45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe
Size

231KB
MD5

aacef4e2151c264dc30963823bd3bb17
SHA1

9492c378a14e9606157145d49e35a9841383121d
SHA256

45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315
SHA512

30b14c06c8f21eb1db8f0ffd738258b0283a145c85ace85a298d397dd2618a74048835a7933ebbb27d7bea7887cb4070ba852e7282a7ae877b6613a8e91a72c1
SSDEEP

3072:ge9f4GwJqzPG927z6r7JGSxS0S4/J2cux2Ut8q7frsF1G1yH:z9fkgzP4HQSxSuJ2c/AnU1+yH

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2756	vssvc.exe
Token: SeRestorePrivilege	2756	vssvc.exe
Token: SeAuditPrivilege	2756	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeSecurityPrivilege	2720	WMIC.exe
Token: SeTakeOwnershipPrivilege	2720	WMIC.exe
Token: SeLoadDriverPrivilege	2720	WMIC.exe
Token: SeSystemProfilePrivilege	2720	WMIC.exe
Token: SeSystemtimePrivilege	2720	WMIC.exe
Token: SeProfSingleProcessPrivilege	2720	WMIC.exe
Token: SeIncBasePriorityPrivilege	2720	WMIC.exe
Token: SeCreatePagefilePrivilege	2720	WMIC.exe
Token: SeBackupPrivilege	2720	WMIC.exe
Token: SeRestorePrivilege	2720	WMIC.exe
Token: SeShutdownPrivilege	2720	WMIC.exe
Token: SeDebugPrivilege	2720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2720	WMIC.exe
Token: SeRemoteShutdownPrivilege	2720	WMIC.exe
Token: SeUndockPrivilege	2720	WMIC.exe
Token: SeManageVolumePrivilege	2720	WMIC.exe
Token: 33	2720	WMIC.exe
Token: 34	2720	WMIC.exe
Token: 35	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2720	WMIC.exe
Token: SeSecurityPrivilege	2720	WMIC.exe
Token: SeTakeOwnershipPrivilege	2720	WMIC.exe
Token: SeLoadDriverPrivilege	2720	WMIC.exe
Token: SeSystemProfilePrivilege	2720	WMIC.exe
Token: SeSystemtimePrivilege	2720	WMIC.exe
Token: SeProfSingleProcessPrivilege	2720	WMIC.exe
Token: SeIncBasePriorityPrivilege	2720	WMIC.exe
Token: SeCreatePagefilePrivilege	2720	WMIC.exe
Token: SeBackupPrivilege	2720	WMIC.exe
Token: SeRestorePrivilege	2720	WMIC.exe
Token: SeShutdownPrivilege	2720	WMIC.exe
Token: SeDebugPrivilege	2720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2720	WMIC.exe
Token: SeRemoteShutdownPrivilege	2720	WMIC.exe
Token: SeUndockPrivilege	2720	WMIC.exe
Token: SeManageVolumePrivilege	2720	WMIC.exe
Token: 33	2720	WMIC.exe
Token: 34	2720	WMIC.exe
Token: 35	2720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2724	WMIC.exe
Token: SeSecurityPrivilege	2724	WMIC.exe
Token: SeTakeOwnershipPrivilege	2724	WMIC.exe
Token: SeLoadDriverPrivilege	2724	WMIC.exe
Token: SeSystemProfilePrivilege	2724	WMIC.exe
Token: SeSystemtimePrivilege	2724	WMIC.exe
Token: SeProfSingleProcessPrivilege	2724	WMIC.exe
Token: SeIncBasePriorityPrivilege	2724	WMIC.exe
Token: SeCreatePagefilePrivilege	2724	WMIC.exe
Token: SeBackupPrivilege	2724	WMIC.exe
Token: SeRestorePrivilege	2724	WMIC.exe
Token: SeShutdownPrivilege	2724	WMIC.exe
Token: SeDebugPrivilege	2724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2724	WMIC.exe
Token: SeRemoteShutdownPrivilege	2724	WMIC.exe
Token: SeUndockPrivilege	2724	WMIC.exe
Token: SeManageVolumePrivilege	2724	WMIC.exe
Token: 33	2724	WMIC.exe
Token: 34	2724	WMIC.exe
Token: 35	2724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2724	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2524	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	32
PID 2224 wrote to memory of 2524	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	32
PID 2224 wrote to memory of 2524	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	32
PID 2224 wrote to memory of 2524	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	32
PID 2524 wrote to memory of 2720	2524	cmd.exe	33
PID 2524 wrote to memory of 2720	2524	cmd.exe	33
PID 2524 wrote to memory of 2720	2524	cmd.exe	33
PID 2224 wrote to memory of 2952	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	34
PID 2224 wrote to memory of 2952	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	34
PID 2224 wrote to memory of 2952	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	34
