483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74

Resubmissions

31/03/2024, 07:20

240331-h5425sfh6t 10

14/01/2024, 09:31

240114-lg9t9sfgfj 9

Analysis

max time kernel
183s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe
Size

974KB
MD5

45d20637261dea248644a849818659a0
SHA1

29a81b7cf0f5f4a69fe47c4ccf3d06a300899997
SHA256

483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74
SHA512

a9c935eb23fba99ba74299db7b8ac3a158183d9fe9ccaaa87e8a1b9d39c518d223563378d981e6bf386f058b159609fb42e14ca45c023f7688ca57e0c61d2519
SSDEEP

12288:fFDF/UI+c+xTOQUMnufZUgxXu/VzcccSCO4lkAjx9h/MR1V:fjnb+OQUMnufZ+tzcccSCO6ke3/Mf

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (139) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Albabat\\wallpaper_albabat.jpg"	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1416	sc.exe
2360	sc.exe
616	sc.exe
1544	sc.exe
1580	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2700	vssadmin.exe

Kills process with taskkill 17 IoCs

evasion

pid	Process
344	taskkill.exe
3020	taskkill.exe
2864	taskkill.exe
1252	taskkill.exe
988	taskkill.exe
2168	taskkill.exe
2852	taskkill.exe
1272	taskkill.exe
2432	taskkill.exe
2268	taskkill.exe
2880	taskkill.exe
2536	taskkill.exe
2272	taskkill.exe
1976	taskkill.exe
1880	taskkill.exe
2524	taskkill.exe
1912	taskkill.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	1252	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeBackupPrivilege	2036	vssvc.exe
Token: SeRestorePrivilege	2036	vssvc.exe
Token: SeAuditPrivilege	2036	vssvc.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: 35	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 2700	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	31
PID 356 wrote to memory of 2700	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	31
PID 356 wrote to memory of 2700	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	31
PID 356 wrote to memory of 2752	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	29
PID 356 wrote to memory of 2752	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	29
PID 356 wrote to memory of 2752	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	29
PID 356 wrote to memory of 2740	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	32
PID 356 wrote to memory of 2740	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	32
PID 356 wrote to memory of 2740	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	32
PID 356 wrote to memory of 2928	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	33
PID 356 wrote to memory of 2928	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	33
PID 356 wrote to memory of 2928	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	33
PID 356 wrote to memory of 2760	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	87
PID 356 wrote to memory of 2760	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	87
PID 356 wrote to memory of 2760	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	87
PID 356 wrote to memory of 2676	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	86
PID 356 wrote to memory of 2676	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	86
PID 356 wrote to memory of 2676	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	86
PID 356 wrote to memory of 2800	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	85
PID 356 wrote to memory of 2800	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	85
PID 356 wrote to memory of 2800	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	85
PID 356 wrote to memory of 2420	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	35
PID 356 wrote to memory of 2420	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	35
PID 356 wrote to memory of 2420	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	35
PID 356 wrote to memory of 2924	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	84
PID 356 wrote to memory of 2924	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	84
PID 356 wrote to memory of 2924	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	84
PID 356 wrote to memory of 2712	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	83
PID 356 wrote to memory of 2712	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	83
PID 356 wrote to memory of 2712	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	83
PID 356 wrote to memory of 2884	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	81
PID 356 wrote to memory of 2884	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	81
PID 356 wrote to memory of 2884	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	81
PID 356 wrote to memory of 2576	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	80
PID 356 wrote to memory of 2576	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	80
PID 356 wrote to memory of 2576	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	80
PID 356 wrote to memory of 2572	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	78
PID 356 wrote to memory of 2572	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	78
PID 356 wrote to memory of 2572	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	78
PID 356 wrote to memory of 2724	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	76
PID 356 wrote to memory of 2724	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	76
PID 356 wrote to memory of 2724	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	76
PID 356 wrote to memory of 2596	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	75
PID 356 wrote to memory of 2596	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	75
PID 356 wrote to memory of 2596	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	75
PID 356 wrote to memory of 2604	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	61
PID 356 wrote to memory of 2604	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	61
PID 356 wrote to memory of 2604	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	61
PID 356 wrote to memory of 2552	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	36
PID 356 wrote to memory of 2552	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	36
PID 356 wrote to memory of 2552	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	36
PID 356 wrote to memory of 2112	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	60
PID 356 wrote to memory of 2112	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	60
PID 356 wrote to memory of 2112	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	60
PID 356 wrote to memory of 2620	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	58
PID 356 wrote to memory of 2620	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	58
PID 356 wrote to memory of 2620	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	58
PID 2800 wrote to memory of 2864	2800	cmd.exe	49
PID 2800 wrote to memory of 2864	2800	cmd.exe	49
PID 2800 wrote to memory of 2864	2800	cmd.exe	49
PID 2760 wrote to memory of 2880	2760	cmd.exe	48
PID 2760 wrote to memory of 2880	2760	cmd.exe	48
PID 2760 wrote to memory of 2880	2760	cmd.exe	48
PID 356 wrote to memory of 2896	356	483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe
"C:\Users\Admin\AppData\Local\Temp\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:356
- C:\Windows\system32\reg.exe
  "reg" add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 0
  2⤵
  PID:2752
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2700
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM taskmgr.exe
  2⤵
  PID:2740
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM code.exe
  2⤵
  PID:2928
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM code.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM mysqlworkbench.exe
  2⤵
  PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mysqlworkbench.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM msedge.exe
  2⤵
  PID:2552
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop postgresql-x64-15
  2⤵
  PID:2376
- - C:\Windows\system32\sc.exe
    sc stop postgresql-x64-15
    3⤵
    - Launches sc.exe
    PID:1416
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL80
  2⤵
  PID:2340
- - C:\Windows\system32\sc.exe
    sc stop MySQL80
    3⤵
    - Launches sc.exe
    PID:1544
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL57
  2⤵
  PID:3000
- - C:\Windows\system32\sc.exe
    sc stop MySQL57
    3⤵
    - Launches sc.exe
    PID:2360
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop postgresql-x64-14
  2⤵
  PID:2904
- - C:\Windows\system32\sc.exe
    sc stop postgresql-x64-14
    3⤵
    - Launches sc.exe
    PID:1580
- C:\Windows\system32\cmd.exe
  "cmd" /c sc stop MySQL82
  2⤵
  PID:2896
- - C:\Windows\system32\sc.exe
    sc stop MySQL82
    3⤵
    - Launches sc.exe
    PID:616
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM postgres.exe
  2⤵
  PID:2620
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM postgres.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM excel.exe
  2⤵
  PID:2112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM winword.exe
  2⤵
  PID:2604
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM cs2.exe
  2⤵
  PID:2596
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM onedrive.exe
  2⤵
  PID:2724
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM steam.exe
  2⤵
  PID:2572
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM powerpnt.exe
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM msaccess.exe
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM chrome.exe
  2⤵
  PID:2712
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM mspub.exe
  2⤵
  PID:2924
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM sublime_text.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM windowsterminal.exe
  2⤵
  PID:2676
- C:\Windows\system32\cmd.exe
  "cmd" /c taskkill /F /IM outlook.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- C:\Windows\system32\cmd.exe
  "cmd" /C "del C:\Users\Admin\AppData\Roaming\483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74.exe"
  2⤵
  PID:884

C:\Windows\system32\taskkill.exe
taskkill /F /IM outlook.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\taskkill.exe
taskkill /F /IM sublime_text.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\taskkill.exe
taskkill /F /IM windowsterminal.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\taskkill.exe
taskkill /F /IM mspub.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\taskkill.exe
taskkill /F /IM steam.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\taskkill.exe
taskkill /F /IM msaccess.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\taskkill.exe
taskkill /F /IM cs2.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\taskkill.exe
taskkill /F /IM onedrive.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\taskkill.exe
taskkill /F /IM powerpnt.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact