fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3

Analysis

max time kernel
1s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 12:56

Target

fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe
Size

245KB
MD5

ea34ac6bf9e8a70bec84e37afeea458a
SHA1

fd443460ccd1110b0a77385f2f66a38d3f527966
SHA256

fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3
SHA512

d3bb774467813d0f1e0a8e046dc14a4b372bdd61a6c5448c3b296e09f5f9f7493167b82aa7a6824979154f538ba05178af23247c55e7688fa78414168c13dbfa
SSDEEP

3072:ZO459Ejzjz10wKaEcKBIacm6QBDOmkm9wXcIfGBF5UgbB67Z:T8HzKxhcKB0VQBLk7XcIkbkt

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe
2200	fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	4776	vssvc.exe
Token: SeRestorePrivilege	4776	vssvc.exe
Token: SeAuditPrivilege	4776	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3060	WMIC.exe
Token: SeSecurityPrivilege	3060	WMIC.exe
Token: SeTakeOwnershipPrivilege	3060	WMIC.exe
Token: SeLoadDriverPrivilege	3060	WMIC.exe
Token: SeSystemProfilePrivilege	3060	WMIC.exe
Token: SeSystemtimePrivilege	3060	WMIC.exe
Token: SeProfSingleProcessPrivilege	3060	WMIC.exe
Token: SeIncBasePriorityPrivilege	3060	WMIC.exe
Token: SeCreatePagefilePrivilege	3060	WMIC.exe
Token: SeBackupPrivilege	3060	WMIC.exe
Token: SeRestorePrivilege	3060	WMIC.exe
Token: SeShutdownPrivilege	3060	WMIC.exe
Token: SeDebugPrivilege	3060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3060	WMIC.exe
Token: SeRemoteShutdownPrivilege	3060	WMIC.exe
Token: SeUndockPrivilege	3060	WMIC.exe
Token: SeManageVolumePrivilege	3060	WMIC.exe
Token: 33	3060	WMIC.exe
Token: 34	3060	WMIC.exe
Token: 35	3060	WMIC.exe
Token: 36	3060	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4392	2200	fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe	34
PID 2200 wrote to memory of 4392	2200	fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe	34
PID 4392 wrote to memory of 3060	4392	cmd.exe	31
PID 4392 wrote to memory of 3060	4392	cmd.exe	31

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe
"C:\Users\Admin\AppData\Local\Temp\fb49b940570cfd241dea27ae768ac420e863d9f26c5d64f0d10aea4dd0bf0ce3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{452152C3-F185-4421-B80F-3194D0E6AA41}'" delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{452152C3-F185-4421-B80F-3194D0E6AA41}'" delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060