PID 2224 wrote to memory of 2952	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	34
PID 2952 wrote to memory of 2724	2952	cmd.exe	36
PID 2952 wrote to memory of 2724	2952	cmd.exe	36
PID 2952 wrote to memory of 2724	2952	cmd.exe	36
PID 2224 wrote to memory of 2552	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	37
PID 2224 wrote to memory of 2552	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	37
PID 2224 wrote to memory of 2552	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	37
PID 2224 wrote to memory of 2552	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	37
PID 2552 wrote to memory of 2588	2552	cmd.exe	39
PID 2552 wrote to memory of 2588	2552	cmd.exe	39
PID 2552 wrote to memory of 2588	2552	cmd.exe	39
PID 2224 wrote to memory of 2148	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	40
PID 2224 wrote to memory of 2148	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	40
PID 2224 wrote to memory of 2148	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	40
PID 2224 wrote to memory of 2148	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	40
PID 2148 wrote to memory of 1716	2148	cmd.exe	42
PID 2148 wrote to memory of 1716	2148	cmd.exe	42
PID 2148 wrote to memory of 1716	2148	cmd.exe	42
PID 2224 wrote to memory of 1116	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	43
PID 2224 wrote to memory of 1116	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	43
PID 2224 wrote to memory of 1116	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	43
PID 2224 wrote to memory of 1116	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	43
PID 1116 wrote to memory of 1080	1116	cmd.exe	45
PID 1116 wrote to memory of 1080	1116	cmd.exe	45
PID 1116 wrote to memory of 1080	1116	cmd.exe	45
PID 2224 wrote to memory of 1612	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	46
PID 2224 wrote to memory of 1612	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	46
PID 2224 wrote to memory of 1612	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	46
PID 2224 wrote to memory of 1612	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	46
PID 1612 wrote to memory of 2648	1612	cmd.exe	48
PID 1612 wrote to memory of 2648	1612	cmd.exe	48
PID 1612 wrote to memory of 2648	1612	cmd.exe	48
PID 2224 wrote to memory of 2976	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	49
PID 2224 wrote to memory of 2976	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	49
PID 2224 wrote to memory of 2976	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	49
PID 2224 wrote to memory of 2976	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	49
PID 2976 wrote to memory of 3052	2976	cmd.exe	51
PID 2976 wrote to memory of 3052	2976	cmd.exe	51
PID 2976 wrote to memory of 3052	2976	cmd.exe	51
PID 2224 wrote to memory of 808	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	52
PID 2224 wrote to memory of 808	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	52
PID 2224 wrote to memory of 808	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	52
PID 2224 wrote to memory of 808	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	52
PID 808 wrote to memory of 1972	808	cmd.exe	54
PID 808 wrote to memory of 1972	808	cmd.exe	54
PID 808 wrote to memory of 1972	808	cmd.exe	54
PID 2224 wrote to memory of 2164	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	55
PID 2224 wrote to memory of 2164	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	55
PID 2224 wrote to memory of 2164	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	55
PID 2224 wrote to memory of 2164	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	55
PID 2164 wrote to memory of 2844	2164	cmd.exe	57
PID 2164 wrote to memory of 2844	2164	cmd.exe	57
PID 2164 wrote to memory of 2844	2164	cmd.exe	57
PID 2224 wrote to memory of 1676	2224	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	58

