Overview
overview
10Static
static
100225a30270...24.exe
windows10-1703-x64
30225a30270...24.exe
windows7-x64
70225a30270...24.exe
windows10-2004-x64
30225a30270...24.exe
windows11-21h2-x64
305072a7ec4...7f.exe
windows10-1703-x64
1005072a7ec4...7f.exe
windows7-x64
1005072a7ec4...7f.exe
windows10-2004-x64
1005072a7ec4...7f.exe
windows11-21h2-x64
101fca1cd049...77.exe
windows10-1703-x64
11fca1cd049...77.exe
windows7-x64
11fca1cd049...77.exe
windows10-2004-x64
11fca1cd049...77.exe
windows11-21h2-x64
120bab94e6d...52.exe
windows10-1703-x64
120bab94e6d...52.exe
windows7-x64
120bab94e6d...52.exe
windows10-2004-x64
120bab94e6d...52.exe
windows11-21h2-x64
12704e269fb...66.exe
windows10-1703-x64
102704e269fb...66.exe
windows7-x64
102704e269fb...66.exe
windows10-2004-x64
102704e269fb...66.exe
windows11-21h2-x64
102cbb3497bf...2d.dll
windows10-1703-x64
102cbb3497bf...2d.dll
windows7-x64
102cbb3497bf...2d.dll
windows10-2004-x64
102cbb3497bf...2d.dll
windows11-21h2-x64
1037546b811e...f6.exe
windows10-1703-x64
1037546b811e...f6.exe
windows7-x64
1037546b811e...f6.exe
windows10-2004-x64
1037546b811e...f6.exe
windows11-21h2-x64
1049d828087c...2d.exe
windows10-1703-x64
149d828087c...2d.exe
windows7-x64
149d828087c...2d.exe
windows10-2004-x64
149d828087c...2d.exe
windows11-21h2-x64
1Analysis
-
max time kernel
1487s -
max time network
1499s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
18-05-2024 15:47
Behavioral task
behavioral1
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win11-20240426-en
Behavioral task
behavioral5
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win11-20240426-en
Behavioral task
behavioral9
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win7-20240215-en
Behavioral task
behavioral11
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win11-20240426-en
Behavioral task
behavioral13
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win11-20240508-en
Behavioral task
behavioral17
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win10-20240404-en
Behavioral task
behavioral18
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win7-20240508-en
Behavioral task
behavioral19
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win11-20240508-en
Behavioral task
behavioral21
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win10-20240404-en
Behavioral task
behavioral22
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win7-20240508-en
Behavioral task
behavioral23
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win11-20240426-en
Behavioral task
behavioral25
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win10-20240404-en
Behavioral task
behavioral26
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win7-20240508-en
Behavioral task
behavioral27
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral28
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win11-20240426-en
Behavioral task
behavioral29
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win10-20240404-en
Behavioral task
behavioral30
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win7-20240508-en
Behavioral task
behavioral31
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral32
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win11-20240426-en
General
-
Target
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
-
Size
1.4MB
-
MD5
0ada88218b67a313a4f5ab0062fbc4e6
-
SHA1
15dfcef932d666fdc7501bcee357ec2aabfcfdee
-
SHA256
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f
-
SHA512
0b217e5aa8b17d347dbb05507cb5cf179328aad593fb65a8083ca8c300de4901eb55e6c8e971ce3280f50ceefd327332cfafde0280e09044d8da1dc8e20a49ed
-
SSDEEP
24576:J6w15zVAFj5WEx9+22sHFXVYmLmYy+vz236ZSV8BGxon3sgGhzl1KsIVy:QsV85WU9+ElYmyZMz23sSyBGdgelIsj
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe," 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (96) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Drops desktop.ini file(s) 7 IoCs
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription ioc process File created C:\Users\Admin\Music\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Pictures\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Desktop\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Downloads\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File created C:\Users\Admin\Videos\desktop.ini 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\"" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Program Files\\Temp\\AESRT\\AESRTback.png" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Drops file in Program Files directory 2 IoCs
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription ioc process File opened for modification C:\Program Files\Temp\AESRT\refresh.bat 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe File opened for modification C:\Program Files\Temp\AESRT\AESRTback.png 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
WMIC.exevssvc.exe05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription pid process Token: SeIncreaseQuotaPrivilege 1120 WMIC.exe Token: SeSecurityPrivilege 1120 WMIC.exe Token: SeTakeOwnershipPrivilege 1120 WMIC.exe Token: SeLoadDriverPrivilege 1120 WMIC.exe Token: SeSystemProfilePrivilege 1120 WMIC.exe Token: SeSystemtimePrivilege 1120 WMIC.exe Token: SeProfSingleProcessPrivilege 1120 WMIC.exe Token: SeIncBasePriorityPrivilege 1120 WMIC.exe Token: SeCreatePagefilePrivilege 1120 WMIC.exe Token: SeBackupPrivilege 1120 WMIC.exe Token: SeRestorePrivilege 1120 WMIC.exe Token: SeShutdownPrivilege 1120 WMIC.exe Token: SeDebugPrivilege 1120 WMIC.exe Token: SeSystemEnvironmentPrivilege 1120 WMIC.exe Token: SeRemoteShutdownPrivilege 1120 WMIC.exe Token: SeUndockPrivilege 1120 WMIC.exe Token: SeManageVolumePrivilege 1120 WMIC.exe Token: 33 1120 WMIC.exe Token: 34 1120 WMIC.exe Token: 35 1120 WMIC.exe Token: 36 1120 WMIC.exe Token: SeIncreaseQuotaPrivilege 1120 WMIC.exe Token: SeSecurityPrivilege 1120 WMIC.exe Token: SeTakeOwnershipPrivilege 1120 WMIC.exe Token: SeLoadDriverPrivilege 1120 WMIC.exe Token: SeSystemProfilePrivilege 1120 WMIC.exe Token: SeSystemtimePrivilege 1120 WMIC.exe Token: SeProfSingleProcessPrivilege 1120 WMIC.exe Token: SeIncBasePriorityPrivilege 1120 WMIC.exe Token: SeCreatePagefilePrivilege 1120 WMIC.exe Token: SeBackupPrivilege 1120 WMIC.exe Token: SeRestorePrivilege 1120 WMIC.exe Token: SeShutdownPrivilege 1120 WMIC.exe Token: SeDebugPrivilege 1120 WMIC.exe Token: SeSystemEnvironmentPrivilege 1120 WMIC.exe Token: SeRemoteShutdownPrivilege 1120 WMIC.exe Token: SeUndockPrivilege 1120 WMIC.exe Token: SeManageVolumePrivilege 1120 WMIC.exe Token: 33 1120 WMIC.exe Token: 34 1120 WMIC.exe Token: 35 1120 WMIC.exe Token: 36 1120 WMIC.exe Token: SeBackupPrivilege 3592 vssvc.exe Token: SeRestorePrivilege 3592 vssvc.exe Token: SeAuditPrivilege 3592 vssvc.exe Token: SeDebugPrivilege 3628 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.execmd.execmd.exedescription pid process target process PID 3628 wrote to memory of 4576 3628 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe cmd.exe PID 3628 wrote to memory of 4576 3628 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe cmd.exe PID 3628 wrote to memory of 4576 3628 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe cmd.exe PID 4576 wrote to memory of 1120 4576 cmd.exe WMIC.exe PID 4576 wrote to memory of 1120 4576 cmd.exe WMIC.exe PID 4576 wrote to memory of 1120 4576 cmd.exe WMIC.exe PID 3628 wrote to memory of 4236 3628 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe cmd.exe PID 3628 wrote to memory of 4236 3628 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe cmd.exe PID 3628 wrote to memory of 4236 3628 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe cmd.exe PID 4236 wrote to memory of 1648 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 1648 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 1648 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 440 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 440 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 440 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 2944 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 2944 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 2944 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 1744 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 1744 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 1744 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 4948 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 4948 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 4948 4236 cmd.exe rundll32.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3628 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Temp\AESRT\refresh.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:1648
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:440
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:2944
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:1744
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True3⤵PID:4948
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
378B
MD50c7022bc17761ecace63d45343c9d2fd
SHA17fdf53bc92830e4e5935f61d745a055edd3fc9e3
SHA25698ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a
SHA512ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a