ae2b65de86e012e926c22d0f81c7d4e495d8cbcae8aa34c298c267477d2d3ec0

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f.exe
Size

79KB
MD5

7b910a871a5bb36d8f47094f51eaac46
SHA1

61817e25b0cfae37a3f289fc308e67146f874342
SHA256

ae2b65de86e012e926c22d0f81c7d4e495d8cbcae8aa34c298c267477d2d3ec0
SHA512

3e0da7617b4f699d551dee400dea9d2c5ddccb99057ab48ef81ad8d1b7b182dc38e04aaa8248368e1f668022cf73f45190acc8a82eb114cd0d13b1c44489fdaa
SSDEEP

1536:yQ4Bh+fyPhBAxC66ksrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2S8bj/:2h+fyPECLksrQLOJgY8Zp8LHD4XWaNHj

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3728	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1404	f.exe
1404	f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3236	vssvc.exe
Token: SeRestorePrivilege	3236	vssvc.exe
Token: SeAuditPrivilege	3236	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 904	1404	f.exe	84
PID 1404 wrote to memory of 904	1404	f.exe	84
PID 904 wrote to memory of 3728	904	cmd.exe	86
PID 904 wrote to memory of 3728	904	cmd.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f.exe
"C:\Users\Admin\AppData\Local\Temp\f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads