Analysis

max time kernel:  93s
max time network: 127s
platform:         windows10-2004_x64
resource:         win10v2004-20240226-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:        28-03-2024 10:05
Static task: static1

Behavioral task: behavioral1
  Sample:   without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample:   without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
  Resource: win10v2004-20240226-en
General

Target: without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
Size:   1.0MB
MD5:    cd4a0b371cd7dc9dab6b442b0583550c
SHA1:   0612c1ed908bcd754d31edb662ada2c88431e8c2
SHA256: bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f
SHA512: 6d843ea93fed3c7475863abdd8d86bef559d700111d03e7b4827d4ff4777ab1c98bbb08880219e82deff4cd76135f8a74edb9437c301f7ec9cb8a2f31b5bae02
SSDEEP: 24576:lrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaozQ:l2EYTb8atv1orq+pEiSDTj1VyvBao
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes: bcdedit.exe, bcdedit.exe
  pid   process
  844   bcdedit.exe
  4192  bcdedit.exe
Drops desktop.ini file(s) (17 IoCs)
Processes: without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
Every IoC below is a "File opened for modification" event by without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe:
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini
  C:\Users\Admin\3D Objects\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Music\desktop.ini
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
Every IoC below is a "File opened (read-only)" event by without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe:
  \??\l:  \??\n:  \??\r:  \??\t:  \??\g:  \??\k:  \??\p:  \??\v:
  \??\x:  \??\F:  \??\j:  \??\m:  \??\o:  \??\q:  \??\u:  \??\s:
  \??\w:  \??\y:  \??\a:  \??\b:  \??\e:  \??\h:  \??\i:  \??\z:
Drops file in Program Files directory (5 IoCs)
Processes: without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
Every IoC below is an event by without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe:
  File created                  C:\PROGRA~1\COMMON~1\265141313265141313
  File opened for modification  C:\PROGRA~1\COMMON~1\313141562
  File created                  C:\PROGRA~1\COMMON~1\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
  File opened for modification  C:\PROGRA~1\COMMON~1\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
  File opened for modification  C:\PROGRA~1\COMMON~1\log.txt
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid   process
  4956  vssadmin.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: WITHOU~1.EXE
  pid   process
  3328  WITHOU~1.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
  description                 pid   process
  Token: SeBackupPrivilege    4064  vssvc.exe
  Token: SeRestorePrivilege   4064  vssvc.exe
  Token: SeAuditPrivilege     4064  vssvc.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes: without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
The report lists each of the 12 writes below twice, giving the 24 IoCs.
  description                        pid   process                                               target process
  PID 380 wrote to memory of 4168    380   without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe  cmd.exe
  PID 4168 wrote to memory of 3920   4168  cmd.exe                                               schtasks.exe
  PID 380 wrote to memory of 5084    380   without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe  cmd.exe
  PID 380 wrote to memory of 4996    380   without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe  cmd.exe
  PID 380 wrote to memory of 4068    380   without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe  cmd.exe
  PID 4996 wrote to memory of 2300   4996  cmd.exe                                               cmd.exe
  PID 4068 wrote to memory of 5012   4068  cmd.exe                                               cmd.exe
  PID 5084 wrote to memory of 3504   5084  cmd.exe                                               cmd.exe
  PID 4068 wrote to memory of 844    4068  cmd.exe                                               bcdedit.exe
  PID 4996 wrote to memory of 4192   4996  cmd.exe                                               bcdedit.exe
  PID 5084 wrote to memory of 4956   5084  cmd.exe                                               vssadmin.exe
  PID 380 wrote to memory of 3328    380   without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe  WITHOU~1.EXE

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe"
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 265141313 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\schtasks.exe
      command line: schtasks /create /sc onlogon /tn 265141313 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE
      - Creates scheduled task(s)

  (depth 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C title 8405009|vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" title 8405009"

    (depth 3) C:\Windows\system32\vssadmin.exe
      command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies

  (depth 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C title 6096844|bcdedit /set {default} recoveryenabled No
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" title 6096844"

    (depth 3) C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit

  (depth 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /C title 7450420|bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" title 7450420"

    (depth 3) C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

  (depth 2) C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE
    command line: C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE
    - Suspicious behavior: GetForegroundWindowSpam

(depth 1) C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\PROGRA~1\COMMON~1\313141562
  Filesize: 26B
  MD5:      c0013564b6565fb074bd848eaad15ee3
  SHA1:     207f820affdec4771abcea5991ab640387cd58c7
  SHA256:   62829bd2f05880fe2e52d87c3fb282c5a951d812b40eda60edd9c31e8cdde489
  SHA512:   581e8feccbacbda7479366d6da3070704b91aa58a4dfa2e100ad2bdc66754e0dc0b40e474c813e741690269ab3c9f3e07f6ccdbe9970961e09024e9de08312c6

C:\PROGRA~1\COMMON~1\log.txt
  Filesize: 4KB
  MD5:      b275fa2d121f089260e952f053b6d68e
  SHA1:     a50a336b250b0c5bc538c0197ce904eef807ef83
  SHA256:   e59877c3e4b0f2ec68584210179927c3a208e125e92ffb98a6d498048f35f342
  SHA512:   92c531fb1afabce896b71a338b8c4e6b0d1086eeb43e721acdb82d63651695224091502ba00daa141a3a110e28179ae6fd9a466df691337af431d8d162a8ae60

C:\PROGRA~1\COMMON~1\log.txt
  Filesize: 7KB
  MD5:      5cf522c2130f8bfa421e4b7e8ed40990
  SHA1:     1ce7a0e7af87e604fb6a9544dc7fe3ca7440aa24
  SHA256:   5acb4b78d4310545dde9e97290fa3fecd5949ff38406a7f9d30b20f4fb82c8f2
  SHA512:   fd86d3e7846f6019036eb2b73fc2e92fc5942771c4de7f4738d813553dc67143779d9a64c8442f5bd809f7f35f65b465c4a878ef28e7cab4e5bafa75abd5b3d6

C:\Users\Admin\Desktop\CompressSkip.vssx
  Filesize: 521KB
  MD5:      11176462e091bfbe03cdc072c1a5aef7
  SHA1:     eeb8388e5ef301a5cb6bc16e5c10e9fe8b0d51bc
  SHA256:   97b8718f15bcff99549f4d6562a6177d67ed8a1d689119b7b86977a4a12230bc
  SHA512:   e24cd9e1881adf156a1459969aa6bb9465c78fd6e58fed34b73dfaba0a530674c0a9a18ee13811f163543ada4aefe2c940285b3b0d4d24327a6e973ca74d1790