Overview

overview

10

Static

static

7

Ransomware...er.exe

windows10-2004-x64

8

Ransomware/7ev3n.exe

windows10-2004-x64

Ransomware...le.exe

windows10-2004-x64

Ransomware...it.exe

windows10-2004-x64

Ransomware/Birele.exe

windows10-2004-x64

10

Ransomware...r5.exe

windows10-2004-x64

8

Ransomware...us.exe

windows10-2004-x64

10

Ransomware...er.exe

windows10-2004-x64

10

Ransomware...ll.exe

windows10-2004-x64

7

Ransomware...ck.exe

windows10-2004-x64

7

Ransomware/Dharma.exe

windows10-2004-x64

9

Ransomware/Fantom.exe

windows10-2004-x64

10

Ransomware...ab.exe

windows10-2004-x64

10

Ransomware...ye.exe

windows10-2004-x64

10

Ransomware...Eye.js

windows10-2004-x64

10

Ransomware...pt.exe

windows10-2004-x64

10

Ransomware...en.exe

windows10-2004-x64

8

Ransomware...AZ.dll

windows10-2004-x64

3

Ransomware...om.exe

windows10-2004-x64

10

Ransomware...ya.exe

windows10-2004-x64

10

Ransomware...ap.exe

windows10-2004-x64

1

Ransomware....A.exe

windows10-2004-x64

6

Ransomware...om.exe

windows10-2004-x64

10

Ransomware...nt.exe

windows10-2004-x64

Ransomware...ot.exe

windows10-2004-x64

Ransomware/RedEye.exe

windows10-2004-x64

Ransomware...re.exe

windows10-2004-x64

7

Ransomware/Rokku.exe

windows10-2004-x64

10

Ransomware/Satana.exe

windows10-2004-x64

5

Ransomware/Seftad.exe

windows10-2004-x64

6

Ransomware...re.exe

windows10-2004-x64

10

Ransomware/UIWIX.dll

windows10-2004-x64

1

Resubmissions

18-03-2024 22:36

240318-2h9hwsba88 10

Analysis

  • max time kernel
    1694s
  • max time network
    1700s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-03-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ransomware/SporaRansomware.exe

  • Size

    24KB

  • MD5

    4a4a6d26e6c8a7df0779b00a42240e7b

  • SHA1

    8072bada086040e07fa46ce8c12bf7c453c0e286

  • SHA256

    7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02

  • SHA512

    c7a7b15d8dbf8e8f8346a4dab083bb03565050281683820319906da4d23b97b39e88f841b30fc8bd690c179a8a54870238506ca60c0f533d34ac11850cdc1a95

  • SSDEEP

    384:akN70EPxIDesCUxvDuzbKGxc5X4LtOFV4U7vqydPNdG2l2Zk1mvlCnqA+PQ+O9G:vZPxIuQunKGxJ44OdPNc2lEfCnqA+PQ+

Score
10/10
evasionransomwarespywarestealer

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\SporaRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\SporaRansomware.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3792
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.HTML
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca5da46f8,0x7ffca5da4708,0x7ffca5da4718
        3⤵
          PID:3332
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
          3⤵
            PID:2988
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2664
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
            3⤵
              PID:1004
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
              3⤵
                PID:4452
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
                3⤵
                  PID:2936
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
                  3⤵
                    PID:4124
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4716
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
                    3⤵
                      PID:4896
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
                      3⤵
                        PID:3736
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
                        3⤵
                          PID:5208
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                          3⤵
                            PID:5216
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12708624292935063371,1036968422176451442,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:5884
                      • C:\Windows\system32\cmd.exe
                        cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                        1⤵
                        • Process spawned unexpected child process
                        • Suspicious use of WriteProcessMemory
                        PID:3980
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin.exe delete shadows /all /quiet
                          2⤵
                          • Interacts with shadow copies
                          PID:4516
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit.exe /set {default} recoveryenabled no
                          2⤵
                          • Modifies boot configuration data using bcdedit
                          PID:1336
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                          2⤵
                          • Modifies boot configuration data using bcdedit
                          PID:996
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3144
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4396
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:732

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            f35bb0615bb9816f562b83304e456294

                            SHA1

                            1049e2bd3e1bbb4cea572467d7c4a96648659cb4

                            SHA256

                            05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

                            SHA512

                            db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            1eb86108cb8f5a956fdf48efbd5d06fe

                            SHA1

                            7b2b299f753798e4891df2d9cbf30f94b39ef924

                            SHA256

                            1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

                            SHA512

                            e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            4dc5b383e0284bc7ff0db72cee63b351

                            SHA1

                            b0220825398934baf5bd215f317093f99b2204cd

                            SHA256

                            1d7f9f1a6e92a7175e60558ae8284a07c37151b49660946f52d565fdb3e10e5a

                            SHA512

                            40e952f0bc4478815803546c6c9883e821b03014c4f897a5bd4f6c38f7b1841d5d101000b3228fa04d41fafcac37130afa5d99b3e4e39863c58e1a0dafc379ca

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            ded56525d3e7acb58398eaf59882470d

                            SHA1

                            71e4870e37ad36e10d2d4b86a083726a3addde2f

                            SHA256

                            b1bfb47e12be331c98c8a5d6cf4f888abb8c7cf0f496cd5d7f8962b46747a685

                            SHA512

                            c4c1ecce48f10925e74bbdaad38e1dbfadc5a7a6916c169e4d50467a9908f834c5ff1a0344cc73b3346302d4a4903b4d90ef2b5cf2de3d403765009a18b712ec

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            ec4e08c388f3408de95e13bafd7cf731

                            SHA1

                            553bc920489a0cc81b346ef846095450c08a16c0

                            SHA256

                            7aebb7c595c6edc1e8d796f52dc74a459b8c92c5bb2eb5e4513b5217ae7c6495

                            SHA512

                            250574de6dee1d50d4f07bf9e9a1183c23a9bc4ca1bd7b080cd3068c4482d9fc2705956f36fd89f39c54e3c279d6ca6e9ec44e648850ffa52ba1b9dac0efdcfe

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.HTML
                            Filesize

                            8KB

                            MD5

                            89ca7538ca80df8d671760a8c84aeab2

                            SHA1

                            3662d891390540978e740aa9b3e43c0101e73a34

                            SHA256

                            cf772df0abe3df9950267d67058358edfbe78b266b203fd0deea32a47104055d

                            SHA512

                            5c4a88a472a603867164c82eda15349310993ce4e6ca8c38ce7707cb54dc90687046894b8b26de44713145e6f1409db18bae333e70199b1a1b67d8a59d545f45

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.KEY
                            Filesize

                            1KB

                            MD5

                            624f33681028d101c5596d1967c0eef7

                            SHA1

                            fa3cc4e9051eaf2896f1184cbdabd7967c433324

                            SHA256

                            c1c1ceee63d15f149f8cf40809d930639205533b77a28d1c3d27427bf7c17bce

                            SHA512

                            7cb5310abd8d6301ed838f57bfb4d60d6e74cc9df9bbdf5e53d413cf34ca2c109d05b2e9139d481473e4c70a3adbdfa262de0b3d0065acae72f103397ed703f4

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\USBD1-44XZT-ZTZTX-HTXRT-ZYYYY.LST
                            Filesize

                            2KB

                            MD5

                            6f5298d50c722766adf9bd15e5f9b02c

                            SHA1

                            5f146c7f66f5ba2e128aaa5d38865a299a850f5d

                            SHA256

                            d518bf9d0faaa0c04861d034c118dd12f6dafb80efe4e705efbb42bd464fa5ec

                            SHA512

                            d0681522f4a3021240d355e69804f1ef17b5858e35ffc72576b7c990353fbcb61de07c28979658d0bb798ba0d15b0aff7761f882e73fbbdc13a463bad0d19f48

                            Download Submit

                          • memory/3700-0-0x0000000000400000-0x0000000000407200-memory.dmp

                            Filesize

                            28KB

                            Download

                          • memory/3700-142-0x0000000000400000-0x0000000000407200-memory.dmp

                            Filesize

                            28KB

                            Download