bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f

General

Target

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
Size

1.0MB
MD5

cd4a0b371cd7dc9dab6b442b0583550c
SHA1

0612c1ed908bcd754d31edb662ada2c88431e8c2
SHA256

bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f
SHA512

6d843ea93fed3c7475863abdd8d86bef559d700111d03e7b4827d4ff4777ab1c98bbb08880219e82deff4cd76135f8a74edb9437c301f7ec9cb8a2f31b5bae02
SSDEEP

24576:lrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaozQ:l2EYTb8atv1orq+pEiSDTj1VyvBao

Score

9^/10

evasion ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

844 bcdedit.exe
4192 bcdedit.exe

pid	process
844	bcdedit.exe
4192	bcdedit.exe

Drops desktop.ini file(s) 17 IoCs

Processes:

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

description	ioc	process
File opened (read-only)	\??\l:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\n:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\r:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\t:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\g:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\k:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\p:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\v:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\x:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\F:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\j:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\m:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\o:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\q:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\u:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\s:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\w:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\y:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\a:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\b:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\e:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\h:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\i:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened (read-only)	\??\z:	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

Drops file in Program Files directory 5 IoCs

Processes:

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

description	ioc	process
File created	C:\PROGRA~1\COMMON~1\265141313265141313	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\PROGRA~1\COMMON~1\313141562	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File created	C:\PROGRA~1\COMMON~1\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\PROGRA~1\COMMON~1\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
File opened for modification	C:\PROGRA~1\COMMON~1\log.txt	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3920 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4956 vssadmin.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WITHOU~1.EXE

pid process

3328 WITHOU~1.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4064 vssvc.exe
Token: SeRestorePrivilege 4064 vssvc.exe
Token: SeAuditPrivilege 4064 vssvc.exe

pid	process
3920	schtasks.exe

pid	process
4956	vssadmin.exe

pid	process
3328	WITHOU~1.EXE

description	pid	process
Token: SeBackupPrivilege	4064	vssvc.exe
Token: SeRestorePrivilege	4064	vssvc.exe
Token: SeAuditPrivilege	4064	vssvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

without_readme_cd4a0b371cd7dc9dab6b442b0583550c.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 380 wrote to memory of 4168	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 380 wrote to memory of 4168	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 4168 wrote to memory of 3920	4168	cmd.exe	schtasks.exe
PID 4168 wrote to memory of 3920	4168	cmd.exe	schtasks.exe
PID 380 wrote to memory of 5084	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 380 wrote to memory of 5084	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 380 wrote to memory of 4996	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 380 wrote to memory of 4996	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 380 wrote to memory of 4068	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 380 wrote to memory of 4068	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	cmd.exe
PID 4996 wrote to memory of 2300	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 2300	4996	cmd.exe	cmd.exe
PID 4068 wrote to memory of 5012	4068	cmd.exe	cmd.exe
PID 4068 wrote to memory of 5012	4068	cmd.exe	cmd.exe
PID 5084 wrote to memory of 3504	5084	cmd.exe	cmd.exe
PID 5084 wrote to memory of 3504	5084	cmd.exe	cmd.exe
PID 4068 wrote to memory of 844	4068	cmd.exe	bcdedit.exe
PID 4068 wrote to memory of 844	4068	cmd.exe	bcdedit.exe
PID 4996 wrote to memory of 4192	4996	cmd.exe	bcdedit.exe
PID 4996 wrote to memory of 4192	4996	cmd.exe	bcdedit.exe
PID 5084 wrote to memory of 4956	5084	cmd.exe	vssadmin.exe
PID 5084 wrote to memory of 4956	5084	cmd.exe	vssadmin.exe
PID 380 wrote to memory of 3328	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	WITHOU~1.EXE
PID 380 wrote to memory of 3328	380	without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe	WITHOU~1.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe
"C:\Users\Admin\AppData\Local\Temp\without_readme_cd4a0b371cd7dc9dab6b442b0583550c.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 265141313 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE
2⤵
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn 265141313 /rl highest /tr C:\PROGRA~1\COMMON~1\WITHOU~1.EXE
3⤵
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 8405009|vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 8405009"
3⤵
PID:3504

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 6096844|bcdedit /set {default} recoveryenabled No
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 6096844"
3⤵
PID:2300

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C title 7450420|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title 7450420"
3⤵
PID:5012

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:844

C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE
C:\Users\Admin\AppData\Local\Temp\WITHOU~1.EXE
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\313141562
Filesize
26B

MD5
c0013564b6565fb074bd848eaad15ee3

SHA1
207f820affdec4771abcea5991ab640387cd58c7

SHA256
62829bd2f05880fe2e52d87c3fb282c5a951d812b40eda60edd9c31e8cdde489

SHA512
581e8feccbacbda7479366d6da3070704b91aa58a4dfa2e100ad2bdc66754e0dc0b40e474c813e741690269ab3c9f3e07f6ccdbe9970961e09024e9de08312c6

Download Submit
C:\PROGRA~1\COMMON~1\log.txt
Filesize
4KB

MD5
b275fa2d121f089260e952f053b6d68e

SHA1
a50a336b250b0c5bc538c0197ce904eef807ef83

SHA256
e59877c3e4b0f2ec68584210179927c3a208e125e92ffb98a6d498048f35f342

SHA512
92c531fb1afabce896b71a338b8c4e6b0d1086eeb43e721acdb82d63651695224091502ba00daa141a3a110e28179ae6fd9a466df691337af431d8d162a8ae60

Download Submit
C:\PROGRA~1\COMMON~1\log.txt
Filesize
7KB

MD5
5cf522c2130f8bfa421e4b7e8ed40990

SHA1
1ce7a0e7af87e604fb6a9544dc7fe3ca7440aa24

SHA256
5acb4b78d4310545dde9e97290fa3fecd5949ff38406a7f9d30b20f4fb82c8f2

SHA512
fd86d3e7846f6019036eb2b73fc2e92fc5942771c4de7f4738d813553dc67143779d9a64c8442f5bd809f7f35f65b465c4a878ef28e7cab4e5bafa75abd5b3d6

Download Submit
C:\Users\Admin\Desktop\CompressSkip.vssx
Filesize
521KB

MD5
11176462e091bfbe03cdc072c1a5aef7

SHA1
eeb8388e5ef301a5cb6bc16e5c10e9fe8b0d51bc

SHA256
97b8718f15bcff99549f4d6562a6177d67ed8a1d689119b7b86977a4a12230bc

SHA512
e24cd9e1881adf156a1459969aa6bb9465c78fd6e58fed34b73dfaba0a530674c0a9a18ee13811f163543ada4aefe2c940285b3b0d4d24327a6e973ca74d1790

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads