52f03ab2a7ea80be35cb6cd4a41a450a154e4b6dca6f5244fb3b0ad157a01e1d

General

Target

9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926.exe
Size

2.9MB
MD5

afd5d656a42a746e95926ef07933f054
SHA1

04028a0a1d44f81709040c31af026785209d4343
SHA256

9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
SHA512

9397ebac71847597852cc8ca9045dc4c66802d4afb612d7ebd30a5f4dd5b50c6714d2c76e5c4e4e408d12deef4f33b51b4a393e89ec23d984a159682f6e90999
SSDEEP

49152:cDVwASOLGtlqrRIU6i9+vazNqQlJZP1BMU2thA8mNtNCiJlrRUFcJ7HIPcLzk+5c:wm+GaNqqJJ12vlZol8cJ7rcl

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1080 vssadmin.exe

pid	process
1080	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1656 WINWORD.EXE

pid	process
1656	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

vssvc.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	1068	vssvc.exe
Token: SeRestorePrivilege	1068	vssvc.exe
Token: SeAuditPrivilege	1068	vssvc.exe
Token: 33	1476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1476	AUDIODG.EXE
Token: 33	1476	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1476	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXEAcroRd32.exe

pid process

1656 WINWORD.EXE
1656 WINWORD.EXE
1656 WINWORD.EXE
1576 AcroRd32.exe
1576 AcroRd32.exe

pid	process
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1576	AcroRd32.exe
1576	AcroRd32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926.exe

description	pid	process	target process
PID 884 wrote to memory of 1080	884	9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926.exe	vssadmin.exe
PID 884 wrote to memory of 1080	884	9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926.exe	vssadmin.exe
PID 884 wrote to memory of 1080	884	9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926.exe
"C:\Users\Admin\AppData\Local\Temp\9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\System32\vssadmin.exe
delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\AddUnregister.docx"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x43c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Music\BackupRename.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads