5457e36971779555fc051dbf6969871394fc3c772027a985060b2c4242bc642a

General

Target

f4f16132ca4704exe_JC.exe
Size

131KB
MD5

f4f16132ca4704cc3ef881b2c136ee25
SHA1

33ff60ab4aec6f04f6ff204cd1e0dc86db7d5e07
SHA256

5457e36971779555fc051dbf6969871394fc3c772027a985060b2c4242bc642a
SHA512

b8ae47631905b19b950e4c82b0f2a8249b17b7773b4dfb14ea4752343568ad9e92addeb9af6c79742fb41d8b0c4a76d540d2de333f256374fed077b182f1eda5
SSDEEP

3072:wxb4zdcTtDRgqoru/Go5rWIy4m3WV1oqCgQfBUnPy8L2VBBh:w+OTttgxre1Q4m3WV1oqCgQfBUPy8L2L

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\201e3910.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*01e391 = "C:\\201e3910\\201e3910.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\201e3910 = "C:\\Users\\Admin\\AppData\\Roaming\\201e3910.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*01e3910 = "C:\\Users\\Admin\\AppData\\Roaming\\201e3910.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\201e391 = "C:\\201e3910\\201e3910.exe"	explorer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-addr.es
5	myexternalip.com

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2456	vssadmin.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2972	f4f16132ca4704exe_JC.exe
2228	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	808	vssvc.exe
Token: SeRestorePrivilege	808	vssvc.exe
Token: SeAuditPrivilege	808	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2228	2972	f4f16132ca4704exe_JC.exe	28
PID 2972 wrote to memory of 2228	2972	f4f16132ca4704exe_JC.exe	28
PID 2972 wrote to memory of 2228	2972	f4f16132ca4704exe_JC.exe	28
PID 2972 wrote to memory of 2228	2972	f4f16132ca4704exe_JC.exe	28
PID 2228 wrote to memory of 2312	2228	explorer.exe	29
PID 2228 wrote to memory of 2312	2228	explorer.exe	29
PID 2228 wrote to memory of 2312	2228	explorer.exe	29
PID 2228 wrote to memory of 2312	2228	explorer.exe	29
PID 2228 wrote to memory of 2456	2228	explorer.exe	30
PID 2228 wrote to memory of 2456	2228	explorer.exe	30
PID 2228 wrote to memory of 2456	2228	explorer.exe	30
PID 2228 wrote to memory of 2456	2228	explorer.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f4f16132ca4704exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f4f16132ca4704exe_JC.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\syswow64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\syswow64\svchost.exe
    -k netsvcs
    3⤵
    PID:2312
- - C:\Windows\syswow64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
026d0787566eda6255c6dc4f04677004

SHA1
f4b85c0b0ee96f9700689d7c2bb227f31f655074

SHA256
1aa546472ba20832fc3c12dfb262ad6e5f690a7fa0429069a36c354f0a728483

SHA512
0fa9aca7f8c850956c2176388ba2d5c10253c400deb4bcbdc0c247a65f54b8c74f4f21e74c6ffd12933a467d94d180547e926345bbf8b96755e884357127c8be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04857e2af5096bb5d6ece416e15f689e

SHA1
7b7fa323bafbfb2630b388c87bba5038fb9746a7

SHA256
87d43a96d896ae93b3287447d7bc30e65f69cb6e5c5962b45bc9561f3f5b90cb

SHA512
e5572b9c55a8e1d2a2133aae9aaa91c0c9044d892b69429c5ac6459e2385b307af4e327a89e77679aff68802a64e06c3ebf8d108f83e5fcc1e9beb1697990b6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e731c8ca0299efb6cd0f82ac09b451a5

SHA1
c6d35d25b0843686485795a622a9cd343700ad3a

SHA256
d08823eafd7ad1cd8812137ac7372bb5f9f88184d2f4bbb2ee3fc27b7beb2265

SHA512
6fb772407a51e52747c48787c81a175dfc4c6fec9aff1021d05081e2e7b847d7d4909a301ac6b8672c760f0c0e13e398f420d9b2ccc06eff83e91e31e21a05b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab986B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar98BC.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2228-53-0x00000000000C0000-0x00000000000E5000-memory.dmp

Filesize
148KB

Download
memory/2228-54-0x00000000000C0000-0x00000000000E5000-memory.dmp

Filesize
148KB

Download
memory/2228-112-0x00000000000C0000-0x00000000000E5000-memory.dmp

Filesize
148KB

Download
memory/2312-58-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2312-59-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2312-113-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing