bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f

General

Target

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
Size

1.0MB
MD5

cd4a0b371cd7dc9dab6b442b0583550c
SHA1

0612c1ed908bcd754d31edb662ada2c88431e8c2
SHA256

bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f
SHA512

6d843ea93fed3c7475863abdd8d86bef559d700111d03e7b4827d4ff4777ab1c98bbb08880219e82deff4cd76135f8a74edb9437c301f7ec9cb8a2f31b5bae02
SSDEEP

24576:lrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaozQ:l2EYTb8atv1orq+pEiSDTj1VyvBao

Score

9^/10

evasion ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2880 bcdedit.exe
2308 bcdedit.exe

pid	process
2880	bcdedit.exe
2308	bcdedit.exe

Drops desktop.ini file(s) 14 IoCs

Processes:

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

description	ioc	process
File opened (read-only)	\??\e:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\j:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\k:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\l:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\r:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\x:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\z:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\g:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\i:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\m:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\o:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\p:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\u:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\a:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\h:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\n:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\q:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\t:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\v:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\b:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\s:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\w:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\y:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\F:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

Drops file in Program Files directory 5 IoCs

Processes:

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

description	ioc	process
File created	C:\PROGRA~1\COMMON~1\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\PROGRA~1\COMMON~1\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\PROGRA~1\COMMON~1\log.txt	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File created	C:\PROGRA~1\COMMON~1\928766446928766446	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\PROGRA~1\COMMON~1\644667829	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2592 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2680 vssadmin.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WITHOU~1.EXE

pid process

1276 WITHOU~1.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2376 vssvc.exe
Token: SeRestorePrivilege 2376 vssvc.exe
Token: SeAuditPrivilege 2376 vssvc.exe

pid	process
2592	schtasks.exe

pid	process
2680	vssadmin.exe

pid	process
1276	WITHOU~1.EXE

description	pid	process
Token: SeBackupPrivilege	2376	vssvc.exe
Token: SeRestorePrivilege	2376	vssvc.exe
Token: SeAuditPrivilege	2376	vssvc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2908 wrote to memory of 2720	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2720	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2720	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2720 wrote to memory of 2592	2720	cmd.exe	schtasks.exe
PID 2720 wrote to memory of 2592	2720	cmd.exe	schtasks.exe
PID 2720 wrote to memory of 2592	2720	cmd.exe	schtasks.exe
PID 2908 wrote to memory of 2556	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2556	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2556	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2632	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2632	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2632	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2760	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2760	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2908 wrote to memory of 2760	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 2556 wrote to memory of 2924	2556	cmd.exe	cmd.exe
PID 2556 wrote to memory of 2924	2556	cmd.exe	cmd.exe
PID 2556 wrote to memory of 2924	2556	cmd.exe	cmd.exe
PID 2760 wrote to memory of 2884	2760	cmd.exe	cmd.exe
PID 2760 wrote to memory of 2884	2760	cmd.exe	cmd.exe
PID 2760 wrote to memory of 2884	2760	cmd.exe	cmd.exe
PID 2556 wrote to memory of 2680	2556	cmd.exe	vssadmin.exe
PID 2556 wrote to memory of 2680	2556	cmd.exe	vssadmin.exe
PID 2556 wrote to memory of 2680	2556	cmd.exe	vssadmin.exe
PID 2632 wrote to memory of 2128	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2128	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2128	2632	cmd.exe	cmd.exe
PID 2760 wrote to memory of 2880	2760	cmd.exe	bcdedit.exe
PID 2760 wrote to memory of 2880	2760	cmd.exe	bcdedit.exe
PID 2760 wrote to memory of 2880	2760	cmd.exe	bcdedit.exe
PID 2632 wrote to memory of 2308	2632	cmd.exe	bcdedit.exe
PID 2632 wrote to memory of 2308	2632	cmd.exe	bcdedit.exe
PID 2632 wrote to memory of 2308	2632	cmd.exe	bcdedit.exe
PID 2908 wrote to memory of 1276	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	WITHOU~1.EXE
PID 2908 wrote to memory of 1276	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	WITHOU~1.EXE
PID 2908 wrote to memory of 1276	2908	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	WITHOU~1.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
"C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 928766446 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE
2⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn 928766446 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE
3⤵
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 8405009|vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 8405009"
3⤵
PID:2924

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 6096844|bcdedit /set {default} recoveryenabled No
2⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 6096844"
3⤵
PID:2128

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 7450420|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 7450420"
3⤵
PID:2884

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2880

C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE
C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\644667829
Filesize
16B

MD5
4af22e43f15ad1f6665a588ddba7b8d1

SHA1
a2a05244cc61227683ad87525fdde08b9b99badc

SHA256
c8465b12ce2cb7d8ffb5fc36c73aa0c23b5eccce86241a9988dbf810e2ca0c3f

SHA512
7153f7fdd3c482f3eaf1ac1eeec789533b78c629f2aa1879c604e2b05631199e4af4eda13f451f165bbe3063edafdf87479521c953bfe6ad7118429999f8063e

Download Submit
C:\PROGRA~1\COMMON~1\log.txt
Filesize
4KB

MD5
e33884a2250a417f3907a885f7e76864

SHA1
098070c2a6723772f8f9cbb1ed34458f909cdc31

SHA256
65f715ef134b1aea342ad1f86607ad926642dfaebea22ba34c3cd805d5672a9b

SHA512
2f69e423c09dcc55367f144a659ca6b78603c09d6a80631cc0ba3cfc181d63414482dad4791988047c9e428cd5be27186b82ff0097780214215516092cb77466

Download Submit
C:\PROGRA~1\COMMON~1\log.txt
Filesize
647B

MD5
6859e6a8fb8ef8a73239cc5e536d0552

SHA1
03d47f1ab4c1e83b3c532d06bf477f7cd1266687

SHA256
ac9bb3f8bd1731b3b61e6bfbe744d3c5389466b2281b0e566a70b2f1829e8762

SHA512
b56dd030d839ae2766f8a386203c87e3a0b36f9b4d25fe17370d35b361f24e62508b25903b660c470d8bf0e3a1af29b337024380b24a083588466d76f6aa1b37

Download Submit
C:\PROGRA~1\COMMON~1\log.txt
Filesize
10KB

MD5
d6a73e42b405cac2dbefed36851b320d

SHA1
7f89ffb1f99db6306f9914e1aafc7f5f1104bbc5

SHA256
05825dfa4d3e4fb43301a1998628957dd8c709c3343b870472626664a5675745

SHA512
cd6575792d257a05a2f84c495b3703da4be541ea33dcf83c7803aff59ec9b000a7faca4c5ba0126797e7df40afa51912ef593751ee50495c0b8ccd7ca0b6397f

Download Submit
C:\Users\Admin\Desktop\ExitRename.tif
Filesize
588KB

MD5
898a7c95bde9c0823577cdc1945d7e8d

SHA1
2caff9a89e1f7e054b1034b49e8e9273e91bfe07

SHA256
c0505cd6fbdc226acaece4318ab59e9b9f3c30f746fd0c0968f6b03ddb96dcaa

SHA512
7d398af274e1fc4eec545ff222fae46c763842ae9ecb1c4dfb680e37fc82fbe7d749b84e918eab8cdb6c973b958e3efd0b1e37e13e0642343be7f595a338bbe8

Download Submit
C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url
Filesize
133B

MD5
b85026155b964b6f3a883c9a8b62dfe3

SHA1
5c38290813cd155c68773c19b0dd5371b7b1c337

SHA256
57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f

SHA512
c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads