Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
04-02-2024 13:22
General
-
Target
VirusShare_c9ef69554082be3467df433a15e7ab45.exe
-
Size
321KB
-
MD5
c9ef69554082be3467df433a15e7ab45
-
SHA1
79c01bf85a712ddf6a4d54e9db281a8310a12c15
-
SHA256
0db818ad2b03a8003c1b923985b3cd74ed82272205b3372796b192d2661824ac
-
SHA512
13d818b734a9ee2d1cd2bda66ae6213f7fb7e9a74f0175ae37b85906816341e6224cdf1d5f57487e21b80d9782cee75db8acbd3752a303569fc8c6fa2598a4f9
-
SSDEEP
6144:cL42La41ctAaWLBbYcTDASiBdRIGt4MCZnsdbTo07BTT9OyIO:I42LasctABLBz/Udu04MEnsdbTo01VO8
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_oejbt.html
https://kb63vhjuk3wh4ex7.onion.to/CDBDF95AA8ABC5E0</a>
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\restore_files_oejbt.txt
http://qw2234duoiyu.h2fyr6785jhdhfg.com/CDBDF95AA8ABC5E0
http://awoeinf832as.wo49i277rnw.com/CDBDF95AA8ABC5E0
https://kb63vhjuk3wh4ex7.onion.to/CDBDF95AA8ABC5E0
http://kb63vhjuk3wh4ex7.onion/CDBDF95AA8ABC5E0
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (416) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_c9ef69554082be3467df433a15e7ab45.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_c9ef69554082be3467df433a15e7ab45.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\vcwbur.exeC:\Users\Admin\AppData\Roaming\vcwbur.exe2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RESTORE_FILES.HTML3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet3⤵
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwbur.exe >> NUL3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL2⤵
- Deletes itself
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD57b6e77637a98277fd685cfae0b493c85
SHA14783508c60ec6bd4030008d610ee65699e43f715
SHA2564b49988fc2173a3bc18ed6d7df05c15cbf698b087695b1df820f2a16e6921e1b
SHA5127bb30f6d94d8e1b19f0487dadc68a9b8f2df1cea7cff7ea16f772a19162969a97683750663414bc70891043daa88e29a85d1b650c54f3e9b4a61231c0db14342
-
Filesize
2KB
MD5d693d645a72cbe364a60688a42afa894
SHA130b09b98c7d36de431f44e69c439202bbefff7d2
SHA2563033ed9c4af2f321471ddcd04855cbcab866255f73271abb99cf85ae552b40c8
SHA512f39aaf76397ed27008f0b04f069761e4ae0a7c0d7947a5cd4edeaee4a8ac6520a45326f4bb3fe729953d52ae98042dc3419966ad689c2a343870feba35c79331
-
Filesize
5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
344B
MD5e377224935fa1ff92a1f93f3705ed923
SHA110af7828261a539288e31964d9d95fbeaa5d5006
SHA256ef9426cbebdcb2d359907c4c5c6878ddf12bb824ab7bce1e0495a9bf9aee7f42
SHA512e12902b91a4ca7ef25528ba5f286556b2a37afcbb93ada0b06cf62f179ebd42134b0e7d618d6491a3697e4700961b5ee6a960a6d0d06f891c9529785b5b2bb15
