e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757

Analysis

max time kernel
290s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe
Size

681KB
MD5

59db7bd22d4ec503b768ece646205c27
SHA1

ff57cda4829978d8b6f7f1f31356f291b37acaa6
SHA256

e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757
SHA512

d35708f7d53998917fc66a74f5ec158cc3726fa9f3035c3e13fca4fa38c66a18839b156281f21ad80e92537e7ba052fb64ce6a6bda62f0d6e955db78191e522c
SSDEEP

12288:lMJYSP5VV3VG7rYyPT+p/VYXMJ8oD536bGIqs7GBvw0QygfmHp:lMVj3IXYETQV1XD5VIZ7GOg1J

Score

9^/10

defense_evasion execution impact ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2720 2420 WerFault.exe e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2548 vssadmin.exe

pid	pid_target	process	target process
2720	2420	WerFault.exe	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe

pid	process
2548	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tcw9lnz6q\DefaultIcon	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tcw9lnz6q	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tcw9lnz6q\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico"	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1556 vssvc.exe
Token: SeRestorePrivilege 1556 vssvc.exe
Token: SeAuditPrivilege 1556 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1556	vssvc.exe
Token: SeRestorePrivilege	1556	vssvc.exe
Token: SeAuditPrivilege	1556	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.execmd.exe

description	pid	process	target process
PID 2420 wrote to memory of 1244	2420	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe	cmd.exe
PID 2420 wrote to memory of 1244	2420	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe	cmd.exe
PID 2420 wrote to memory of 1244	2420	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe	cmd.exe
PID 2420 wrote to memory of 1244	2420	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe	cmd.exe
PID 1244 wrote to memory of 2548	1244	cmd.exe	vssadmin.exe
PID 1244 wrote to memory of 2548	1244	cmd.exe	vssadmin.exe
PID 1244 wrote to memory of 2548	1244	cmd.exe	vssadmin.exe
PID 1244 wrote to memory of 2548	1244	cmd.exe	vssadmin.exe
PID 2420 wrote to memory of 2720	2420	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe	WerFault.exe
PID 2420 wrote to memory of 2720	2420	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe	WerFault.exe
PID 2420 wrote to memory of 2720	2420	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe	WerFault.exe
PID 2420 wrote to memory of 2720	2420	e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe	WerFault.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe
"C:\Users\Admin\AppData\Local\Temp\e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 328
  2⤵
  - Program crash
  PID:2720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-0-0x00000000002A0000-0x0000000000332000-memory.dmp

Filesize
584KB

Download
memory/2420-1-0x0000000000A90000-0x0000000000B6A000-memory.dmp

Filesize
872KB

Download
memory/2420-3-0x0000000000A90000-0x0000000000B6A000-memory.dmp

Filesize
872KB

Download