Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-03-2024 15:13
General
-
Target
fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
-
Size
121KB
-
MD5
eac0a08470ee67c63b14ae2ce7f6aa61
-
SHA1
285c0163376d5d9a5806364411652fe73424d571
-
SHA256
fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7
-
SHA512
f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5
-
SSDEEP
1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops desktop.ini file(s) 26 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop VVS3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop VVS4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wscsvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop wscsvc4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop WinDefend3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop wuauserv3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop BITS3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc stop BITS4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop ERSvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop ERSvc4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop WerSvc3⤵
-
C:\Windows\SysWOW64\sc.exesc stop WerSvc4⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exeC:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exeC:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT5⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\_HELP_INSTRUCTION.TXTFilesize
1KB
MD5f480f3c998a5f67a35659cf835b6198e
SHA1c87c6e95868517c1040adf5f07a1410f6b1093c7
SHA256896223c6736729eeb6ea5dbed5df3a784baef1a2bcc97b76ec33396135f55fb2
SHA5122fd2bbb7ce257ab2ff0c884dd837f38b60416adde92380797d7d463c03bfd4e18b12c3d1bf1c91eaccb6fbb42e5c2962d506f705f652b1c77e837bba3f889371
-
\Users\Admin\AppData\Roaming\BC1C9B74EA.exeFilesize
121KB
MD5eac0a08470ee67c63b14ae2ce7f6aa61
SHA1285c0163376d5d9a5806364411652fe73424d571
SHA256fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7
SHA512f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5
-
memory/1344-21-0x0000000000390000-0x0000000000490000-memory.dmpFilesize
1024KB
-
memory/1444-4-0x00000000005B0000-0x00000000006B0000-memory.dmpFilesize
1024KB
-
memory/1708-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1708-3-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/1708-6-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-80-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-100-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-35-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-40-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-45-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-50-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-55-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-60-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-65-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-70-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-75-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-29-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-85-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-90-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-95-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-31-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-105-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-26-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-121-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-127-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-134-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-140-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-145-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-147-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-149-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-151-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-153-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-155-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2332-614-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB