Analysis
-
max time kernel
123s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
08-05-2023 17:48
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
Resource
win10v2004-20230220-en
General
-
Target
VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
-
Size
137KB
-
MD5
21d01fa87dfcaf971ff7b63a1a6fda94
-
SHA1
f3caa9831fc715af4f47cd98803549902dffe30a
-
SHA256
ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83
-
SHA512
f89997f8c31d77029f1087257a5b24337f9989bebfbe4169067acae72a5dd50ce118d273fae00690ef2e2bf345901d723034992f53dd3e5b9df5cbe9be2e67fa
-
SSDEEP
1536:ASOoRSNl/XT9yYSvVKJJgpBy7bICS4AUsiz8djOK:WPaKJJctOqjOK
Malware Config
Extracted
C:\Recovery\8e2y81-readme.txt
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C8122D50B6F33773
Signatures
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ConnectCheckpoint.png => \??\c:\users\admin\pictures\ConnectCheckpoint.png.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\users\admin\pictures\NewConvertFrom.tiff | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File renamed | C:\Users\Admin\Pictures\SuspendHide.raw => \??\c:\users\admin\pictures\SuspendHide.raw.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File renamed | C:\Users\Admin\Pictures\UnpublishBlock.raw => \??\c:\users\admin\pictures\UnpublishBlock.raw.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\users\admin\pictures\UnpublishRedo.tiff | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File renamed | C:\Users\Admin\Pictures\UnpublishRedo.tiff => \??\c:\users\admin\pictures\UnpublishRedo.tiff.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File renamed | C:\Users\Admin\Pictures\CompareFind.crw => \??\c:\users\admin\pictures\CompareFind.crw.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File renamed | C:\Users\Admin\Pictures\NewConvertFrom.tiff => \??\c:\users\admin\pictures\NewConvertFrom.tiff.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File renamed | C:\Users\Admin\Pictures\SplitResolve.tif => \??\c:\users\admin\pictures\SplitResolve.tif.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File renamed | C:\Users\Admin\Pictures\TraceResize.tif => \??\c:\users\admin\pictures\TraceResize.tif.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File renamed | C:\Users\Admin\Pictures\UnblockRepair.crw => \??\c:\users\admin\pictures\UnblockRepair.crw.8e2y81 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\H: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\P: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\S: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\U: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\V: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\A: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\B: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\G: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\W: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\Z: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\T: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\D: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\F: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\J: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\O: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\Q: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\K: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\M: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\N: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\R: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\X: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\Y: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\E: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\I: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened (read-only) | \??\L: | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6157fd78j5.bmp" | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
-
Drops file in Program Files directory 16 IoCs
Processes:
description | ioc | process
File opened for modification | \??\c:\program files\ImportLimit.mpeg2 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\ResolveUpdate.wdp | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\SubmitSend.vdx | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\ConfirmComplete.vst | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\InitializeRequest.vsw | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\PushSave.vsw | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\RestoreMount.m1v | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\CheckpointMeasure.mp3 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\DenyPop.mpe | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\StopSend.gif | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\PublishReset.otf | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\UnpublishUninstall.m4a | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File created | \??\c:\program files\8e2y81-readme.txt | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File created | \??\c:\program files (x86)\8e2y81-readme.txt | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\ClearRepair.inf | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
File opened for modification | \??\c:\program files\CloseConfirm.search-ms | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
2488 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
2488 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
2488 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
2488 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2488 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
Token: SeTakeOwnershipPrivilege | 2488 | VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
Token: SeBackupPrivilege | 552 | vssvc.exe
Token: SeRestorePrivilege | 552 | vssvc.exe
Token: SeAuditPrivilege | 552 | vssvc.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
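The three file-system signatures above ("Modifies extensions of user files", "Enumerates connected drives" and the ransom-note drops under "Drops file in Program Files directory") are the ones an analyst usually turns into a triage rule. The script below is an added example, not part of the sandbox report or its signature engine: it replays a constructed subset of the report's own description/ioc rows (plus one benign backup-style rename as a control), recovers the appended extension from the rename pairs, derives the ransom-note name from that extension, collects the drive letters whose root was opened, and only calls the pattern ransomware-like when one suffix is appended to several files of different original types. The tuple row layout and the `min_renames` threshold are this example's assumptions; the sandbox's export format is not shown on the page.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "description | ioc" rows in the report
# above: a subset of the real rows plus one benign ".bak" rename as a control.
# The tuple layout is this example's assumption, not the sandbox's export format.
SAMPLE_ROWS = [
    ("File renamed", r"C:\Users\Admin\Pictures\ConnectCheckpoint.png => \??\c:\users\admin\pictures\ConnectCheckpoint.png.8e2y81"),
    ("File opened for modification", r"\??\c:\users\admin\pictures\NewConvertFrom.tiff"),
    ("File renamed", r"C:\Users\Admin\Pictures\SuspendHide.raw => \??\c:\users\admin\pictures\SuspendHide.raw.8e2y81"),
    ("File renamed", r"C:\Users\Admin\Pictures\UnpublishRedo.tiff => \??\c:\users\admin\pictures\UnpublishRedo.tiff.8e2y81"),
    ("File renamed", r"C:\Users\Admin\Pictures\CompareFind.crw => \??\c:\users\admin\pictures\CompareFind.crw.8e2y81"),
    ("File created", r"\??\c:\program files\8e2y81-readme.txt"),
    ("File created", r"\??\c:\program files (x86)\8e2y81-readme.txt"),
    ("File opened (read-only)", r"\??\H:"),
    ("File opened (read-only)", r"\??\D:"),
    ("File opened (read-only)", r"\??\Z:"),
    # Control row: a backup-style rename that must not trip the verdict.
    ("File renamed", r"C:\Users\Admin\Documents\Budget.xlsx => C:\Users\Admin\Documents\Budget.xlsx.bak"),
]

RENAME_RE = re.compile(r"^(?P<src>.+?) => (?P<dst>.+)$")
DRIVE_RE = re.compile(r"^\\\?\?\\(?P<letter>[A-Z]):$")  # NT-style \??\X: root open


def _norm(path: str) -> str:
    """Strip the NT object-manager prefix and lower-case, so a Win32 source
    path and an NT-style destination path compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_extensions(rows):
    """Count, per appended suffix, the 'File renamed' rows whose destination is
    exactly the source path plus '.<ext>'. Ransomware that keeps the original
    file name and appends its own marker produces one dominant key here."""
    counts = Counter()
    for desc, ioc in rows:
        m = RENAME_RE.match(ioc) if desc == "File renamed" else None
        if not m:
            continue
        src, dst = _norm(m["src"]), _norm(m["dst"])
        if dst.startswith(src + "."):
            counts[dst[len(src) + 1:]] += 1
    return counts


def enumerated_drives(rows):
    """Drive letters whose root directory was opened read-only."""
    letters = set()
    for desc, ioc in rows:
        m = DRIVE_RE.match(ioc) if desc == "File opened (read-only)" else None
        if m:
            letters.add(m["letter"])
    return sorted(letters)


def ransom_notes(rows, ext):
    """'File created' rows whose file name embeds the appended extension, the
    convention seen in this report (8e2y81 -> 8e2y81-readme.txt)."""
    return sorted(_norm(ioc) for desc, ioc in rows
                  if desc == "File created" and ext in _norm(ioc).rsplit("\\", 1)[-1])


def assess(rows, min_renames=3):
    """Combine the signals into one verdict. One suffix appended across several
    files of different original types is the discriminator; a lone backup-style
    rename (Budget.xlsx -> Budget.xlsx.bak) must not trigger."""
    counts = appended_extensions(rows)
    if not counts:
        return {"ransomware_like": False, "extension": None}
    ext, n = counts.most_common(1)[0]
    original_types = set()
    for desc, ioc in rows:
        m = RENAME_RE.match(ioc) if desc == "File renamed" else None
        if m and _norm(m["dst"]).endswith("." + ext):
            name = _norm(m["src"]).rsplit("\\", 1)[-1]
            original_types.add(name.rsplit(".", 1)[-1] if "." in name else "")
    return {
        "extension": ext,
        "renamed": n,
        "original_types": sorted(original_types),
        "notes": ransom_notes(rows, ext),
        "drives": enumerated_drives(rows),
        "ransomware_like": n >= min_renames and len(original_types) >= 2,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_ROWS))
```

Two details matter when running this against real sandbox output. The source path in a rename row is Win32-style (`C:\Users\...`) while the destination is NT-style (`\??\c:\users\...`), so the comparison has to strip the prefix and fold case before the suffix check. And the verdict requires both a minimum number of renames and more than one original file type: a backup tool appending `.bak` to a single spreadsheet, or an installer renaming its own files, should score as a rename pattern but not as ransomware.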
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe"
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488
-
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID:3156
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:552
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
6KB
MD5
2c8cff78b31a71ce1688b3345cb31c37
SHA1
61fb194030b3b95cfb968736d0a193c3c83c40d7
SHA256
d104919ccabb105907a06d0c91e7385c3d9bd047cdec13964db2651ebf8f0d85
SHA512
046c0b7ed1c67ef743b744b57109f61f0f5954ffb9b5d963fd1bcf9e41804940c0c949ff7337db4198b0e06a12f90632434ef8310b8d551a5623c722361848f8