Filesize

    1KB

    MD5

    96105b566c113b7a0248eead1e9e0344

    SHA1

    1d37a0c6bc90eecfecf62deecf9a7cf31e924ae4

    SHA256

    fca050431ba94630d691a7d6cbdd491354c69f738b0d8e03b531173a741ad286

    SHA512

    cca4f7407326145f5ab3288d41b4f221c7227ecffd0bb4cd5fe068857807aacc76f16f30fdb4d93a2f5e3377e47ea4cf0a9486ff6b0ad6ecdb7b81c326f72e23

  • memory/2228-2633-0x00000254DA8E0000-0x00000254DA8F0000-memory.dmp

    Filesize

    64KB

  • memory/2228-2638-0x00000254DA920000-0x00000254DA930000-memory.dmp

    Filesize

    64KB

  • memory/2228-2673-0x00000254DF660000-0x00000254DF661000-memory.dmp

    Filesize

    4KB

  • memory/2228-2676-0x00000254DF7A0000-0x00000254DF7A1000-memory.dmp

    Filesize

    4KB

  • memory/2228-2713-0x00000254DF7C0000-0x00000254DF7C1000-memory.dmp

    Filesize

    4KB

  • memory/2968-215-0x0000000000100000-0x000000000068A000-memory.dmp

    Filesize

    5.5MB

  • memory/2968-2426-0x0000000000100000-0x000000000068A000-memory.dmp

    Filesize

    5.5MB

  • memory/2968-2941-0x0000000000100000-0x000000000068A000-memory.dmp

    Filesize

    5.5MB

  • memory/4784-2533-0x000001C613EC0000-0x000001C613EE0000-memory.dmp

    Filesize

    128KB

  • memory/4784-2568-0x000001BE10F60000-0x000001BE10F80000-memory.dmp

    Filesize

    128KB