Overview

overview

9

Static

static

3

9928a35bc4...7e.exe

windows7-x64

9

9928a35bc4...7e.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9928a35bc486aa85387397966d205b8e3a69f14232d1933f8aaeac7d9026c17e.exe

  • Size

    326KB

  • MD5

    c40c5bcb6c4cceadca53b2ca29a7fe0b

  • SHA1

    f7aa8ebc0c7a745e3c75082c031780dfbab6e4a9

  • SHA256

    9928a35bc486aa85387397966d205b8e3a69f14232d1933f8aaeac7d9026c17e

  • SHA512

    5b5a217bc49493fde14e9d6a866244c76d73a9a0de2d0f01f46d2d6bdcec011906f63a24f9caedd16a8ac54c21a40be8d020acbfd9726ff7e8a4066f43c1a680

  • SSDEEP

    6144:4Ozb+3+UEoTkUdiJxemmh/9p2Aj+wDPc0gQUCrkftmfdOjwzxH4T:9+EoTkUdmxSh/9p2W00FUCrkFm5zxH4

Score
9/10
persistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\9928a35bc486aa85387397966d205b8e3a69f14232d1933f8aaeac7d9026c17e.exe
    "C:\Users\Admin\AppData\Local\Temp\9928a35bc486aa85387397966d205b8e3a69f14232d1933f8aaeac7d9026c17e.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\syswow64\explorer.exe
      "C:\Windows\syswow64\explorer.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\syswow64\svchost.exe
        -k netsvcs
        3⤵
          PID:2816
        • C:\Windows\syswow64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          3⤵
          • Interacts with shadow copies
          PID:544
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab32A6.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar3384.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • memory/2448-9-0x0000000000130000-0x0000000000162000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2448-13-0x0000000000130000-0x0000000000162000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2564-0-0x0000000002480000-0x00000000024E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2564-1-0x0000000002760000-0x0000000002761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-2-0x0000000002760000-0x0000000002761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-3-0x0000000002480000-0x00000000024E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2564-4-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2564-8-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2816-11-0x0000000000080000-0x00000000000B2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2816-14-0x0000000000080000-0x00000000000B2000-memory.dmp

      Filesize

      200KB

      Download