Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system -
submitted
28-03-2024 10:05
Static task
static1
Behavioral task
behavioral1
Sample
without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
Resource
win10v2004-20240226-en
General
-
Target
without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
-
Size
1.0MB
-
MD5
cd4a0b371cd7dc9dab6b442b0583550c
-
SHA1
0612c1ed908bcd754d31edb662ada2c88431e8c2
-
SHA256
bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f
-
SHA512
6d843ea93fed3c7475863abdd8d86bef559d700111d03e7b4827d4ff4777ab1c98bbb08880219e82deff4cd76135f8a74edb9437c301f7ec9cb8a2f31b5bae02
-
SSDEEP
24576:lrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaozQ:l2EYTb8atv1orq+pEiSDTj1VyvBao
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
PID 2880 bcdedit.exe
PID 2308 bcdedit.exe
-
Drops desktop.ini file(s) 14 IoCs
Processes:
All entries are "File opened for modification" by without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe:
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
All entries are "File opened (read-only)" by without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe, in the order logged:
\??\e:  \??\j:  \??\k:  \??\l:  \??\r:  \??\x:  \??\z:  \??\g:
\??\i:  \??\m:  \??\o:  \??\p:  \??\u:  \??\a:  \??\h:  \??\n:
\??\q:  \??\t:  \??\v:  \??\b:  \??\s:  \??\w:  \??\y:  \??\F:
That is every drive letter from a: to z: except c: (the system volume) and d:, which is the usual pattern of a sample walking the whole letter range looking for mounted volumes and network shares to encrypt.
-
Drops file in Program Files directory 5 IoCs
Processes:
All entries are by without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe (C:\PROGRA~1\COMMON~1\ is the 8.3 short path of C:\Program Files\Common Files\):
File created: C:\PROGRA~1\COMMON~1\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe (a copy of the sample itself; this is the path the scheduled task below points at)
File opened for modification: C:\PROGRA~1\COMMON~1\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification: C:\PROGRA~1\COMMON~1\log.txt
File created: C:\PROGRA~1\COMMON~1\928766446928766446 (the numeric task name 928766446, repeated)
File opened for modification: C:\PROGRA~1\COMMON~1\644667829
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
PID 2680 vssadmin.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID 1276 WITHOU~1.EXE
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
PID 2376 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (vssvc.exe is the Volume Shadow Copy service, which services the vssadmin request; this privilege use is normal for the service, not sample code)
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
Each parent-to-child write below is logged three times in the raw report (12 distinct pairs, 36 IoCs). Source PID -> target PID, source process -> target process:
2908 -> 2720  without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe -> cmd.exe
2720 -> 2592  cmd.exe -> schtasks.exe
2908 -> 2556  without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe -> cmd.exe
2908 -> 2632  without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe -> cmd.exe
2908 -> 2760  without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe -> cmd.exe
2556 -> 2924  cmd.exe -> cmd.exe
2760 -> 2884  cmd.exe -> cmd.exe
2556 -> 2680  cmd.exe -> vssadmin.exe
2632 -> 2128  cmd.exe -> cmd.exe
2760 -> 2880  cmd.exe -> bcdedit.exe
2632 -> 2308  cmd.exe -> bcdedit.exe
2908 -> 1276  without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe -> WITHOU~1.EXE
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe (PID 2908)
  "C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2720)
    C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 928766446 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2592)
      schtasks /create /sc onlogon /tn 928766446 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE
      - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe (PID 2556)
    C:\Windows\system32\cmd.exe /C title 8405009|vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2924)
      C:\Windows\system32\cmd.exe /S /D /c" title 8405009"
    - C:\Windows\system32\vssadmin.exe (PID 2680)
      vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C title 6096844|bcdedit /set {default} recoveryenabled No
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" title 6096844"
    - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C title 7450420|bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" title 7450420"
    - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
  - C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE (PID 1276)
    C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE
    - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\vssvc.exe (PID 2376)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the three recovery-inhibition commands are each wrapped as cmd /C title <number>|<tool>, which pipes a do-nothing console-title command into the real tool. The child cmd /S /D /c" title ..." processes are the left side of that pipe; only vssadmin.exe and bcdedit.exe do anything. Taken together the chain (1) registers a scheduled task named 928766446 that runs the copy dropped in C:\Program Files\Common Files at every logon with highest privileges, (2) deletes all volume shadow copies, (3) turns off Windows Recovery Environment for the default boot entry and tells the boot loader to ignore boot failures, so the system will not offer automatic repair after the encryption run. The sample then relaunches itself from Temp by its 8.3 short name WITHOU~1.EXE (the same file, not the Program Files copy). vssvc.exe is the Volume Shadow Copy service handling the vssadmin request, not a sample process. On a live host the recoverable artifacts are the task (schtasks /query /tn 928766446), the two bcdedit settings (bcdedit /enum {default}), and the files under C:\Program Files\Common Files listed in Downloads below.
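Detection logic for the command-line patterns in the tree above, as an added example that is not part of the sandbox report. It classifies process-creation events by command line and attributes every finding to the root of its process chain, so the vssadmin, bcdedit and schtasks activity is tied back to the sample rather than to the intermediate cmd.exe. The events are constructed from the tree (PIDs reused for readability; the launcher PID 1000 and the two benign admin events are invented), and the rules go slightly beyond the report by also matching wmic shadowcopy delete and wbadmin delete catalog, which this sample does not use.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed process-creation events (pid, ppid, command line) modelled on the sandbox tree.
# They are sample input for the detector, not sandbox output. ppid 1000 is a hypothetical launcher;
# the last two events are invented benign admin activity that must not fire.
EVENTS = [
    (2908, 1000, r'"C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe"'),
    (2720, 2908, r'C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 928766446 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE'),
    (2592, 2720, r'schtasks /create /sc onlogon /tn 928766446 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE'),
    (2556, 2908, r'C:\Windows\system32\cmd.exe /C title 8405009|vssadmin.exe Delete Shadows /All /Quiet'),
    (2924, 2556, r'C:\Windows\system32\cmd.exe /S /D /c" title 8405009"'),
    (2680, 2556, r'vssadmin.exe Delete Shadows /All /Quiet'),
    (2632, 2908, r'C:\Windows\system32\cmd.exe /C title 6096844|bcdedit /set {default} recoveryenabled No'),
    (2308, 2632, r'bcdedit /set {default} recoveryenabled No'),
    (2760, 2908, r'C:\Windows\system32\cmd.exe /C title 7450420|bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (2880, 2760, r'bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (1276, 2908, r'C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE'),
    (4100, 1000, r'cmd.exe /c vssadmin list shadows'),                                   # benign: listing, not deleting
    (4200, 1000, r'schtasks /create /sc daily /tn NightlyBackup /tr C:\Tools\backup.exe'),  # benign: not onlogon/highest
]

I = re.IGNORECASE
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", I),
        re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete\b", I),   # not in this report; common sibling
        re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog\b", I),    # not in this report; common sibling
    ],
    "recovery_disabled": [re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", I)],
    "boot_status_policy": [re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", I)],
    # cmd /C title <n>|<tool>: a no-op console title piped into the real tool, as seen in the tree
    "cmd_title_pipe_wrapper": [re.compile(r"cmd(?:\.exe)?\s+/c\s+title\s+\S+\s*\|", I)],
}
INHIBIT_RECOVERY = {"shadow_copy_deletion", "recovery_disabled", "boot_status_policy"}


def _onlogon_highest_task(cmdline: str) -> bool:
    """schtasks /create with both /sc onlogon and /rl highest, regardless of argument order."""
    return bool(re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, I)
                and re.search(r"/sc\s+onlogon\b", cmdline, I)
                and re.search(r"/rl\s+highest\b", cmdline, I))


def classify(cmdline: str) -> set[str]:
    """Return the set of indicator tags a single command line triggers (empty set if none)."""
    tags = {tag for tag, patterns in RULES.items() if any(p.search(cmdline) for p in patterns)}
    if _onlogon_highest_task(cmdline):
        tags.add("onlogon_task_highest")
    return tags


def root_of(pid: int, parent: dict[int, int]) -> int:
    """Climb the ppid chain until the parent is not itself a logged process."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def analyze(events: list[tuple[int, int, str]]) -> dict[int, set[str]]:
    """Merge the tags of every process in a chain onto the chain's root PID."""
    parent = {pid: ppid for pid, ppid, _ in events}
    by_root: dict[int, set[str]] = defaultdict(set)
    for pid, _, cmdline in events:
        by_root[root_of(pid, parent)] |= classify(cmdline)
    return dict(by_root)


def verdict(tags: set[str]) -> str:
    """Two recovery-inhibition indicators, or one plus privileged logon persistence, from one root."""
    hits = len(tags & INHIBIT_RECOVERY)
    if hits >= 2 or (hits >= 1 and "onlogon_task_highest" in tags):
        return "ransomware-like"
    return "suspicious" if tags else "clean"


if __name__ == "__main__":
    for root, tags in sorted(analyze(EVENTS).items()):
        print(f"root PID {root}: {verdict(tags)} {sorted(tags)}")
```

The chain attribution is the part worth copying: a rule that only looks at bcdedit.exe or vssadmin.exe in isolation fires on legitimate administration too, whereas two or more of these indicators descending from the same non-system root process is rare outside ransomware. Feed it Sysmon Event ID 1 or Windows 4688 events with ParentProcessId resolved and the logic is the same.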
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\PROGRA~1\COMMON~1\644667829
  Filesize 16B
  MD5 4af22e43f15ad1f6665a588ddba7b8d1
  SHA1 a2a05244cc61227683ad87525fdde08b9b99badc
  SHA256 c8465b12ce2cb7d8ffb5fc36c73aa0c23b5eccce86241a9988dbf810e2ca0c3f
  SHA512 7153f7fdd3c482f3eaf1ac1eeec789533b78c629f2aa1879c604e2b05631199e4af4eda13f451f165bbe3063edafdf87479521c953bfe6ad7118429999f8063e
- C:\PROGRA~1\COMMON~1\log.txt (three snapshots of the same path, captured at different sizes during the run)
  Filesize 4KB
  MD5 e33884a2250a417f3907a885f7e76864
  SHA1 098070c2a6723772f8f9cbb1ed34458f909cdc31
  SHA256 65f715ef134b1aea342ad1f86607ad926642dfaebea22ba34c3cd805d5672a9b
  SHA512 2f69e423c09dcc55367f144a659ca6b78603c09d6a80631cc0ba3cfc181d63414482dad4791988047c9e428cd5be27186b82ff0097780214215516092cb77466
- C:\PROGRA~1\COMMON~1\log.txt
  Filesize 647B
  MD5 6859e6a8fb8ef8a73239cc5e536d0552
  SHA1 03d47f1ab4c1e83b3c532d06bf477f7cd1266687
  SHA256 ac9bb3f8bd1731b3b61e6bfbe744d3c5389466b2281b0e566a70b2f1829e8762
  SHA512 b56dd030d839ae2766f8a386203c87e3a0b36f9b4d25fe17370d35b361f24e62508b25903b660c470d8bf0e3a1af29b337024380b24a083588466d76f6aa1b37
- C:\PROGRA~1\COMMON~1\log.txt
  Filesize 10KB
  MD5 d6a73e42b405cac2dbefed36851b320d
  SHA1 7f89ffb1f99db6306f9914e1aafc7f5f1104bbc5
  SHA256 05825dfa4d3e4fb43301a1998628957dd8c709c3343b870472626664a5675745
  SHA512 cd6575792d257a05a2f84c495b3703da4be541ea33dcf83c7803aff59ec9b000a7faca4c5ba0126797e7df40afa51912ef593751ee50495c0b8ccd7ca0b6397f
- C:\Users\Admin\Desktop\ExitRename.tif
  Filesize 588KB
  MD5 898a7c95bde9c0823577cdc1945d7e8d
  SHA1 2caff9a89e1f7e054b1034b49e8e9273e91bfe07
  SHA256 c0505cd6fbdc226acaece4318ab59e9b9f3c30f746fd0c0968f6b03ddb96dcaa
  SHA512 7d398af274e1fc4eec545ff222fae46c763842ae9ecb1c4dfb680e37fc82fbe7d749b84e918eab8cdb6c973b958e3efd0b1e37e13e0642343be7f595a338bbe8
- C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url
  Filesize 133B
  MD5 b85026155b964b6f3a883c9a8b62dfe3
  SHA1 5c38290813cd155c68773c19b0dd5371b7b1c337
  SHA256 57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f
  SHA512 c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd