Analysis

max time kernel: 92s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 14:55
Static task: static1

Behavioral task: behavioral1
  Sample: 215c37360388d16653ffc1740c639d486753a9db69a8ad4f3e1b172b1b712df4.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral2
  Sample: 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral3
  Sample: 8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral4
  Sample: d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral5
  Sample: f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
  Resource: win10v2004-20240226-en
General

Target: 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
Size: 208KB
MD5: 12bc78e07cb69dd6ec32729240dbe537
SHA1: 7b7d9b115ec10074f7166ec3379fead6e816da59
SHA256: 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9
SHA512: c974592671b081d0af48c1aab9f9f02243773a081d9fadf70e3caa7454dca657b45bece27852397e74f601df1abdf5db496c821a5df624057355fd15c807e15a
SSDEEP: 3072:GXbUMNAwQ2Jpo/AkQCUyevi8xRpz81NADJ2:ibUMKwQ2J4ReviSjeKN
Malware Config
Signatures

CryptoLocker
Ransomware family with multiple variants.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | process
3244 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | process
4568 | taskmgr.exe (16 identical entries)

Suspicious use of AdjustPrivilegeToken (26 IoCs)
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2136 | WMIC.exe
Token: SeSecurityPrivilege | 2136 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2136 | WMIC.exe
Token: SeLoadDriverPrivilege | 2136 | WMIC.exe
Token: SeSystemProfilePrivilege | 2136 | WMIC.exe
Token: SeSystemtimePrivilege | 2136 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2136 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2136 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2136 | WMIC.exe
Token: SeBackupPrivilege | 2136 | WMIC.exe
Token: SeRestorePrivilege | 2136 | WMIC.exe
Token: SeShutdownPrivilege | 2136 | WMIC.exe
Token: SeDebugPrivilege | 2136 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2136 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2136 | WMIC.exe
Token: SeUndockPrivilege | 2136 | WMIC.exe
Token: SeManageVolumePrivilege | 2136 | WMIC.exe
Token: 33 | 2136 | WMIC.exe
Token: 34 | 2136 | WMIC.exe
Token: 35 | 2136 | WMIC.exe
Token: 36 | 2136 | WMIC.exe
Token: SeDebugPrivilege | 4568 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4568 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4568 | taskmgr.exe
Token: 33 | 4568 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4568 | taskmgr.exe

Suspicious use of FindShellTrayWindow (41 IoCs)
pid | process
4568 | taskmgr.exe (41 identical entries)

Suspicious use of SendNotifyMessage (41 IoCs)
pid | process
4568 | taskmgr.exe (41 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | procid_target
PID 4312 wrote to memory of 1456 | 4312 | 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe | 87
PID 4312 wrote to memory of 1456 | 4312 | 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe | 87
PID 4312 wrote to memory of 5096 | 4312 | 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe | 89
PID 4312 wrote to memory of 5096 | 4312 | 5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe | 89
PID 1456 wrote to memory of 2136 | 1456 | cmd.exe | 91
PID 1456 wrote to memory of 2136 | 1456 | cmd.exe | 91
PID 5096 wrote to memory of 3244 | 5096 | cmd.exe | 92
PID 5096 wrote to memory of 3244 | 5096 | cmd.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe"
  PID: 4312
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C wmic.exe SHADOWCOPY /nointeractive
    PID: 1456
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic.exe SHADOWCOPY /nointeractive
      PID: 2136
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All/ Quiet
    PID: 5096
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All/ Quiet
      PID: 3244
      - Interacts with shadow copies

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4568
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage