17188840e0be125d91b563f879529132aad5bbd5a74ac10065216d55514ede53

General

Target

526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe
Size

6.6MB
MD5

c624568e033887437008f25588e3d9ce
SHA1

86a6e0446fbd19a7a9bbd097bcd0de4f8d41f8d9
SHA256

526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411
SHA512

8b195760bed271a00ca615a36d8c50c9feac6328c8061ec3340c716177c61e79fd84c5c1665a2b4cee2fcb537c54501c25173476b9970409ebdfa8be7218006a
SSDEEP

196608:2ESpuhPRSIIlKBX0EOJ7+n22Ze0+4O9D0FT:8uxstlKBX0EQaZS40Ql

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe
2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\READ_ME_GET_HELP.txt	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe
File created	C:\Program Files\READ_ME_GET_HELP.txt	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\READ_ME_GET_HELP.txt	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1704	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2776	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2596	2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe	28
PID 2184 wrote to memory of 2596	2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe	28
PID 2184 wrote to memory of 2596	2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe	28
PID 2184 wrote to memory of 2596	2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe	28
PID 2596 wrote to memory of 1704	2596	cmd.exe	30
PID 2596 wrote to memory of 1704	2596	cmd.exe	30
PID 2596 wrote to memory of 1704	2596	cmd.exe	30
PID 2596 wrote to memory of 1704	2596	cmd.exe	30
PID 2184 wrote to memory of 2508	2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe	32
PID 2184 wrote to memory of 2508	2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe	32
PID 2184 wrote to memory of 2508	2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe	32
PID 2184 wrote to memory of 2508	2184	526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe	32

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe
"C:\Users\Admin\AppData\Local\Temp\526613447e3fab1375062a6cd1a92f9494d712f1384f850ef46f364a6cc1a411.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME_GET_HELP.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\READ_ME_GET_HELP.txt

Filesize
1KB

MD5
21f97b53f395009106f24d8351cae280

SHA1
1c29652a8dd1c8bec0d984f8a2f75465c60f5fbc

SHA256
4b53b8751d700c396d97d0a3619317fa9530f3c5ef3f936baad8d4bc6bab2177

SHA512
11ee522ae029a0bea25e65771478bc0c81c09dd342e99921ce5f4aca2d169395aa301a359107bfa54ea726caef8af024036b1046a417945d83cd7b7599dc0ef5

Download Submit
C:\Users\Admin\Desktop\READ_ME_GET_HELP.txt

Filesize
1KB

MD5
21f97b53f395009106f24d8351cae280

SHA1
1c29652a8dd1c8bec0d984f8a2f75465c60f5fbc

SHA256
4b53b8751d700c396d97d0a3619317fa9530f3c5ef3f936baad8d4bc6bab2177

SHA512
11ee522ae029a0bea25e65771478bc0c81c09dd342e99921ce5f4aca2d169395aa301a359107bfa54ea726caef8af024036b1046a417945d83cd7b7599dc0ef5

Download Submit
memory/2184-5-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2184-0-0x0000000000400000-0x0000000000E67000-memory.dmp

Filesize
10.4MB

Download
memory/2184-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2184-6-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/2184-10-0x0000000000400000-0x0000000000E67000-memory.dmp

Filesize
10.4MB

Download
memory/2184-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2184-12-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2184-328-0x0000000000400000-0x0000000000E67000-memory.dmp

Filesize
10.4MB

Download
memory/2184-3-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2184-333-0x0000000000400000-0x0000000000E67000-memory.dmp

Filesize
10.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads