Analysis
-
max time kernel
361s -
max time network
390s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
10-01-2024 04:05
General
-
Target
4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99.exe
-
Size
2.1MB
-
MD5
4f813698141cb7144786cdc6f629a92b
-
SHA1
69feda9188dbebc2d2efec5926eb2af23ab78c5d
-
SHA256
4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99
-
SHA512
578e445bb595fd36c5095092abb1bc49b1878550469eeb5c9af4d8bd7994fa6540de453e34ccf2759832deee184060a3cb8928afff879bb31f8cd2261195bde0
-
SSDEEP
24576:R+KpPzIzkQoU6TPF8mkoSW12GR7qMA6v0Xwq8UcNV++e/i5dv9jOlRJYzyiMAIQR:Bq9LmKKe36MmYJPAvIPtHzH2h4UC4qk
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99.exe"C:\Users\Admin\AppData\Local\Temp\4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exedelete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken