983844e147b498c2cb448fba7b9543e4150a99bf5658b5e866c5fa2ca2639dc4

Analysis

max time kernel
204s
max time network
44s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Size

775KB
MD5

0b486fe0503524cfe4726a4022fa6a68
SHA1

297dea71d489768ce45d23b0f8a45424b469ab00
SHA256

1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
SHA512

f4273ca5cc3a9360af67f4b4ee0bf067cf218c5dc8caeafbfa1b809715effe742f2e1f54e4fe9ec8d4b8e3ae697d57f91c2b49bdf203648508d75d4a76f53619
SSDEEP

24576:TCs99+OXLpMePfI8TgmBTCDqEbOpPtpFhyxfq:5GOXLpMePfzVTCD7gPtLhSfq

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1548	wmic.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1548	wmic.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1548	wmic.exe	29

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\R:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\H:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\I:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\L:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\P:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\Q:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\S:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\T:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\U:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\B:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\E:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\M:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\Y:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\W:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\X:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\G:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\K:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\V:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\Z:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\A:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\J:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
File opened (read-only)	\??\N:	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1996	vssadmin.exe
2448	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1452	wmic.exe
Token: SeSecurityPrivilege	1452	wmic.exe
Token: SeTakeOwnershipPrivilege	1452	wmic.exe
Token: SeLoadDriverPrivilege	1452	wmic.exe
Token: SeSystemProfilePrivilege	1452	wmic.exe
Token: SeSystemtimePrivilege	1452	wmic.exe
Token: SeProfSingleProcessPrivilege	1452	wmic.exe
Token: SeIncBasePriorityPrivilege	1452	wmic.exe
Token: SeCreatePagefilePrivilege	1452	wmic.exe
Token: SeBackupPrivilege	1452	wmic.exe
Token: SeRestorePrivilege	1452	wmic.exe
Token: SeShutdownPrivilege	1452	wmic.exe
Token: SeDebugPrivilege	1452	wmic.exe
Token: SeSystemEnvironmentPrivilege	1452	wmic.exe
Token: SeRemoteShutdownPrivilege	1452	wmic.exe
Token: SeUndockPrivilege	1452	wmic.exe
Token: SeManageVolumePrivilege	1452	wmic.exe
Token: 33	1452	wmic.exe
Token: 34	1452	wmic.exe
Token: 35	1452	wmic.exe
Token: SeIncreaseQuotaPrivilege	860	wmic.exe
Token: SeSecurityPrivilege	860	wmic.exe
Token: SeTakeOwnershipPrivilege	860	wmic.exe
Token: SeLoadDriverPrivilege	860	wmic.exe
Token: SeSystemProfilePrivilege	860	wmic.exe
Token: SeSystemtimePrivilege	860	wmic.exe
Token: SeProfSingleProcessPrivilege	860	wmic.exe
Token: SeIncBasePriorityPrivilege	860	wmic.exe
Token: SeCreatePagefilePrivilege	860	wmic.exe
Token: SeBackupPrivilege	860	wmic.exe
Token: SeRestorePrivilege	860	wmic.exe
Token: SeShutdownPrivilege	860	wmic.exe
Token: SeDebugPrivilege	860	wmic.exe
Token: SeSystemEnvironmentPrivilege	860	wmic.exe
Token: SeRemoteShutdownPrivilege	860	wmic.exe
Token: SeUndockPrivilege	860	wmic.exe
Token: SeManageVolumePrivilege	860	wmic.exe
Token: 33	860	wmic.exe
Token: 34	860	wmic.exe
Token: 35	860	wmic.exe
Token: SeIncreaseQuotaPrivilege	2324	wmic.exe
Token: SeSecurityPrivilege	2324	wmic.exe
Token: SeTakeOwnershipPrivilege	2324	wmic.exe
Token: SeLoadDriverPrivilege	2324	wmic.exe
Token: SeSystemProfilePrivilege	2324	wmic.exe
Token: SeSystemtimePrivilege	2324	wmic.exe
Token: SeProfSingleProcessPrivilege	2324	wmic.exe
Token: SeIncBasePriorityPrivilege	2324	wmic.exe
Token: SeCreatePagefilePrivilege	2324	wmic.exe
Token: SeBackupPrivilege	2324	wmic.exe
Token: SeRestorePrivilege	2324	wmic.exe
Token: SeShutdownPrivilege	2324	wmic.exe
Token: SeDebugPrivilege	2324	wmic.exe
Token: SeSystemEnvironmentPrivilege	2324	wmic.exe
Token: SeRemoteShutdownPrivilege	2324	wmic.exe
Token: SeUndockPrivilege	2324	wmic.exe
Token: SeManageVolumePrivilege	2324	wmic.exe
Token: 33	2324	wmic.exe
Token: 34	2324	wmic.exe
Token: 35	2324	wmic.exe
Token: SeIncreaseQuotaPrivilege	1452	wmic.exe
Token: SeSecurityPrivilege	1452	wmic.exe
Token: SeTakeOwnershipPrivilege	1452	wmic.exe
Token: SeLoadDriverPrivilege	1452	wmic.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2308	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	36
PID 2416 wrote to memory of 2308	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	36
PID 2416 wrote to memory of 2308	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	36
PID 2416 wrote to memory of 2308	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	36
PID 2416 wrote to memory of 1996	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	41
PID 2416 wrote to memory of 1996	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	41
PID 2416 wrote to memory of 1996	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	41
PID 2416 wrote to memory of 1996	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	41
PID 2416 wrote to memory of 1704	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	43
PID 2416 wrote to memory of 1704	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	43
PID 2416 wrote to memory of 1704	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	43
PID 2416 wrote to memory of 1704	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	43
PID 2416 wrote to memory of 2448	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	45
PID 2416 wrote to memory of 2448	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	45
PID 2416 wrote to memory of 2448	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	45
PID 2416 wrote to memory of 2448	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	45
PID 2416 wrote to memory of 2616	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	47
PID 2416 wrote to memory of 2616	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	47
PID 2416 wrote to memory of 2616	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	47
PID 2416 wrote to memory of 2616	2416	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe	47

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe
"C:\Users\Admin\AppData\Local\Temp\1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2416
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2308
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1996
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:1704
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2448
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic SHADOWCOPY DELETE /nointeractive
  2⤵
  PID:2616

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:860