Analysis
-
max time kernel
290s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 05:00
Static task
static1
Behavioral task
behavioral1
Sample
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe
Resource
win10-20240404-en
General
-
Target
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe
-
Size
681KB
-
MD5
59db7bd22d4ec503b768ece646205c27
-
SHA1
ff57cda4829978d8b6f7f1f31356f291b37acaa6
-
SHA256
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757
-
SHA512
d35708f7d53998917fc66a74f5ec158cc3726fa9f3035c3e13fca4fa38c66a18839b156281f21ad80e92537e7ba052fb64ce6a6bda62f0d6e955db78191e522c
-
SSDEEP
12288:lMJYSP5VV3VG7rYyPT+p/VYXMJ8oD536bGIqs7GBvw0QygfmHp:lMVj3IXYETQV1XD5VIZ7GOg1J
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2720 2420 WerFault.exe 27 -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2548 vssadmin.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tcw9lnz6q\DefaultIcon e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tcw9lnz6q e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tcw9lnz6q\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkdjsadasd.ico" e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1556 vssvc.exe Token: SeRestorePrivilege 1556 vssvc.exe Token: SeAuditPrivilege 1556 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2420 wrote to memory of 1244 2420 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe 28 PID 2420 wrote to memory of 1244 2420 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe 28 PID 2420 wrote to memory of 1244 2420 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe 28 PID 2420 wrote to memory of 1244 2420 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe 28 PID 1244 wrote to memory of 2548 1244 cmd.exe 30 PID 1244 wrote to memory of 2548 1244 cmd.exe 30 PID 1244 wrote to memory of 2548 1244 cmd.exe 30 PID 1244 wrote to memory of 2548 1244 cmd.exe 30 PID 2420 wrote to memory of 2720 2420 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe 33 PID 2420 wrote to memory of 2720 2420 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe 33 PID 2420 wrote to memory of 2720 2420 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe 33 PID 2420 wrote to memory of 2720 2420 e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe 33 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe"C:\Users\Admin\AppData\Local\Temp\e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2548
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 3282⤵
- Program crash
PID:2720
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556