Overview

overview

10

Static

static

7

Ransomware...er.exe

windows10-2004-x64

8

Ransomware/7ev3n.exe

windows10-2004-x64

Ransomware...le.exe

windows10-2004-x64

Ransomware...it.exe

windows10-2004-x64

10

Ransomware/Birele.exe

windows10-2004-x64

10

Ransomware...r5.exe

windows10-2004-x64

8

Ransomware...us.exe

windows10-2004-x64

10

Ransomware...er.exe

windows10-2004-x64

10

Ransomware...ll.exe

windows10-2004-x64

7

Ransomware...ck.exe

windows10-2004-x64

7

Ransomware/Dharma.exe

windows10-2004-x64

9

Ransomware/Fantom.exe

windows10-2004-x64

10

Ransomware...ab.exe

windows10-2004-x64

7

Ransomware...ye.exe

windows10-2004-x64

10

Ransomware...Eye.js

windows10-2004-x64

10

Ransomware...pt.exe

windows10-2004-x64

10

Ransomware...en.exe

windows10-2004-x64

8

Ransomware...AZ.dll

windows10-2004-x64

3

Ransomware...om.exe

windows10-2004-x64

10

Ransomware...ya.exe

windows10-2004-x64

10

Ransomware...ap.exe

windows10-2004-x64

1

Ransomware....A.exe

windows10-2004-x64

6

Ransomware...om.exe

windows10-2004-x64

10

Ransomware...nt.exe

windows10-2004-x64

Ransomware...ot.exe

windows10-2004-x64

Ransomware/RedEye.exe

windows10-2004-x64

Ransomware...re.exe

windows10-2004-x64

7

Ransomware/Rokku.exe

windows10-2004-x64

10

Ransomware/Satana.exe

windows10-2004-x64

5

Ransomware/Seftad.exe

windows10-2004-x64

6

Ransomware...re.exe

windows10-2004-x64

10

Ransomware/UIWIX.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-uk
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows
  • submitted
    03-03-2024 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/SporaRansomware.exe

  • Size

    24KB

  • MD5

    4a4a6d26e6c8a7df0779b00a42240e7b

  • SHA1

    8072bada086040e07fa46ce8c12bf7c453c0e286

  • SHA256

    7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02

  • SHA512

    c7a7b15d8dbf8e8f8346a4dab083bb03565050281683820319906da4d23b97b39e88f841b30fc8bd690c179a8a54870238506ca60c0f533d34ac11850cdc1a95

  • SSDEEP

    384:akN70EPxIDesCUxvDuzbKGxc5X4LtOFV4U7vqydPNdG2l2Zk1mvlCnqA+PQ+O9G:vZPxIuQunKGxJ44OdPNc2lEfCnqA+PQ+

Score
10/10
evasionransomwarespywarestealer

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\SporaRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\SporaRansomware.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:384
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UKD12-B9XOT-XTATX-HTGTZ.HTML
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec25146f8,0x7ffec2514708,0x7ffec2514718
        3⤵
          PID:3064
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
          3⤵
            PID:2988
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1920
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
            3⤵
              PID:3596
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
              3⤵
                PID:5068
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
                3⤵
                  PID:4348
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
                  3⤵
                    PID:1184
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2368
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
                    3⤵
                      PID:2092
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
                      3⤵
                        PID:456
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
                        3⤵
                          PID:4416
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
                          3⤵
                            PID:4404
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,1699901282880248618,1197552170379607604,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 /prefetch:2
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1864
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                        1⤵
                        • Process spawned unexpected child process
                        PID:3784
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin.exe delete shadows /all /quiet
                          2⤵
                          • Interacts with shadow copies
                          PID:2916
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit.exe /set {default} recoveryenabled no
                          2⤵
                          • Modifies boot configuration data using bcdedit
                          PID:4972
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                          2⤵
                          • Modifies boot configuration data using bcdedit
                          PID:3932
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:2352
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:1552
                          • C:\Windows\system32\vssvc.exe
                            C:\Windows\system32\vssvc.exe
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1512

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Privilege Escalation

                          Defense Evasion

                          Indicator Removal

                          2
                          T1070

                          File Deletion

                          2
                          T1070.004

                          Credential Access

                          Unsecured Credentials

                          1
                          T1552

                          Credentials In Files

                          1
                          T1552.001

                          Discovery

                          Query Registry

                          2
                          T1012

                          System Information Discovery

                          3
                          T1082

                          Lateral Movement

                          Collection

                          Data from Local System

                          1
                          T1005

                          Exfiltration

                          Command and Control

                          Impact

                          Inhibit System Recovery

                          3
                          T1490

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            cbec32729772aa6c576e97df4fef48f5

