Analysis

  • max time kernel
    361s
  • max time network
    1596s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-05-2024 15:47

General

  • Target

    05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

  • Size

    1.4MB

  • MD5

    0ada88218b67a313a4f5ab0062fbc4e6

  • SHA1

    15dfcef932d666fdc7501bcee357ec2aabfcfdee

  • SHA256

    05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f

  • SHA512

    0b217e5aa8b17d347dbb05507cb5cf179328aad593fb65a8083ca8c300de4901eb55e6c8e971ce3280f50ceefd327332cfafde0280e09044d8da1dc8e20a49ed

  • SSDEEP

    24576:J6w15zVAFj5WEx9+22sHFXVYmLmYy+vz236ZSV8BGxon3sgGhzl1KsIVy:QsV85WU9+ElYmyZMz23sSyBGdgelIsj

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (95) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables Task Manager via registry modification
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 7 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
    "C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4812
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Temp\AESRT\refresh.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
        3⤵
          PID:1552
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
          3⤵
            PID:1748
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
            3⤵
              PID:800
            • C:\Windows\SysWOW64\rundll32.exe
              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
              3⤵
                PID:1356
              • C:\Windows\SysWOW64\rundll32.exe
                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
                3⤵
                  PID:1320
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5012

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Temp\AESRT\refresh.bat

              Filesize

              378B

              MD5

              0c7022bc17761ecace63d45343c9d2fd

              SHA1

              7fdf53bc92830e4e5935f61d745a055edd3fc9e3

              SHA256

              98ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a

              SHA512

              ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a

            • memory/4904-0-0x00000000733AE000-0x00000000733AF000-memory.dmp

              Filesize

              4KB

            • memory/4904-1-0x00000000002E0000-0x0000000000448000-memory.dmp

              Filesize

              1.4MB

            • memory/4904-4-0x00000000052D0000-0x00000000057CE000-memory.dmp

              Filesize

              5.0MB

            • memory/4904-5-0x0000000004E70000-0x0000000004F02000-memory.dmp

              Filesize

              584KB

            • memory/4904-12-0x00000000733A0000-0x0000000073A8E000-memory.dmp

              Filesize

              6.9MB

            • memory/4904-197-0x0000000005F90000-0x0000000005F9A000-memory.dmp

              Filesize

              40KB

            • memory/4904-201-0x00000000733AE000-0x00000000733AF000-memory.dmp

              Filesize

              4KB

            • memory/4904-202-0x00000000733A0000-0x0000000073A8E000-memory.dmp

              Filesize

              6.9MB