-
Filesize
344B
MD5a2cfd40d87fca565877888255fea0f9a
SHA11226bf8d60815de4340cce930273eba49882c634
SHA256b1c3d0489e9806b10a97aed118dafb8b0eeec25fef9a727f8c2fe1511f5cf3ff
SHA51263f347b3e0dbbdc55874a33ea61a1e0db150f03dd8ff50242429a7204a7ef4fce73007c72076a5a08fb1808e8c503bb78259bbab3d85c8d730890e6ba5aedd1f
-
Filesize
344B
MD56084641d657ece135244fc07f577059a
SHA14893df6283a565aee806f176a8f5101529deab37
SHA2565e9743c3b04108b59a9dd1308ac27ffbe2d79ad51e127918b89a115c81cabce5
SHA512231851e137bed2317b8054646fda6ad6474513cf26eb5c6c8cd05cde7797008a6d9e1a009f389fc4d0490129a0d2a549c2f624c4646801c38c79a8925f8bd297
-
Filesize
344B
MD5758a8715597f4bf46251bd406d8d97f6
SHA16749971af746034238c2c42e149f92a2c4eb2c52
SHA25604cfcfa299cbf103745bf56ce48383adb74687045132dc3ee78de4618a21fa9b
SHA5123cee7e2078934218789f3ada7ee7de94453204b927265a2dc4dbff95c7e9f0bd6aec464a41fc36e51754dd60d7a60c5ef66ffc5a5fd3a3cb6b0de9c646a6558b
-
Filesize
344B
MD50fc91b5cde9774424e8f7e94173e4e4c
SHA11a45f7ab5f935b37066d25591e398211302f0c18
SHA25697b800c27761c788aa01630e5e217bf0fac6e838678267ab419cfb3e51303c5f
SHA512a0f63e3a3e7823c91f1ef3f11283ec607a9f369e646f8f6c17b7a9a0f89977d196231707a9b9a1c736fabf7577eba50df12d9132a961aba48c1604d1a0ac05b0
-
Filesize
344B
MD5230c42e939ea593e41baee49039b4362
SHA1529bc0bdb2a6ce6e2168784a4ef62203de6410f1
SHA256708e24a17e68bf5e4ed27e960c41b3060f6528a86b5e163cd8d4bb84de063c0a
SHA5123f691c5f8545a8e3a9bacd01eb47b8c8ac8b19714c67029506c3edc9087deb5d7026fc0f3a66b7caafa5508dd68a344190bc7aed2683f61590d25e58810ee422
-
Filesize
344B
MD5ecb0f3b2304d81d676275ee8d4fb5c2c
SHA191b53a2ab6007447951d88fbad17a36fe4071a92
SHA25658287793e8147df19a9ba6f6d0c647b9f1fff35f8ff711603aa02ee70c520f97
SHA512fda53f03e9b035f136caa32ba119a7417a63d3f62a43746956f89c3063dcb295a96b38950376ab7d5c8eadd25370bcc5d931c523ad84b45d27361a24072fa97b
-
Filesize
344B
MD5a7138d75c15e7834b87272256080ee87
SHA1419f3077bdfff08f5c206edf5807e1314e020cf3
SHA2568e43bb702ce65914c73fafe1aca8c8b288a10a4159d605ea45bfa83522ff1f7c
SHA5124985f7f50b397811e62628a4aa5e7ba2ba835f039cfac0676dc4af62eba9b0c84d957110029d3c49e5f1f65299ab27e57d6fe96ade1ca1947a242080ce9c76ab
-
Filesize
344B
MD516c3936c5626af0b78c7798733686312
SHA1b56fbfe0c1f4da4612533d128f7feb14e100d51e
SHA256d612ec8fbb5f59df9f4cc83a142337ec321aecee949640b07065e6ecaa8cbe3d
SHA5124b85c6652daf5170f6d059e4f0008ae4ef6a5462388bc8709c1ac36dacc0f2d48eadf4e9685f2b02433e538b37bee72753f653e553fc2ef47ff85db83b2756fe
-
Filesize
344B
MD57feb415b6e6ec6d2003d8aa1a2f46bff
