117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

Analysis

max time kernel
2s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
Size

7.7MB
MD5

a7ab0969bf6641cd0c7228ae95f6d217
SHA1

002971b6d178698bf7930b5b89c201750d80a07e
SHA256

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
SHA512

7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a
SSDEEP

49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1808	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
Token: SeBackupPrivilege	4884	vssvc.exe
Token: SeRestorePrivilege	4884	vssvc.exe
Token: SeAuditPrivilege	4884	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3160	4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe	90
PID 4140 wrote to memory of 3160	4140	117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe	90
PID 3160 wrote to memory of 1808	3160	cmd.exe	93
PID 3160 wrote to memory of 1808	3160	cmd.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe
"C:\Users\Admin\AppData\Local\Temp\117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads