0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e

Analysis

max time kernel
181s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe
Size

849KB
MD5

403dee0dd3891459b22a8a37828b66b8
SHA1

919c33adb648ce13ee8bd7c11bffbfd836936c00
SHA256

0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e
SHA512

8cab8ca9ff17c404d6e41358804daf0915713ad3e8e690457e2f9aab4014c894fd73e406aad8837ed8409be32315a4a0f3ef41795828d7447fde68c6fe9226f2
SSDEEP

24576:TdxKSvB4i4sSnMIsBadfBZz4kIsPP3q7uL+gB+UtcMT:Jvei4sSEad5Zz4kIsPP34uL+gB++cW

Score

9^/10

defense_evasion execution impact ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2584	2792	WerFault.exe	27

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2072	vssadmin.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taovhsr3u\DefaultIcon	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taovhsr3u	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taovhsr3u\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2852	2792	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe	28
PID 2792 wrote to memory of 2852	2792	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe	28
PID 2792 wrote to memory of 2852	2792	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe	28
PID 2792 wrote to memory of 2852	2792	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe	28
PID 2852 wrote to memory of 2072	2852	cmd.exe	30
PID 2852 wrote to memory of 2072	2852	cmd.exe	30
PID 2852 wrote to memory of 2072	2852	cmd.exe	30
PID 2852 wrote to memory of 2072	2852	cmd.exe	30
PID 2792 wrote to memory of 2584	2792	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe	34
PID 2792 wrote to memory of 2584	2792	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe	34
PID 2792 wrote to memory of 2584	2792	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe	34
PID 2792 wrote to memory of 2584	2792	0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe
"C:\Users\Admin\AppData\Local\Temp\0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 324
  2⤵
  - Program crash
  PID:2584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads