117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

General

Target

220629-p7hp9ahfel.exe
Size

7.7MB
MD5

a7ab0969bf6641cd0c7228ae95f6d217
SHA1

002971b6d178698bf7930b5b89c201750d80a07e
SHA256

117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
SHA512

7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a
SSDEEP

49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

220629-p7hp9ahfel.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*aster = "C:\\Users\\Public\\enc.exe"	220629-p7hp9ahfel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2552 vssadmin.exe

pid	process
2552	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

220629-p7hp9ahfel.exe

pid	process
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe
2500	220629-p7hp9ahfel.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

220629-p7hp9ahfel.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2500	220629-p7hp9ahfel.exe
Token: SeBackupPrivilege	2560	vssvc.exe
Token: SeRestorePrivilege	2560	vssvc.exe
Token: SeAuditPrivilege	2560	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

220629-p7hp9ahfel.execmd.exe

description	pid	process	target process
PID 2500 wrote to memory of 2528	2500	220629-p7hp9ahfel.exe	cmd.exe
PID 2500 wrote to memory of 2528	2500	220629-p7hp9ahfel.exe	cmd.exe
PID 2500 wrote to memory of 2528	2500	220629-p7hp9ahfel.exe	cmd.exe
PID 2528 wrote to memory of 2552	2528	cmd.exe	vssadmin.exe
PID 2528 wrote to memory of 2552	2528	cmd.exe	vssadmin.exe
PID 2528 wrote to memory of 2552	2528	cmd.exe	vssadmin.exe
PID 2500 wrote to memory of 812	2500	220629-p7hp9ahfel.exe	svchost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\220629-p7hp9ahfel.exe
"C:\Users\Admin\AppData\Local\Temp\220629-p7hp9ahfel.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2528