595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9.exe
Size

2.1MB
MD5

c46070b5e113a7f5d9a58de14a11e430
SHA1

5007943bec2cf5310cfe8b8c49d6f55f79ad0e4c
SHA256

595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9
SHA512

e77a2bbc22974f79f30f6673adaf78c8818d674532ef1cff4d61514ecb3d1aec0459d76c05595d1c650624bf25d4e4f06ee14841b5c2b1c5a20a27e4861ae818
SSDEEP

24576:R+KpPzIzkQoU6TPF8mkoSW12GR7qMA6v0Xwq8UcNV++e/i5dv9jOlRJYzyiMAIQB:Bq9LmKKe36MmYJPAvIPtHzHlh4UC4qki

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1296 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 472 vssvc.exe
Token: SeRestorePrivilege 472 vssvc.exe
Token: SeAuditPrivilege 472 vssvc.exe

pid	process
1296	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	472	vssvc.exe
Token: SeRestorePrivilege	472	vssvc.exe
Token: SeAuditPrivilege	472	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9.exe

description	pid	process	target process
PID 924 wrote to memory of 1296	924	595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9.exe	vssadmin.exe
PID 924 wrote to memory of 1296	924	595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9.exe	vssadmin.exe
PID 924 wrote to memory of 1296	924	595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9.exe	vssadmin.exe
PID 924 wrote to memory of 1296	924	595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9.exe
"C:\Users\Admin\AppData\Local\Temp\595c869f8ec7eaf71fef44bad331d81bb934c886cdff99e1f013eec7acdaf8c9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads