Analysis

  • max time kernel
    426s
  • max time network
    429s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/09/2023, 00:10

General

  • Target

    c638ac1eeef2c97901d6a67e8669a265fecb16eeccda7c49b47e78667cc1fe20.exe

  • Size

    138KB

  • MD5

    ceececadd6c0a7265c3ca3d01ec9d20f

  • SHA1

    6154b81d146a4c7dedbbb546081628626a20e469

  • SHA256

    c638ac1eeef2c97901d6a67e8669a265fecb16eeccda7c49b47e78667cc1fe20

  • SHA512

    cef796740651ce4231748928eec48540e2d0dc68770cb88e3f61ca85c3716761a521a1d66adfe6fbdd37edf5e75d5d8fa7d8eee5d256a9b4f41dc1b9812c86f9

  • SSDEEP

    3072:tPgv1uTga8za7/aApO6fCR6kMgNjTX8jI8VD/dJJO04aN5uvvmRE7xIxT62B009Q:tKZTMPVDdzR1N5sAxKN9dRd

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (11342) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c638ac1eeef2c97901d6a67e8669a265fecb16eeccda7c49b47e78667cc1fe20.exe
    "C:\Users\Admin\AppData\Local\Temp\c638ac1eeef2c97901d6a67e8669a265fecb16eeccda7c49b47e78667cc1fe20.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2492
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:7780
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4692
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    PID:648
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:7156

    Downloads

    • C:\Program Files (x86)\FILE ENCRYPTED.txt

      Filesize

      330B

      MD5

      04ff194c9661cb2e9602921f806618d5

      SHA1

      79efc9c5ac8680178f9652bf9abf814445859769

      SHA256

      be13ce3677357d50cd909b8acb34721a3a683539f40e05d978ee44ced8e1fdbe

      SHA512

      9e69960e4ea93625c8b40d93420a2b6186af642efce246c6f627c173e18edc392a558cfd3245c9aa5bac4150f5595d4a47f9360d088d6a800a705f72c719161c

    • C:\Program Files (x86)\Microsoft\EdgeCore\116.0.1938.62\msedge.dll.EMAIL=[[email protected]]ID=[A7BF40638C0B7184].rival

      Filesize

      243.4MB

      MD5

      a8fa7257f6a649c555929e34599c52a2

      SHA1

      3d8d2993e8dea973f93041c22af6e65c7371b058

      SHA256

      398e274f6d51e82618cef1b74cff12a509ccae533a594503f1da44d60ae6cb84

      SHA512

      7607eef39b23b21a7c4fb1c973968bfcce63c201e8925e1ac1649085d0dc8083127929aced242e98c88ea753de098fa05147c01eae1d0c3f29347ee34a26a162

    • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C3334BD0-12B8-4B45-9E44-89AF8D41F229}\MicrosoftEdge_X64_116.0.1938.62.exe.EMAIL=[[email protected]]ID=[A7BF40638C0B7184].rival

      Filesize

      145.6MB

      MD5

      bad3ab7cca9e6d182e05d7ab781274ab

      SHA1

      b48947c09aada5a39bc67481a0099a9275bea59f

      SHA256

      a8fd9c2fdc40cb45970b4ed5305e4e8d35137d4dddaa5b5b9913b27ec18f1bdf

      SHA512

      8e48e27b2ea296eba07bc4f67a280e892860ed5568f303a8ec35ee7240d35e587357d6c2cf562df06fac575f34bdf5ae1d62500298c988def2ad09c9fd523559

    • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\116.0.1938.62\ResiliencyLinks\EdgeWebView.dat.DATA

      Filesize

      8KB

      MD5

      7a3b05a64f11e3048b1f0395f5e57c94

      SHA1

      7cf5dfcff76b53cf9ba26b1f782b0fcbff3df4f6

      SHA256

      287a351282b09470576c7d5c22dadd1a0377c76246dee2f89c969a51b97ca79f

      SHA512

      db8e06579af13b4112c431ba864aa34e4049eaaac2537976e6b54fa2c0e97cf9e8dae6971f188a9f932d5b62084a1a7a848440681bceff3167e1bc55784cdd94

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

      Filesize

      14KB

      MD5

      ad1550ededb9ae33836bed3a8e020bb6

      SHA1

      d97f555fafad1373359139e9746e2a7a619ecb97

      SHA256

      b467849d6c685359359d542f6a565dba1ea20847ac97a79b4689fd61ee1702e1

      SHA512

      e7db008eb29622ec2dcb3fdd7c911a2f1539646a713aa873c60c8f5d0ff3338b1ad11e25e3c104d8d5600b3e4d69e2c2f01ccc0f5e3c048a4d1c330f4e8b2537

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

      Filesize

      14KB

      MD5

      f0c52b5cef3946494f0d33d8147f23c6

      SHA1

      2990021322c21c9aed04719a96e722ae584034b7

      SHA256

      4dee12edb94732465db579c7525e200fd54b367c076a24cf5f20ca14f21f00cd

      SHA512

      b676a309dc56e3d3018f5c3c13c93827fbd74d70e1a6f73d29331a51b402d2ec7f569cfad6075f894081b13355ad96ee51973de0f6361297fef2d83c4e61fce8