SHA1d2839bd40b96544b681bca8fc4250fa08ebb5a4e
SHA256cfad65248ac2d2b0a9eb9e6dcdfa7fa995ee2e3710d17f67e7f80cf1552ea44b
SHA512d7d15375561e499af543e3be12a871377ce08f7045f62d2a08c3270bfb0c09a5bb958da870a5a19bdb6c96938f1005116d50f26195afffdf972757ff195e4187
-
Filesize
344B
MD51c521e73e566e01c1b9b2fdd78e40b3d
SHA149f74ce5f39b6896cf902ae578640ea8513a961d
SHA256c483b70233c58e568d218870bcf9be445b51ec8351559c3fd33a33979bf9b7db
SHA512da17fc031bbf4762752631e8232969af1e306f7a161b516a475426a0081535d6fe89f7ac03f0a13df201c4e2307df8e6f32f0aaad48bc7022b81ce1c88c5686b
-
Filesize
344B
MD52126e0a38b7671092aa78d8426788a48
SHA1f74556d99d0334092bd58454257a0241462af10f
SHA2562bfaef4d52f1615d457246e38c6579a470f1f0ccd96e4a9a6d90f3803a3597df
SHA5128c2b2e8e0af9cfc45a95ba71a12eda36cf99ec6da17378cf6d92855dd441dcfe44e8d1de3a3c8e5e091c0c8c4b791dac24a604a3396434e3fd089de842c305f7
-
Filesize
344B
MD50da464ada7929752445088a298b25360
SHA1b80e81f030e18904128c2e3744eff41ac7c5616e
SHA256d992dea05039a2b185aa264de99a2ed4fd5c31707f336552eed5ad5848b1a5c5
SHA512fb1a5cd2fade2c42e6ec98c678c1be6f4cb2deffefda95843793e52f31657e2f73db916cb0823d873a31eaa457222786ea26da27e610f7a18040f030c34c605a
-
Filesize
344B
MD52ce212f573fb7bfe4e351a0127a69d5b
SHA1c062b8d3174d56acd87d588cfe679308c3ed79a1
SHA256cf248c5b513aee6b0e5ea9525d16e5fd8c48df64ad89e780ba437b5558b6a09a
SHA5125276a699127373113570e17ce8298f6a2965c6268c1a8b87363e4dfad0a109a6a050d7fdbdccb16c1611f291b010ad2d6b53189304ec56e1b258bb6f43ba17fe
-
Filesize
344B
MD5c7a682f7f2f6ec078700335ddbb88707
SHA13e8682412b89e3a3d9623b8bc269a2b26b56eaa9
SHA256ff2dce5b678870b62387bfaada6bc49424f6d09851a6459299b9af513f6c6e3a
SHA512a8f9f8d822f449e726e2f1b8d6956ec93c3ca857951b2bb8f029469cab5bfb12aca9031717dc64715d328f376b6d32172ab7c9558d309598c837617a8640ce47
-
Filesize
344B
MD5c74c0fc36a45fb7f3837b71a992a682c
SHA182208acbd42a256cd0194731d575889aeb013dbe
SHA2566ab6129d3eb61530f805d61ce711450d3f099ae0f209eda8b0857e9a1d249622
SHA5127dc5765dda19b767c3b686ca26b6a576f0b4a2babbe649321e2473e8af1f50948bfe37cc1ace82f32202e3d9a6fc5d617141ab75409b03f886d7af5690fb3591
-
Filesize
344B
MD53f3c89a5d1d0da741f68ef58a968b964
SHA1c1fa349d8bf4d355655f8afcd8c9ee49c9898d7a
SHA256ed383a8d565dd506a7de7fbf2b25e3af76d3dac7c6df23ced1836ac330b3d1d4
SHA51218813c4d00c5810c61abd73ac3208b5d6aceb6c22097d069c9c220a53f0cfea868ce84c47713ead40d8a5ac15ce3375b41f48dce17c5237dc149f4b7ec139f4f
-
Filesize
344B
MD58a408bfa578271a2f6bbc2b838cf5c95
SHA10fd5cba825467d54aa8fa39b1f132f44247346a5
SHA2562649f115b14aa6eef69375f65edf1c682b4b9992fa5f4fe6295a9e819ff4aaa1
