4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12

Analysis

max time kernel
34s
max time network
38s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07-07-2023 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe
Size

4.0MB
MD5

1b97f1c8a03b0f4a6132d8960bc66737
SHA1

76c0ff36342891ee632ce856d03af6957d9614e3
SHA256

4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12
SHA512

04cec2c5d7aa4bcc506c427d245f94bf704019d7749bc35706726722fa6c455c75da79c342dbe05c5805f86322a08edb27679194f024285fee0f79d73ec6ff39
SSDEEP

49152:r2r2M/8Y+1zE3usDbOnwsHrYDUFsjVeYBCwyNP4lb3aDVRe+9v2wNNHbEUPTs:O2hdEMX5Re+VHEU7

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\EditReset.png.enc	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe
File created	C:\Users\Admin\Pictures\RequestMount.raw.enc	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.enc	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
300	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2200	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe
2200	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe
2200	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2200	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe
Token: SeBackupPrivilege	996	vssvc.exe
Token: SeRestorePrivilege	996	vssvc.exe
Token: SeAuditPrivilege	996	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2004	2200	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe	32
PID 2200 wrote to memory of 2004	2200	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe	32
PID 2200 wrote to memory of 2004	2200	4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe	32
PID 2004 wrote to memory of 300	2004	cmd.exe	33
PID 2004 wrote to memory of 300	2004	cmd.exe	33
PID 2004 wrote to memory of 300	2004	cmd.exe	33

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe
"C:\Users\Admin\AppData\Local\Temp\4aeb348bd9cdcc8ec42396d66114c1e9945388f71103ccc5e8f042d43c7a8e12.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\cmd.exe
  "cmd" /C "vssadmin delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabE46.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit