630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed

Resubmissions

05-01-2024 21:06

05-01-2024 21:06

31-12-2023 03:06

max time kernel
0s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 21:06

Target

630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed.exe
Size

225KB
MD5

3a087bb7ce04eef64a82958ee3507548
SHA1

ee0a57ac86e2d6e87e8a29109c984a44aab53296
SHA256

630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed
SHA512

4b314dd8b1992994b8194b6e729055feafb64f873b53289537a3d81f8a54929f5fc9a32bc134ffa3c44a71d7a7ded2f99af77459e3e186d7ccfadbba1747904e
SSDEEP

3072:n6syAG2L/wgMrxFSbY3Fq5dQWQC0F0+aLTZtjaPPZMtcdlrRMC/p2wc:6iG2EgwFSc3U5dv0FOTDaPPZME9Bc

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed.exe

pid	process
1344	630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed.exe
1344	630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	3232	vssvc.exe
Token: SeRestorePrivilege	3232	vssvc.exe
Token: SeAuditPrivilege	3232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5040	WMIC.exe
Token: SeSecurityPrivilege	5040	WMIC.exe
Token: SeTakeOwnershipPrivilege	5040	WMIC.exe
Token: SeLoadDriverPrivilege	5040	WMIC.exe
Token: SeSystemProfilePrivilege	5040	WMIC.exe
Token: SeSystemtimePrivilege	5040	WMIC.exe
Token: SeProfSingleProcessPrivilege	5040	WMIC.exe
Token: SeIncBasePriorityPrivilege	5040	WMIC.exe
Token: SeCreatePagefilePrivilege	5040	WMIC.exe
Token: SeBackupPrivilege	5040	WMIC.exe
Token: SeRestorePrivilege	5040	WMIC.exe
Token: SeShutdownPrivilege	5040	WMIC.exe
Token: SeDebugPrivilege	5040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5040	WMIC.exe
Token: SeRemoteShutdownPrivilege	5040	WMIC.exe
Token: SeUndockPrivilege	5040	WMIC.exe
Token: SeManageVolumePrivilege	5040	WMIC.exe
Token: 33	5040	WMIC.exe
Token: 34	5040	WMIC.exe
Token: 35	5040	WMIC.exe
Token: 36	5040	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed.execmd.exe

description	pid	process	target process
PID 1344 wrote to memory of 436	1344	630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed.exe	cmd.exe
PID 1344 wrote to memory of 436	1344	630f0ff24aeeae0c8f04383f3e193ac541ff07d371c584d1d8b2aa1f1d6492ed.exe	cmd.exe
PID 436 wrote to memory of 5040	436	cmd.exe	WMIC.exe
PID 436 wrote to memory of 5040	436	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AE3DAEE-CBFF-4ED4-B41E-A530010AD1E1}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AE3DAEE-CBFF-4ED4-B41E-A530010AD1E1}'" delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5040