SHA512593b7663cde23a6f5126837e3e5df2738413f4fc5825a5fbdeda4dcf377ce0bae9e26404397c0b9ca98b75658cd23a7aa9cd2f64a12f0ae26500ac9f528cbe4c
-
Filesize
344B
MD52051b9f7cac0cc688da5be9b9f22b6b8
SHA18428d00be7b326f35d74d4ecb7f3e8dd42270c28
SHA256bb82155a6012b145a23ae3b6039bea56a4c52d972f3b474ff1aae37729484c61
SHA512186fd2fb5191989d814e00bf228f9b04e267df563a598313e6c0fb6c5bd83a19492746a8c07bbe84ce71ffbed67db2613943a8ef9d799f785a5c9e16fa941b8a
-
Filesize
344B
MD54e5e066ad2810f5d165673a292e98f5f
SHA160cb95aa70e451d914e1e134ca28d8138a719fa9
SHA256087016820bc3e23c5ad8b3a8d17bd89c408311e5bb3bd6bd882bbb797e2cc8f7
SHA512db2854958a20c3f52078c70c8b3bc481f7fdfed8075a1319f1a075a3df3d140784e50a7692db50cdd5b37dcdfbaf5e20761224fdc1d022cf705d18d748fbbc1e
-
Filesize
344B
MD533643cfd8d2785f0bdd9d1e801bf42df
SHA1a31de951101983a3f5ceffe45cf061c82085eb11
SHA2564b05efab20952b039e4c22d07f9b5c98a560d820fab29427cab9f3555cb75c1c
SHA512e6491044b4c2026ccf04f8db09211829d64c18bc4f465dab4b4d52bb00cc428482ba0e421051570ee7ec3dd325a4a1d3cfbb34ca0d7fe13697bf4df6d892f0dd
-
Filesize
344B
MD5f2acc306a792a30c8ae0d6eeea9a82a3
SHA1dd7e00b0a577259c6cff3468b48c39b6b8dc4a38
SHA2560c8e6bd129026a6d999edff9e94683fee46c8cd76534def9b685b928fd0aee4d
SHA5128b9f2af40ee11780d0357dfa1d255f5457a3e565685f72d818b0bf06ce168b3493c35b082d0b559a4c11f23386c5c07755d34fa4135070bf267d5d1ad831b43e
-
Filesize
242B
MD5cffb6f375c9afbaf594effb61f710327
SHA18baf00ec86a222267411b9c679a4ffaf74a30428
SHA25649598af561273f7be8ee65aea38d7ad251e71756a2f0c423350ddd508e4fe41f
SHA5129b86609007bf7b0e8eccdd22017e6441f94389442ccb585fc00c4d722503b72c54c34e19591d3fe1f74b23e284df641e098966b2ee9813c2b641952513a4d080
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
321KB
MD5c9ef69554082be3467df433a15e7ab45
SHA179c01bf85a712ddf6a4d54e9db281a8310a12c15
SHA2560db818ad2b03a8003c1b923985b3cd74ed82272205b3372796b192d2661824ac
SHA51213d818b734a9ee2d1cd2bda66ae6213f7fb7e9a74f0175ae37b85906816341e6224cdf1d5f57487e21b80d9782cee75db8acbd3752a303569fc8c6fa2598a4f9
-
Filesize
1.9MB
MD5a0a50d8f988e1bdc047cd01e2ffd2416
SHA11dd122662d102a4ac76f9e93c08c40c793e8345b
SHA2563867133229af80a67b29e03b6529f88885d5dc82a9ccc6c902a9b106beffcacd
SHA512ecda409050f4048587499d603ed87af30dc8cb3d94cf71bd11af04bc3765abdc0c8d0dd61eafb8dfb49c10e2da34b6154bf662e57152d17a74090dc00bd53830
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
2.6MB
-
Filesize
16KB
-
Filesize
2.6MB
-
Filesize
8KB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
16KB
-
Filesize
2.6MB
