Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 05:00
Static task
static1
Behavioral task
behavioral1
Sample
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
Resource
win10-20240404-en
General
-
Target
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe
-
Size
5.8MB
-
MD5
e7d5201947829fd265a0356771fbeb63
-
SHA1
6c90b89aad04f38c584fcee1d47fed9cd79f8ef1
-
SHA256
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9
-
SHA512
e3442ecebdb29ea722142f9a1a533b8fe6297b9e6923cf290cc3850287a864059bb17709ee03ce134f36d5e333a36a9c37345507a7f9fbd007ca8fbf89abce31
-
SSDEEP
98304:yfUTMfcltw7HaqKN2A2lO8azKowdWr6z3h4q1KIqoS4aMTlcMmbFLOAkGkzdnEVk:2UiEsGE/r1R4q8IqoSP4cMmbFLOyomFI
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2916 vssadmin.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1o5x619pc\DefaultIcon b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.1o5x619pc b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.1o5x619pc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1940 b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2836 vssvc.exe Token: SeRestorePrivilege 2836 vssvc.exe Token: SeAuditPrivilege 2836 vssvc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1940 b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1940 wrote to memory of 356 1940 b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe 28 PID 1940 wrote to memory of 356 1940 b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe 28 PID 1940 wrote to memory of 356 1940 b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe 28 PID 1940 wrote to memory of 356 1940 b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe 28 PID 356 wrote to memory of 2916 356 cmd.exe 30 PID 356 wrote to memory of 2916 356 cmd.exe 30 PID 356 wrote to memory of 2916 356 cmd.exe 30 PID 356 wrote to memory of 2916 356 cmd.exe 30 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe"C:\Users\Admin\AppData\Local\Temp\b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9.exe"1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:356 -
C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2916
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836