2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09-10-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b.exe
Size

2.1MB
MD5

f2f184c8baa512d77c99fb3010bf4985
SHA1

34d804d25b3657e0cb333b8fccac175b94e3b879
SHA256

2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b
SHA512

8b6f53dc3b50f644e4c80a3b291e0a77352582952549141ab8b8c3177b87ef52ac4cb3d917166191f802c636008605c52ee598499ab2929c1af69c4b870e0d26
SSDEEP

24576:P+KpPzIzkQoU6cvTJdCm6pMtGMt0p0LkeoqP5nV6BQ1s2Y/tJGnX+LuiehI6YL2+:Dq9FTZGkvtOqYwrUPJwzjdQsh6b

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2420 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2632 vssvc.exe
Token: SeRestorePrivilege 2632 vssvc.exe
Token: SeAuditPrivilege 2632 vssvc.exe

pid	process
2420	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	2632	vssvc.exe
Token: SeRestorePrivilege	2632	vssvc.exe
Token: SeAuditPrivilege	2632	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b.exe

description	pid	process	target process
PID 2128 wrote to memory of 2420	2128	2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b.exe	vssadmin.exe
PID 2128 wrote to memory of 2420	2128	2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b.exe	vssadmin.exe
PID 2128 wrote to memory of 2420	2128	2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b.exe	vssadmin.exe
PID 2128 wrote to memory of 2420	2128	2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b.exe
"C:\Users\Admin\AppData\Local\Temp\2db52b3206c573c63688bbd66c9f25caf8ef72458e2095d07b922cefeb366c9b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\vssadmin.exe
delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads