6e567b610de23ee7623cc172d550268df53542d54910c400e85e3881f4447b5e

Resubmissions

09/01/2024, 12:57

240109-p6546ababj 9

09/01/2024, 12:55

240109-p6ay1sahhp 9

Analysis

max time kernel
0s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 12:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc.exe
Size

216KB
MD5

18baedf43f4a68455e8d36b657aff03c
SHA1

5770b7c3931f6ed12650ad27b7fb2bf0752b80dc
SHA256

9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc
SHA512

3c3161e2b209b7589be33be288076af6b0e81c000ab66f7eb184ce54114b7e4687cc33e95bc9daf8b61394d8f847f85858bf0c978dbf829c0cd1fd9620231d4e
SSDEEP

3072:h17DaAz38w3vQ7F6PFwgBZTGFKQ+avVe+gGooSlFC2OLKKZAFEMpo4Iv1k:Fb8JF6Pf2KQ+aVB2fJqh4Id

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 4 IoCs

pid	Process
3060	bcdedit.exe
748	bcdedit.exe
4808	bcdedit.exe
2248	bcdedit.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
8	vssadmin.exe
980	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1300	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1568	9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc.exe
1568	9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc.exe

C:\Users\Admin\AppData\Local\Temp\9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc.exe
"C:\Users\Admin\AppData\Local\Temp\9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
  2⤵
  PID:1820
- - C:\Windows\system32\bcdedit.exe
    bcdedit / set{ default } bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
  2⤵
  PID:2708
- - C:\Windows\system32\bcdedit.exe
    bcdedit / set{ default } recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
  2⤵
  PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:3896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
  2⤵
  PID:1016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
  2⤵
  PID:4700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
  2⤵
  PID:1140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:1176

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:8

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
1⤵
PID:3944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:468

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:980

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
1⤵
PID:3976

C:\Windows\system32\bcdedit.exe
bcdedit / set{ default } bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:4808

C:\Windows\system32\bcdedit.exe
bcdedit / set{ default } recoveryenabled No
1⤵
- Modifies boot configuration data using bcdedit
PID:2248

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WhatHappened.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\WhatHappened.txt

Filesize
1KB

MD5
b05e32b7e78e82f01f6f0c7d1411ee67

SHA1
2e1dda46f8561858b378d19a24b839062f794274

SHA256
f058bc2a88431119f286f2708751f25449dc1d58e1c87de3bb38aff764c814a8

SHA512
6cb7c842a48b9f982ac87280ded95e206e2b9055f9f51ea84f6060470a61a35decbb688650c0d6b7c318df018078af0c0a1afe0ce65db1b460d75ae7800e2d3c

Download Submit