                            SHA1

                            6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

                            SHA256

                            d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

                            SHA512

                            425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            279e783b0129b64a8529800a88fbf1ee

                            SHA1

                            204c62ec8cef8467e5729cad52adae293178744f

                            SHA256

                            3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

                            SHA512

                            32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            618cc74d041069229581976144844f91

                            SHA1

                            8289b84f3ff7545745b12fcb39a22254324bba62

                            SHA256

                            c36f6dd22f86c68c263c3d8746d643ba90519800d8800b3a905e6ffa898975c0

                            SHA512

                            61ab22b5226b100a6298444ec454123b7c34e7cc2582aa0614f1e8aede5836b1b4001d0b692980a686d5eba71cffcf7b04fd50c8b88206d1bd8c4729e9ff14d4

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            c58d100decf9f580ace887a80431bb7f

                            SHA1

                            272ff8bac405cd9cb4d6fbbdfa3431269ffc3c75

                            SHA256

                            686bddb10279ed9744626ca395de1ec9466fd54de230781f0dbfb66949766796

                            SHA512

                            0ff6bd753ff225c7ee9740345fd2eaf4f7e6ccc3eb957ec627241bbec589e5c55c98438178c83f01a14d9f778317c85b8fff0c72c4e2f15c147da5c5e5f391e7

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            a2c0afc67bd02a2cfd003f4259c287c2

                            SHA1

                            dda74be920fabef69a34f32c7975925c68515b31

                            SHA256

                            bcbb9a8e114df7c89e8d0f3669fd5513e74fc356cbc8fd5295f4b4edb896e14b

                            SHA512

                            725ccb758023524cf73115fac4b9bf8aac8260353ec04eddcd262fc2def7124e7262618352b9a9f336e2b30368d8d5d7d53b71ba47f7688ecec00f20b9e9246f

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\UKD12-B9XOT-XTATX-HTGTZ.HTML
                            Filesize

                            8KB

                            MD5

                            f9c1e37f529be11aa58a9801d2b7913c

                            SHA1

                            5a11d2bd830f191e9b5c552b6eae2e8418093018

                            SHA256

                            ae8618b261801de0f4f8c7c733b800f67a55fdba993b8556f059d2845e1b26f5

                            SHA512

                            560f11a83795c5c7352db7137f4c1b11845aebd51a0de33d4d3c42edfbd440ce10b1acc520f7210a2b045a3df2c440e6c6e0074625359736e41345f3709bf73d

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\UKD12-B9XOT-XTATX-HTGTZ.KEY
                            Filesize

                            1KB

                            MD5

                            8b41620a65228674d60a9e231ee65358

                            SHA1

                            195cfb46c6e26606eaf6a72d69454696d6516c71

                            SHA256

                            21b11d81a13d4c0aefc3ee97a5f6178bbe6b47388c1262d0b5ea5a661c2e20a7

                            SHA512

                            77a7f1b6ab0344999285b87b7594418dd1a133d1348408d9543b73772400f3d6378c1bd7e5ad6b7fc92bb1ccdf99631c797a6e55574b3c2e0cd9b4515445ad44

                            Download Submit
                          • C:\Users\Admin\AppData\Roaming\UKD12-B9XOT-XTATX-HTGTZ.LST
                            Filesize

                            2KB

                            MD5

                            ab955d8b7dd6edeb53f836c6423a095f

                            SHA1

                            7b86acdb7ccc13f4fb871673b7adcd23d370f18e

                            SHA256

                            a40761a54334099cf8e172f6f2031e069bbafc1e7088b992d90bc72fb567f4f2

                            SHA512

                            0435990bb863b998369e8ec792ce72c51cb2713cc61d2ea55a69a4437fa9af6d82f275ad45608c869f199135c826b6d6b58daf6c8037fbf138efdcdbf98897c0

                            Download Submit
                          • \??\pipe\LOCAL\crashpad_756_YKOXUBDYNTSNEHFD
                            MD5

                            d41d8cd98f00b204e9800998ecf8427e

                            SHA1

                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                            SHA256

                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                            SHA512

                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                            Download Submit
                          • memory/3424-0-0x0000000000400000-0x0000000000407200-memory.dmp
                            Filesize

                            28KB

                            Download
                          • memory/3424-145-0x0000000000400000-0x0000000000407200-memory.dmp
                            Filesize

                            28KB

                            Download