afa6503c9de3f2f6995fdfd357d4ec8781045f78245ed3877a48f35a39e9adb0

Analysis

max time kernel
141s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

138KB
MD5

29cd4e58fa0e2eb5fe000153fccbeaa4
SHA1

6eb4bde6dd030a02800be2d374087b23aecd2503
SHA256

ad328952c84a602fff1affae679f1a5edcd9b481e752c9963fdb23c2ee6a5d68
SHA512

1843d3d221f82830a246f4ca6f118ee4e67654bc852674b62dcd3b8381697c0d945e6e01ac43d6b27e2f72059cf05c692148e7b9aa5ba9c5630dc403d35dbb75
SSDEEP

3072:/Pgv1uTga8za7/aApO6fCR6kMglPTX8jI8VD/dJJO04aN5uvvmRE7xIxT62Bb09Q:HKNTMPVDdzR1N5sAxJN9dRd

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (9900) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	sample.exe
File opened (read-only)	\??\D:	sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar	sample.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_4.m4a	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d6.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-40.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-150.png	sample.exe
File created	C:\Program Files\Internet Explorer\images\FILE ENCRYPTED.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.DispatchProxy.dll	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png	sample.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PackageManagement.resources.dll	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	sample.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\FILE ENCRYPTED.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogo.png.DATA.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FILE ENCRYPTED.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\ui-strings.js.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageSmallTile.scale-200.png	sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\CompleteCheckmark.png	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\FILE ENCRYPTED.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-unplated.png	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL	sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-100.png	sample.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\avtransport.xml	sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_fr.dll.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	sample.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\logging.properties	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\FILE ENCRYPTED.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-125_contrast-black.png	sample.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldBeLessThan.snippets.ps1xml	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms	sample.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-256.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_contrast-black.png	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-150.png	sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\s_agreement_filetype.svg	sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-20_contrast-black.png	sample.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\FILE ENCRYPTED.txt	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png	sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\ui-strings.js.EMAIL=[[email protected]]ID=[908D28930971C614].harward	sample.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\setup_wm.exe.mui	sample.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\FILE ENCRYPTED.txt	sample.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	sample.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4148	vssadmin.exe
2808	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe
4008	sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	5352	vssvc.exe
Token: SeRestorePrivilege	5352	vssvc.exe
Token: SeAuditPrivilege	5352	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3788	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3680	4008	sample.exe	88
PID 4008 wrote to memory of 3680	4008	sample.exe	88
PID 3680 wrote to memory of 4148	3680	cmd.exe	90
PID 3680 wrote to memory of 4148	3680	cmd.exe	90
PID 4008 wrote to memory of 4292	4008	sample.exe	100
PID 4008 wrote to memory of 4292	4008	sample.exe	100
PID 4292 wrote to memory of 2808	4292	cmd.exe	102
PID 4292 wrote to memory of 2808	4292	cmd.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5352

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1648

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FILE ENCRYPTED.txt

Filesize
332B

MD5
8d247069f409856bb7c8795d2f57a8db

SHA1
34b7f0c49e9a24d70c9cbb2f874404fe66ffaf4a

SHA256
4eacc71e0663eb5b6d06118effe5f35af4cb33ca10084b61a5d326a8b6ce3fa1

SHA512
a596c4a0c6a2024a7fa7757e3977a0c52328bf2442f0aa608642121adea679e6e3183ea7de7da77ba30c7a7c8161afcd13c2a2fe7589699b3992ee4e81ceb883

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
14KB

MD5
0cdf944d4f8cb598a4f6a95245fcc35d

SHA1
bbc33ebc42c2c7cea498d9217414dd8f62aacde7

SHA256
fcbf8a23c859cacabd4c9f687ce43b434d3d7c6e9c55fe4377135dc5bbc99e09

SHA512
59f0945fc850fa8b60583d01a480cd19dfdad2a093891128f1905b6dfda879ef44cf68d8032ac89a17b745da07bb0889922ce1a2a4eb3078fcac9bd60d3578c0

Download Submit