Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2023 01:06

General

  • Target

    64CO.exe

  • Size

    1.2MB

  • MD5

    a80b79de02d6881d5e54afcefa38298a

  • SHA1

    e0d3e2612a757ff5be818b114028a0e4bb562bc5

  • SHA256

    033b4950a8f249b20eb86ec6f8f2ea0a1567bb164289d1aa7fb0ba51f9bbe46c

  • SHA512

    1fbe52a0086a33a98e48f501c669f3a9e82b5795550702eb61ccc281c77ba29fe217a5897b6caf55582ca1c16d062a2d3219a596d4372c70782bc49499e0ed4f

  • SSDEEP

    24576:FCLKd8jHzb9904e43wa2SZ6Es9S+Nm0m:4K099ReumEwS+

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (629) files with added filename extension

    This is consistent with ransomware encrypting files across the system and appending its own extension to each one.

  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops file in Drivers directory 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 39 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 52 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
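
The "Renames multiple (629) files with added filename extension" signature is the one that separates mass encryption from ordinary file activity. What follows is an added example, not code from the sandbox or the sample: a small detector that reads file-rename events, works out whether each rename merely appended a suffix to the old name, and flags a process that appends the same suffix to many files inside a short window. The ".keversen" suffix is taken from the dropped-file names listed later in this report (the same CryptnetUrlCache metadata name appears both with and without it), which is an inference about the extension the sample adds; the event format, the file names, the timestamps and the two other processes are constructed for the example.

```python
"""Detect a burst of renames that append one suffix to many files.

Added example; not part of the sandbox report. Events are 'seconds|pid|old|new'.
The '.keversen' suffix and PID 4880 come from the report; everything else in
the sample is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed rename events. PID 2200 renames by changing the extension
# (not an append), PID 3100 appends '.bak' to only two files.
SAMPLE_EVENTS = r"""
0.10|4880|C:\Users\Admin\Documents\budget.xlsx|C:\Users\Admin\Documents\budget.xlsx.keversen
0.12|4880|C:\Users\Admin\Documents\notes.txt|C:\Users\Admin\Documents\notes.txt.keversen
0.15|4880|C:\Users\Admin\Pictures\cat.jpg|C:\Users\Admin\Pictures\cat.jpg.keversen
0.20|4880|C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\398EE64D66758B5715368AA94044B13A|C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\398EE64D66758B5715368AA94044B13A.keversen
0.31|4880|C:\Users\Admin\Desktop\plan.docx|C:\Users\Admin\Desktop\plan.docx.keversen
0.45|4880|C:\Users\Admin\Desktop\readme.pdf|C:\Users\Admin\Desktop\readme.pdf.keversen
1.00|2200|C:\Users\Admin\Downloads\report.tmp|C:\Users\Admin\Downloads\report.docx
1.50|3100|C:\ProgramData\app\config.ini|C:\ProgramData\app\config.ini.bak
1.60|3100|C:\ProgramData\app\state.db|C:\ProgramData\app\state.db.bak
"""

Event = Tuple[float, int, str, str]


def appended_suffix(old: str, new: str) -> Optional[str]:
    """Return the suffix appended to `old` to form `new` (e.g. '.keversen'),
    or None when the rename changed the name in any other way
    (report.tmp -> report.docx replaces the extension, so it is not an append)."""
    if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
        return new[len(old):]
    return None


def parse_events(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, pid, old, new = (f.strip() for f in line.split("|", 3))
        events.append((float(ts), int(pid), old, new))
    return events


def detect_rename_bursts(events: List[Event], threshold: int = 5,
                         window_s: float = 60.0) -> List[Dict[str, object]]:
    """Flag each (pid, suffix) pair that appended the same suffix to at least
    `threshold` files inside any `window_s` second window (sliding window
    over the sorted timestamps of that pair)."""
    per_key: Dict[Tuple[int, str], List[float]] = defaultdict(list)
    for ts, pid, old, new in events:
        suffix = appended_suffix(old, new)
        if suffix is not None:
            per_key[(pid, suffix)].append(ts)

    alerts: List[Dict[str, object]] = []
    for (pid, suffix), stamps in per_key.items():
        stamps.sort()
        left, best = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window_s:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts.append({"pid": pid, "suffix": suffix,
                           "files_in_window": best, "total": len(stamps)})
    return sorted(alerts, key=lambda a: -int(a["files_in_window"]))


if __name__ == "__main__":
    for alert in detect_rename_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The threshold is deliberately low here so the constructed six-file burst trips it; on a real endpoint the sandbox's figure of 629 renames in a couple of minutes is the kind of rate to tune against, and the suffix grouping keeps a backup tool that appends ".bak" to a couple of files from firing.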

Processes

  • C:\Users\Admin\AppData\Local\Temp\64CO.exe
    "C:\Users\Admin\AppData\Local\Temp\64CO.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4880
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:3564
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:2024
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4156
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2832
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2360
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:900
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1760
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1908
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4064
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3824
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4164
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2932
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3384
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4444
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4876
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:4360
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:740
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\64CO.exe >> NUL
      2⤵
      PID:4404
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3696
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
      1⤵
      • Drops file in System32 directory
      PID:64
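
The child processes of PID 4880 above form the complete recovery-inhibition chain: shadow storage shrunk and re-expanded per drive to purge existing snapshots, the remaining shadows deleted, Windows Recovery and the boot-failure menu switched off with bcdedit, the system-state backup catalog deleted with wbadmin, a wmic shadowcopy call, and finally the dropper deleting its own binary through cmd.exe. As an added example that is not part of the sandbox report or the sample, the following Python classifies process-creation command lines against that chain and flags a parent that spawned several distinct T1490 (Inhibit System Recovery) techniques. The log lines reuse the command lines from the process tree; the pipe-separated field layout, the parent PID 1234 for 64CO.exe, and the two benign vssadmin lines from PID 777 are constructed for the example.

```python
"""Flag the recovery-inhibition chain from process-creation logs.

Added example (not part of the sandbox report or the sample). Input lines are
'pid|ppid|image|command line'; that layout is an assumed simplification of a
Sysmon Event ID 1 or Security 4688 export.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log. The command lines are the ones from the process tree above;
# parent PID 1234 for 64CO.exe and the two lines from PID 777 (an admin listing
# shadows and resizing shadow storage once) are made up as negative cases.
SAMPLE_LOG = r"""
4880|1234|C:\Users\Admin\AppData\Local\Temp\64CO.exe|"C:\Users\Admin\AppData\Local\Temp\64CO.exe"
3564|4880|C:\Windows\SYSTEM32\vssadmin.exe|vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
2024|4880|C:\Windows\SYSTEM32\vssadmin.exe|vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
3384|4880|C:\Windows\SYSTEM32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
4444|4880|C:\Windows\SYSTEM32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
4876|4880|C:\Windows\SYSTEM32\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
4360|4880|C:\Windows\SYSTEM32\wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP
740|4880|C:\Windows\SYSTEM32\wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2284|4880|C:\Windows\System32\Wbem\wmic.exe|wmic.exe SHADOWCOPY /nointeractive
4404|4880|C:\Windows\system32\cmd.exe|"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\64CO.exe >> NUL
5100|777|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
5101|777|C:\Windows\System32\vssadmin.exe|vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=10%
"""

# (technique name, ATT&CK id, pattern applied to the lower-cased command line)
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("vssadmin_delete_shadows", "T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin_resize_shadowstorage", "T1490", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    # The sample calls wmic SHADOWCOPY without a delete verb (which only lists);
    # it is still tagged because of the company it keeps in this chain.
    ("wmic_shadowcopy", "T1490", re.compile(r"wmic(\.exe)?\s+shadowcopy")),
    ("bcdedit_recoveryenabled_no", "T1490",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("bcdedit_ignoreallfailures", "T1490",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures")),
    ("wbadmin_delete_systemstate", "T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+systemstatebackup")),
    # The dropper removes its own binary once the chain has run (Indicator Removal).
    ("cmd_self_delete", "T1070.004", re.compile(r'cmd\.exe"?\s+/c\s+del\s+\S+\.exe')),
]

Event = Tuple[int, int, str, str]


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = (f.strip() for f in line.split("|", 3))
        events.append((int(pid), int(ppid), image, cmdline))
    return events


def classify(cmdline: str) -> List[Tuple[str, str]]:
    """Return every (technique, attack_id) rule the command line matches."""
    low = cmdline.lower()
    return [(name, tid) for name, tid, rx in RULES if rx.search(low)]


def score_parents(events: List[Event], min_techniques: int = 2) -> Dict[int, dict]:
    """Group rule hits by parent PID and flag a parent whose children cover at
    least `min_techniques` distinct T1490 techniques. A single resize or list
    from an administrator never reaches that bar."""
    hits: Dict[int, Dict[str, set]] = defaultdict(lambda: {"techniques": set(), "children": set()})
    for pid, ppid, _image, cmdline in events:
        for name, _tid in classify(cmdline):
            hits[ppid]["techniques"].add(name)
            hits[ppid]["children"].add(pid)

    t1490 = {name for name, tid, _ in RULES if tid == "T1490"}
    verdicts: Dict[int, dict] = {}
    for ppid, h in hits.items():
        verdicts[ppid] = {
            "techniques": sorted(h["techniques"]),
            "child_pids": sorted(h["children"]),
            "flagged": len(h["techniques"] & t1490) >= min_techniques,
        }
    return verdicts


if __name__ == "__main__":
    for ppid, verdict in score_parents(parse_log(SAMPLE_LOG)).items():
        print(ppid, verdict)
```

Grouping by parent rather than alerting on each child is the point: every one of these utilities has a legitimate use on its own, but one process driving vssadmin, bcdedit, wbadmin and a self-delete within a couple of minutes does not. In this report that parent is PID 4880, and the verdict for it lists all seven techniques; PID 777's single resize stays below the bar.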

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\398EE64D66758B5715368AA94044B13A.keversen

      Filesize

      710B

      MD5

      31c5920536e892041123cc3552756b95

      SHA1

      3537449938f8fb73a9e37e79ed973270586ddaf3

      SHA256

      ccc671deb21fdf5ee401574f6573990509b11a1c1d3dda6aa61e8f85be7816be

      SHA512

      97deba22755862befdb5c53dee4fe0674421eae74f7608c2b394bbc4970c300cafe02e0e897b7efe27b3bb5945ff299c8fa361e9f4568242c152ba0b076609cd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.keversen

      Filesize

      850B

      MD5

      0eb6e1875269be11df9201496aff5a83

      SHA1

      878dd586c9b45c1dca1a52f9df96f4466e995048

      SHA256

      e3f71c19d7a60e2030c57e3d77183da83e7ac3e51707785d67c4a1636e25e748

      SHA512

      1b327bbec6adc3b4c91e9d2d265888110f966597605e82247d3bfb121188343ed4c4c6f154a47246d0074f157c13e8ac31583f0908511f694faad252bb3085bd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.keversen

      Filesize

      842B

      MD5

      e5ec6c3c57a2b3872912a4a8eb1e1004

      SHA1

      538204c8b668e4980477a4adefb999b108ef4f13

      SHA256

      e4799dc078e016952719338909f339b3ac38019a0a05206ce2e16393b0f5e6fc

      SHA512

      c3727fad1484fe53edfcd47ecf5024f9e08b42c7c03019ace72e24515ecd860774e77cea34f53e421676a9dd47b9560c5b429b390686c911b09f10290c74bc39

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.keversen

      Filesize

      770B

      MD5

      c0ec87ea5071471b443ece8bf23e86b7

      SHA1

      72600953fb557732c8d2710b0ca4d10ffb038452

      SHA256

      e5369e24eb34a96813bd9daa62fb63464640ff67cc605a4173a4a38b72709e2b

      SHA512

      10f04a0d8f41c4e11fbd886eb585e4e2ea1dab3e2663cbfdc1ba345072a14696670ad8032eda78851bcd46c128f294808add9551f976b5191eeaf751a39ea505

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.keversen

      Filesize

      842B

      MD5

      b00998e7184e9d4d4c79747441b2b3bb

      SHA1

      e42f1d6ce9c43ed673bcb46e5282ddbfc3ed540e

      SHA256

      0871cc581cd8610812795430819cbf48a081a7be7876674a5b7af0ea327247d8

      SHA512

      c7b3fa71a90cc649eee9f7bcf052f59c82ba170f5aef07df59683e4c04020cef92ab0539d6d47b7a7b306e635656fe065898a001c05920c9ceb8caa28eb0ee92

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      149KB

      MD5

      23c80d155e245ba8a6ceeec50b15746f

      SHA1

      144ddad37dc61843d8fe01a112d50382649fb554

      SHA256

      4f129e2ab632a5d65ac76389303df9de0e5df39ad187b49b9bdc59a985cd3dad

      SHA512

      66e956fcdd5dbce6a71a35f160cc4a0023997159ca95e5e496aa72f52790f048c67c92254997443b7902835098a3971059cad56438e55d7e25fb7d1ef3d083ca

    • C:\Windows\System32\catroot2\edb.log

      Filesize

      2.0MB

      MD5

      7ee5c1f681b959b8eff0c3e54f46976d

      SHA1

      8c7e2f9ee17db5a80bbc0603baef87583a343901

      SHA256

      f1e74880a14afba83a83e5274bfc8d18d3a84f441976dcf781a9ef86de147f5d

      SHA512

      a017e55a70e7167313dcfb17d8e435d2e0b6556d8874bb4ce55c38bd19c182aa4f4f34afb7081d6abfa25456e6adf5fc9d854c5b8c0269e3c4ce8a53335d3e1f

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

      Filesize

      814B

      MD5

      7f34ae4b60b3da7ababa8b129cc35fa6

      SHA1

      28e763c23fbdd863b41ca8ec9ee9460fb99fbfd6

      SHA256

      598e6c630e279f3dd1ee4fcfd77bdfce374a839fdbf5941b2ebece5c337f286f

      SHA512

      4917502265c4057e9888ef6d2f9a8cc2afb94be37f98fafd699ddcb619dd5170772129bc9d920f704098e5101789d4a11da04cdc24f338017e31f24cd0de71a1

    • memory/64-813-0x000001FE3C330000-0x000001FE3C331000-memory.dmp

      Filesize

      4KB

    • memory/64-850-0x000001FE3EC70000-0x000001FE3EC71000-memory.dmp

      Filesize

      4KB

    • memory/64-784-0x000001FE3B060000-0x000001FE3B061000-memory.dmp

      Filesize

      4KB

    • memory/64-785-0x000001FE3B190000-0x000001FE3B191000-memory.dmp

      Filesize

      4KB

    • memory/64-786-0x000001FE3B1B0000-0x000001FE3B1B1000-memory.dmp

      Filesize

      4KB

    • memory/64-779-0x000001FE3AF80000-0x000001FE3AF81000-memory.dmp

      Filesize

      4KB

    • memory/64-789-0x000001FE3B2E0000-0x000001FE3B2E1000-memory.dmp

      Filesize

      4KB

    • memory/64-790-0x000001FE3BF70000-0x000001FE3BF71000-memory.dmp

      Filesize

      4KB

    • memory/64-794-0x000001FE3C850000-0x000001FE3C851000-memory.dmp

      Filesize

      4KB

    • memory/64-801-0x000001FE3C850000-0x000001FE3C851000-memory.dmp

      Filesize

      4KB

    • memory/64-803-0x000001FE3CEF0000-0x000001FE3CEF1000-memory.dmp

      Filesize

      4KB

    • memory/64-804-0x000001FE3DBD0000-0x000001FE3DBD1000-memory.dmp

      Filesize

      4KB

    • memory/64-805-0x000001FE3DBD0000-0x000001FE3DBD1000-memory.dmp

      Filesize

      4KB

    • memory/64-807-0x000001FE3B6B0000-0x000001FE3B6B1000-memory.dmp

      Filesize

      4KB

    • memory/64-811-0x000001FE3E490000-0x000001FE3E491000-memory.dmp

      Filesize

      4KB

    • memory/64-812-0x000001FE3E490000-0x000001FE3E491000-memory.dmp

      Filesize

      4KB

    • memory/64-729-0x000001FE363A0000-0x000001FE363B0000-memory.dmp

      Filesize

      64KB

    • memory/64-815-0x000001FE3E960000-0x000001FE3E961000-memory.dmp

      Filesize

      4KB

    • memory/64-843-0x000001FE3EC70000-0x000001FE3EC71000-memory.dmp

      Filesize

      4KB

    • memory/64-782-0x000001FE3B060000-0x000001FE3B061000-memory.dmp

      Filesize

      4KB

    • memory/64-858-0x000001FE3F650000-0x000001FE3F651000-memory.dmp

      Filesize

      4KB

    • memory/64-868-0x000001FE3BA70000-0x000001FE3BA71000-memory.dmp

      Filesize

      4KB

    • memory/64-875-0x000001FE3BA70000-0x000001FE3BA71000-memory.dmp

      Filesize

      4KB

    • memory/64-1015-0x000001FE40660000-0x000001FE40661000-memory.dmp

      Filesize

      4KB

    • memory/64-1016-0x000001FE410B0000-0x000001FE410B1000-memory.dmp

      Filesize

      4KB

    • memory/64-1017-0x000001FE410B0000-0x000001FE410B1000-memory.dmp

      Filesize

      4KB

    • memory/64-1019-0x000001FE415A0000-0x000001FE415A1000-memory.dmp

      Filesize

      4KB

    • memory/64-1020-0x000001FE42610000-0x000001FE42611000-memory.dmp

      Filesize

      4KB

    • memory/64-1021-0x000001FE40970000-0x000001FE40971000-memory.dmp

      Filesize

      4KB

    • memory/64-1023-0x000001FE42650000-0x000001FE42651000-memory.dmp

      Filesize

      4KB

    • memory/64-1033-0x000001FE43010000-0x000001FE43011000-memory.dmp

      Filesize

      4KB

    • memory/64-1037-0x000001FE42030000-0x000001FE42031000-memory.dmp

      Filesize

      4KB

    • memory/64-1038-0x000001FE42030000-0x000001FE42031000-memory.dmp

      Filesize

      4KB

    • memory/64-1040-0x000001FE443F0000-0x000001FE443F1000-memory.dmp

      Filesize

      4KB

    • memory/64-778-0x000001FE3AF60000-0x000001FE3AF61000-memory.dmp

      Filesize

      4KB

    • memory/64-777-0x000001FE3AE20000-0x000001FE3AE21000-memory.dmp

      Filesize

      4KB

    • memory/64-775-0x000001FE3AE20000-0x000001FE3AE21000-memory.dmp

      Filesize

      4KB

    • memory/64-753-0x000001FE3AA40000-0x000001FE3AA41000-memory.dmp

      Filesize

      4KB

    • memory/64-745-0x000001FE3AD80000-0x000001FE3AD81000-memory.dmp

      Filesize

      4KB

    • memory/64-735-0x000001FE36950000-0x000001FE36960000-memory.dmp

      Filesize

      64KB