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe
"C:\Users\Admin\AppData\Local\Temp\45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8FA44BFD-FA1F-4DCD-A4F6-14CC53CAD6FF}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8FA44BFD-FA1F-4DCD-A4F6-14CC53CAD6FF}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AFE72AC8-3EBD-47B2-92F7-E77F60ACD00D}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{AFE72AC8-3EBD-47B2-92F7-E77F60ACD00D}'" delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AEC120D-3A20-40DC-A758-BE46F7792880}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2AEC120D-3A20-40DC-A758-BE46F7792880}'" delete
    3⤵
    PID:2588
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73972E8B-40C0-45C3-BA36-3BB62C9895BB}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{73972E8B-40C0-45C3-BA36-3BB62C9895BB}'" delete
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14C3B7BB-E3D1-4A7F-B9D5-965B30494446}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{14C3B7BB-E3D1-4A7F-B9D5-965B30494446}'" delete
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFAE94FE-C833-4E3E-B01A-AB3865C49748}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{FFAE94FE-C833-4E3E-B01A-AB3865C49748}'" delete
    3⤵
    PID:2648
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8B94EBC-20A3-4F89-BBBE-7A96F17986E1}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E8B94EBC-20A3-4F89-BBBE-7A96F17986E1}'" delete
    3⤵
    PID:3052
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A96262D3-497F-4A7D-ADF1-16344B4C765A}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A96262D3-497F-4A7D-ADF1-16344B4C765A}'" delete
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79946AB7-635B-4BD2-B65D-B0F433D5F532}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{79946AB7-635B-4BD2-B65D-B0F433D5F532}'" delete
    3⤵
    PID:2844
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34FB718A-E541-46AC-AC9B-BDE963BA4D66}'" delete
  2⤵
  PID:1676
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{34FB718A-E541-46AC-AC9B-BDE963BA4D66}'" delete
    3⤵
    PID:1076
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{22BA0FD3-BE37-4C17-B5C1-843082C12E98}'" delete
  2⤵
  PID:2828
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{22BA0FD3-BE37-4C17-B5C1-843082C12E98}'" delete
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2CA557A7-8492-4072-B050-1535C2EB536D}'" delete
  2⤵
  PID:1340
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2CA557A7-8492-4072-B050-1535C2EB536D}'" delete
    3⤵
    PID:1196
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39226352-220B-4092-B154-9C7E9DB7975F}'" delete
  2⤵
  PID:1884
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39226352-220B-4092-B154-9C7E9DB7975F}'" delete
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B70D1643-3808-4053-81F7-D9906B42477B}'" delete
  2⤵
  PID:3024
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B70D1643-3808-4053-81F7-D9906B42477B}'" delete
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8161F8C4-8FCF-400F-A1A4-FFB329479019}'" delete
  2⤵
  PID:2024
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8161F8C4-8FCF-400F-A1A4-FFB329479019}'" delete
    3⤵
    PID:576
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D23619ED-D012-4195-AD2F-8E6B2C41E6FB}'" delete
  2⤵
  PID:2332
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D23619ED-D012-4195-AD2F-8E6B2C41E6FB}'" delete
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BB2020C-8D1D-4D87-B2B3-DB0468A02E37}'" delete
  2⤵
  PID:1172
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4BB2020C-8D1D-4D87-B2B3-DB0468A02E37}'" delete
    3⤵
    PID:944
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9502DCE-BF82-44AA-8729-B59C9539DE36}'" delete
  2⤵
  PID:1920
- - C:\Windows\System32\wbem\WMIC.exe
    C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9502DCE-BF82-44AA-8729-B59C9539DE36}'" delete
    3⤵
    PID:1296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads