9babc90e51e36cf84d14ae6e8003412e4ef154cb886e685ef6737bd3c1bcb37a

General

Target

1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
Size

216KB
MD5

d0e6827c65a12b12a2694faf686c7a2f
SHA1

7c7bf8661237efbd03e40bc03eb204bf605a6878
SHA256

9babc90e51e36cf84d14ae6e8003412e4ef154cb886e685ef6737bd3c1bcb37a
SHA512

7eef8d9a14a7ac253f1dcff5cf613f22b6eb7285d517bf6d3d23dabb1b4b2baf72226db1721690a30f291d544dd0ff310d7a8114e530b3fbc3f7bea7cf9b8ab1
SSDEEP

3072:m17DaAz38w3v47F6PFwgBZTGFKQ+avVe+gGooSlFC2OLKKZAFEMpo4Iv1k:Gb8xF6Pf2KQ+aVB2fJqh4Id

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\I:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\A:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\G:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\J:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\B:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\E:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\Y:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\S:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\L:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\W:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\T:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\O:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\X:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\V:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\N:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\R:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\U:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\P:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\H:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\K:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\Z:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
File opened (read-only)	\??\M:	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe

Modifies boot configuration data using bcdedit 4 IoCs

pid	Process
2872	bcdedit.exe
2864	bcdedit.exe
1676	bcdedit.exe
2744	bcdedit.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2620	vssadmin.exe
2472	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2096	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	30
PID 1980 wrote to memory of 2096	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	30
PID 1980 wrote to memory of 2096	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	30
PID 1980 wrote to memory of 292	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	28
PID 1980 wrote to memory of 292	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	28
PID 1980 wrote to memory of 292	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	28
PID 1980 wrote to memory of 2768	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	27
PID 1980 wrote to memory of 2768	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	27
PID 1980 wrote to memory of 2768	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	27
PID 1980 wrote to memory of 2820	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	16
PID 1980 wrote to memory of 2820	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	16
PID 1980 wrote to memory of 2820	1980	1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe	16

C:\Users\Admin\AppData\Local\Temp\1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe
"C:\Users\Admin\AppData\Local\Temp\1f244618036218fe5bad01282f41a97a32ba879d4a8dd171ba698e98401859c1.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
  2⤵
  PID:2820
- - C:\Windows\system32\bcdedit.exe
    bcdedit / set{ default } bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
  2⤵
  PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
  2⤵
  PID:292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:2096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
  2⤵
  PID:2396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
  2⤵
  PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
  2⤵
  PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2848

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
1⤵
PID:2876

C:\Windows\system32\bcdedit.exe
bcdedit / set{ default } recoveryenabled No
1⤵
- Modifies boot configuration data using bcdedit
PID:2864

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2620

C:\Windows\system32\bcdedit.exe
bcdedit / set{ default } recoveryenabled No
1⤵
- Modifies boot configuration data using bcdedit
PID:1676

C:\Windows\system32\bcdedit.exe
bcdedit / set{ default } bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:2744

C:\Windows\System32\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
1⤵
PID:2524

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\WhatHappened.txt

Filesize
1KB

MD5
b05e32b7e78e82f01f6f0c7d1411ee67

SHA1
2e1dda46f8561858b378d19a24b839062f794274

SHA256
f058bc2a88431119f286f2708751f25449dc1d58e1c87de3bb38aff764c814a8

SHA512
6cb7c842a48b9f982ac87280ded95e206e2b9055f9f51ea84f6060470a61a35decbb688650c0d6b7c318df018078af0c0a1afe0ce65db1b460d75ae7800e2d3c

Download Submit

Analysis

Sharing