45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe
Size

231KB
MD5

aacef4e2151c264dc30963823bd3bb17
SHA1

9492c378a14e9606157145d49e35a9841383121d
SHA256

45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315
SHA512

30b14c06c8f21eb1db8f0ffd738258b0283a145c85ace85a298d397dd2618a74048835a7933ebbb27d7bea7887cb4070ba852e7282a7ae877b6613a8e91a72c1
SSDEEP

3072:ge9f4GwJqzPG927z6r7JGSxS0S4/J2cux2Ut8q7frsF1G1yH:z9fkgzP4HQSxSuJ2c/AnU1+yH

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3412	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe
3412	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	624	vssvc.exe
Token: SeRestorePrivilege	624	vssvc.exe
Token: SeAuditPrivilege	624	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe
Token: 34	1524	WMIC.exe
Token: 35	1524	WMIC.exe
Token: 36	1524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe
Token: 34	1524	WMIC.exe
Token: 35	1524	WMIC.exe
Token: 36	1524	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 2576	3412	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	27
PID 3412 wrote to memory of 2576	3412	45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe	27
PID 2576 wrote to memory of 1524	2576	cmd.exe	24
PID 2576 wrote to memory of 1524	2576	cmd.exe	24

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe
"C:\Users\Admin\AppData\Local\Temp\45c317200e27e5c5692c59d06768ca2e7eeb446d6d495084f414d0f261f75315.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{452152C3-F185-4421-B80F-3194D0E6AA41}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{452152C3-F185-4421-B80F-3194D0E6AA41}'" delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads