d7b21d35c8b924b9b59fbb4cb104c3e386a2cd2aec9eb9d149fd6f9cac9a4672

Analysis

max time kernel
590s
max time network
619s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Size

352KB
MD5

4f88b5e510ecbd0adefdfc87c552289c
SHA1

047ec67b8e3c001086284d7176b2d239db565fb5
SHA256

b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
SHA512

75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348
SSDEEP

6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
1628	dwa01.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
2532	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{67B97992-033F-589A-AA66-FFC16ECB2C0C} = "C:\\Users\\Admin\\AppData\\Roaming\\dwa01.exe"	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1088	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe
1628	dwa01.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	588	vssvc.exe
Token: SeRestorePrivilege	588	vssvc.exe
Token: SeAuditPrivilege	588	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1628	2532	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	29
PID 2532 wrote to memory of 1628	2532	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	29
PID 2532 wrote to memory of 1628	2532	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	29
PID 2532 wrote to memory of 1628	2532	b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe	29
PID 1628 wrote to memory of 1808	1628	dwa01.exe	30
PID 1628 wrote to memory of 1808	1628	dwa01.exe	30
PID 1628 wrote to memory of 1808	1628	dwa01.exe	30
PID 1628 wrote to memory of 1808	1628	dwa01.exe	30
PID 1628 wrote to memory of 332	1628	dwa01.exe	31
PID 1628 wrote to memory of 332	1628	dwa01.exe	31
PID 1628 wrote to memory of 332	1628	dwa01.exe	31
PID 1628 wrote to memory of 332	1628	dwa01.exe	31
PID 1628 wrote to memory of 2036	1628	dwa01.exe	33
PID 1628 wrote to memory of 2036	1628	dwa01.exe	33
PID 1628 wrote to memory of 2036	1628	dwa01.exe	33
PID 1628 wrote to memory of 2036	1628	dwa01.exe	33
PID 1808 wrote to memory of 1088	1808	cmd.exe	36
PID 1808 wrote to memory of 1088	1808	cmd.exe	36
PID 1808 wrote to memory of 1088	1808	cmd.exe	36
PID 1808 wrote to memory of 1088	1808	cmd.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
"C:\Users\Admin\AppData\Local\Temp\b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Roaming\dwa01.exe
  "C:\Users\Admin\AppData\Roaming\dwa01.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\dwa01.exe

Filesize
352KB

MD5
4f88b5e510ecbd0adefdfc87c552289c

SHA1
047ec67b8e3c001086284d7176b2d239db565fb5

SHA256
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273

SHA512
75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348

Download Submit
memory/1628-22-0x00000000020C0000-0x0000000002129000-memory.dmp

Filesize
420KB

Download
memory/1628-23-0x00000000020C0000-0x0000000002129000-memory.dmp

Filesize
420KB

Download
memory/1628-24-0x00000000020C0000-0x0000000002129000-memory.dmp

Filesize
420KB

Download
memory/1628-25-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1628-26-0x0000000003C10000-0x0000000003C40000-memory.dmp

Filesize
192KB

Download
memory/1628-36-0x0000000003C10000-0x0000000003C40000-memory.dmp

Filesize
192KB

Download
memory/1628-38-0x0000000003C10000-0x0000000003C40000-memory.dmp

Filesize
192KB

Download
memory/2532-0-0x0000000001F20000-0x0000000001F89000-memory.dmp

Filesize
420KB

Download
memory/2532-1-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2532-2-0x0000000001F20000-0x0000000001F89000-memory.dmp

Filesize
420KB

Download
memory/2532-3-0x0000000003D10000-0x0000000003D40000-memory.dmp

Filesize
192KB

Download