ae2b65de86e012e926c22d0f81c7d4e495d8cbcae8aa34c298c267477d2d3ec0

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f.exe
Size

79KB
MD5

7b910a871a5bb36d8f47094f51eaac46
SHA1

61817e25b0cfae37a3f289fc308e67146f874342
SHA256

ae2b65de86e012e926c22d0f81c7d4e495d8cbcae8aa34c298c267477d2d3ec0
SHA512

3e0da7617b4f699d551dee400dea9d2c5ddccb99057ab48ef81ad8d1b7b182dc38e04aaa8248368e1f668022cf73f45190acc8a82eb114cd0d13b1c44489fdaa
SSDEEP

1536:yQ4Bh+fyPhBAxC66ksrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2S8bj/:2h+fyPECLksrQLOJgY8Zp8LHD4XWaNHj

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2488 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f.exe

pid process

2088 f.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2812 vssvc.exe
Token: SeRestorePrivilege 2812 vssvc.exe
Token: SeAuditPrivilege 2812 vssvc.exe

pid	process
2488	vssadmin.exe

pid	process
2088	f.exe

description	pid	process
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f.execmd.exe

description	pid	process	target process
PID 2088 wrote to memory of 2964	2088	f.exe	cmd.exe
PID 2088 wrote to memory of 2964	2088	f.exe	cmd.exe
PID 2088 wrote to memory of 2964	2088	f.exe	cmd.exe
PID 2088 wrote to memory of 2964	2088	f.exe	cmd.exe
PID 2964 wrote to memory of 2488	2964	cmd.exe	vssadmin.exe
PID 2964 wrote to memory of 2488	2964	cmd.exe	vssadmin.exe
PID 2964 wrote to memory of 2488	2964	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f.exe
"C:\Users\Admin\AppData\Local\Temp\f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads