Overview

overview

10

Static

static

10

Alex-2023-...2).zip

windows7-x64

1

Alex-2023-...2).zip

windows10-2004-x64

1

037f9434e8...53.ps1

windows7-x64

1

037f9434e8...53.ps1

windows10-2004-x64

1

05194b34f8...d4.exe

windows7-x64

1

05194b34f8...d4.exe

windows10-2004-x64

1

1285e648ef...9709ff

ubuntu-18.04-amd64

3

159fbb0d04...783614

windows7-x64

1

159fbb0d04...783614

windows10-2004-x64

1

1db1c4bf74...e85efd

ubuntu-18.04-amd64

1

1db1c4bf74...e85efd

debian-9-armhf

1

1db1c4bf74...e85efd

debian-9-mips

1

1db1c4bf74...e85efd

debian-9-mipsel

1

29dd920ac1...e5.zip

windows7-x64

1

29dd920ac1...e5.zip

windows10-2004-x64

1

2001.exe

windows7-x64

9

2001.exe

windows10-2004-x64

9

2bb60b1a8a...21.exe

windows7-x64

10

2bb60b1a8a...21.exe

windows10-2004-x64

10

6698f8ffb7...880c94

windows7-x64

1

6698f8ffb7...880c94

windows10-2004-x64

1

6c109d098a...8e.exe

windows7-x64

10

6c109d098a...8e.exe

windows10-2004-x64

10

70d176272e...ef.exe

windows7-x64

1

70d176272e...ef.exe

windows10-2004-x64

1

742d89c0c1...a1.exe

windows7-x64

9

742d89c0c1...a1.exe

windows10-2004-x64

9

75cd1339c8...bc.zip

windows7-x64

1

75cd1339c8...bc.zip

windows10-2004-x64

1

Dimples#1337.jar

windows7-x64

1

Dimples#1337.jar

windows10-2004-x64

7

832e563eb3...0cee4c

windows7-x64

1

Analysis

  • max time kernel
    131s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2024 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2001.exe

  • Size

    138KB

  • MD5

    b9272a777740d1b5796cc6eaf7eff252

  • SHA1

    43526f39d742bb421ebe2514fa1e7bee2ec0f86d

  • SHA256

    df93154c63aeea6a56d0f2b4c89d424f38897c2a43d756495efa4cfa69f87aa4

  • SHA512

    2e19dd25e46400878b6fcecceb8a7f650a996e47f8b785f3a63e640710951a4a8fe6991842879d1959b65f59f25ccefc76b39bd9d46fa62e3acb5d5a481544bc

  • SSDEEP

    3072:1ZO75plD368W/5SeiLHpV3IhzfW+3g70XdlqgDuYUB/vemeeCLdJLVd:1C5px3HW/3iLHpV4hzu+jd7uYU5JexTd

Score
9/10
ransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (248) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2001.exe
    "C:\Users\Admin\AppData\Local\Temp\2001.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2760
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
        PID:2604
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:2592
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:2560
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:2568
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2208
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:2688
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2772

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\readme.txt
      Filesize

      472B

      MD5

      774c818da867b4e5c398d9e91f7d0e13

      SHA1

      02e630fe998b509df40acb50b52654c35e3a8820

      SHA256

      48a4aecf214e7745eaea70da94f24b592b1cdf085f9ee27c05f0cecf2bb189e9

      SHA512

      4ddc5ec9a3b7d89b5475949ed2e4444fb9e40551f903f29eca7553e565a21a9c8a54f899361d8ce85a7b406bb38f408733cf518bf77058803a2b806c26f4d593

      Download Submit