e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766

Analysis

max time kernel
92s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
Size

32KB
MD5

d513beb2bac27c307c3ac5a5a501dc66
SHA1

34adc018f611f65572dafed37518418832aad994
SHA256

e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766
SHA512

f09569379f22c24cc5d7e169404b85fd01ba93573098c729c84db89900982901c1f88c2cb29a9986490ba72487e3f0f917279672ee18354165fbb9d535c7cf5b
SSDEEP

768:C2gQ2nGtvZmI1yK0gEBYsuii6bEarouRwe2oTyoGETDA7vyWD2IpdN:qQh+I14gbm8uR1LAjdfrN

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1108	bcdedit.exe
4392	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3968	wbadmin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe\""	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1632	4368	WerFault.exe	23

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3296	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeBackupPrivilege	1824	vssvc.exe
Token: SeRestorePrivilege	1824	vssvc.exe
Token: SeAuditPrivilege	1824	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeSecurityPrivilege	3332	WMIC.exe
Token: SeTakeOwnershipPrivilege	3332	WMIC.exe
Token: SeLoadDriverPrivilege	3332	WMIC.exe
Token: SeSystemProfilePrivilege	3332	WMIC.exe
Token: SeSystemtimePrivilege	3332	WMIC.exe
Token: SeProfSingleProcessPrivilege	3332	WMIC.exe
Token: SeIncBasePriorityPrivilege	3332	WMIC.exe
Token: SeCreatePagefilePrivilege	3332	WMIC.exe
Token: SeBackupPrivilege	3332	WMIC.exe
Token: SeRestorePrivilege	3332	WMIC.exe
Token: SeShutdownPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	3332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3332	WMIC.exe
Token: SeRemoteShutdownPrivilege	3332	WMIC.exe
Token: SeUndockPrivilege	3332	WMIC.exe
Token: SeManageVolumePrivilege	3332	WMIC.exe
Token: 33	3332	WMIC.exe
Token: 34	3332	WMIC.exe
Token: 35	3332	WMIC.exe
Token: 36	3332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeSecurityPrivilege	3332	WMIC.exe
Token: SeTakeOwnershipPrivilege	3332	WMIC.exe
Token: SeLoadDriverPrivilege	3332	WMIC.exe
Token: SeSystemProfilePrivilege	3332	WMIC.exe
Token: SeSystemtimePrivilege	3332	WMIC.exe
Token: SeProfSingleProcessPrivilege	3332	WMIC.exe
Token: SeIncBasePriorityPrivilege	3332	WMIC.exe
Token: SeCreatePagefilePrivilege	3332	WMIC.exe
Token: SeBackupPrivilege	3332	WMIC.exe
Token: SeRestorePrivilege	3332	WMIC.exe
Token: SeShutdownPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	3332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3332	WMIC.exe
Token: SeRemoteShutdownPrivilege	3332	WMIC.exe
Token: SeUndockPrivilege	3332	WMIC.exe
Token: SeManageVolumePrivilege	3332	WMIC.exe
Token: 33	3332	WMIC.exe
Token: 34	3332	WMIC.exe
Token: 35	3332	WMIC.exe
Token: 36	3332	WMIC.exe
Token: SeBackupPrivilege	2232	wbengine.exe
Token: SeRestorePrivilege	2232	wbengine.exe
Token: SeSecurityPrivilege	2232	wbengine.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4992	4368	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe	70
PID 4368 wrote to memory of 4992	4368	e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe	70
PID 4992 wrote to memory of 3296	4992	cmd.exe	71
PID 4992 wrote to memory of 3296	4992	cmd.exe	71
PID 4992 wrote to memory of 3332	4992	cmd.exe	91
PID 4992 wrote to memory of 3332	4992	cmd.exe	91
PID 4992 wrote to memory of 4392	4992	cmd.exe	95
PID 4992 wrote to memory of 4392	4992	cmd.exe	95
PID 4992 wrote to memory of 1108	4992	cmd.exe	94
PID 4992 wrote to memory of 1108	4992	cmd.exe	94
PID 4992 wrote to memory of 3968	4992	cmd.exe	93
PID 4992 wrote to memory of 3968	4992	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
"C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe
  "C:\Users\Admin\AppData\Local\Temp\e40fbde08891baf1f1ce86d879d02a32d2a007368e65348155a298079e2b8766.exe" n4368
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3296
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3968
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1108
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 724
  2⤵
  - Program crash
  PID:1632