Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 19:10
Static task
static1
Behavioral task
behavioral1
Sample
104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
Resource
win10v2004-20240226-en
General
-
Target
104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
-
Size
5.4MB
-
MD5
cfb2286b45544fdb23569f59c02e3d58
-
SHA1
82793d93d987abb357809f069420d17a25a59f26
-
SHA256
104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2
-
SHA512
f72316b083f92763fc58e7826f63072141b845c7319e85ce256ba21297fc035925e95d16193a44d2188912892b1b08828a97a896181566a61d5e472543560d7a
-
SSDEEP
49152:jM4us5cOkWus2MYrRgGxznum8Uf3lDiFXnKZ5ERDLKJ5YVpWKUYg/4+6Wfctm1AE:haOvZ4rm1UdLEUqB+
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\How_To_Restore_Your_Files.txt
http://vogjzince7niuj34d7wckrqbfgf7klcokzgt7b2hw42bzwwzzvdvdsqd.onion/6ef9cc13508ab2863bf708dd841e549afa2cb5a44bffe987b8580c7006b37b9aa7b416e9d6d23d4893c74b167e395a41/
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2504 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exepid process 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
vssvc.exeWMIC.exedescription pid process Token: SeBackupPrivilege 4420 vssvc.exe Token: SeRestorePrivilege 4420 vssvc.exe Token: SeAuditPrivilege 4420 vssvc.exe Token: SeIncreaseQuotaPrivilege 3448 WMIC.exe Token: SeSecurityPrivilege 3448 WMIC.exe Token: SeTakeOwnershipPrivilege 3448 WMIC.exe Token: SeLoadDriverPrivilege 3448 WMIC.exe Token: SeSystemProfilePrivilege 3448 WMIC.exe Token: SeSystemtimePrivilege 3448 WMIC.exe Token: SeProfSingleProcessPrivilege 3448 WMIC.exe Token: SeIncBasePriorityPrivilege 3448 WMIC.exe Token: SeCreatePagefilePrivilege 3448 WMIC.exe Token: SeBackupPrivilege 3448 WMIC.exe Token: SeRestorePrivilege 3448 WMIC.exe Token: SeShutdownPrivilege 3448 WMIC.exe Token: SeDebugPrivilege 3448 WMIC.exe Token: SeSystemEnvironmentPrivilege 3448 WMIC.exe Token: SeRemoteShutdownPrivilege 3448 WMIC.exe Token: SeUndockPrivilege 3448 WMIC.exe Token: SeManageVolumePrivilege 3448 WMIC.exe Token: 33 3448 WMIC.exe Token: 34 3448 WMIC.exe Token: 35 3448 WMIC.exe Token: 36 3448 WMIC.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.execmd.execmd.exedescription pid process target process PID 4820 wrote to memory of 2036 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe cmd.exe PID 4820 wrote to memory of 2036 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe cmd.exe PID 2036 wrote to memory of 2504 2036 cmd.exe vssadmin.exe PID 2036 wrote to memory of 2504 2036 cmd.exe vssadmin.exe PID 4820 wrote to memory of 1428 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe cmd.exe PID 4820 wrote to memory of 1428 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe cmd.exe PID 1428 wrote to memory of 3448 1428 cmd.exe WMIC.exe PID 1428 wrote to memory of 3448 1428 cmd.exe WMIC.exe PID 4820 wrote to memory of 3992 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe cmd.exe PID 4820 wrote to memory of 3992 4820 104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe cmd.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe"C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\system32\cmd.execmd /c vssadmin Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
PID:2504
-
-
-
C:\Windows\system32\cmd.execmd /c wmic SHADOWCOPY /nointeractive2⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c del C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe2⤵PID:3992
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1696 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:81⤵PID:928
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56cc604c8f095c4481ad80f3f1d9aa1bf
SHA192accd8797aba99b04cc523e22e6d07aca3464c2
SHA2562cb3b4a36b4aa80ae6850da590caab3b2caa74b1049a5c868a1e821feb036741
SHA5129acd74acd8973ac8ef443337899fabb54b8e0334408d7dc203256e6d43cd30a67be88bd68a3b373cee43237ea7e320aa5ef18c058f7dee39515c70f33965916c