Analysis

  • max time kernel
    1487s
  • max time network
    1499s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-05-2024 15:47

General

  • Target

    05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

  • Size

    1.4MB

  • MD5

    0ada88218b67a313a4f5ab0062fbc4e6

  • SHA1

    15dfcef932d666fdc7501bcee357ec2aabfcfdee

  • SHA256

    05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f

  • SHA512

    0b217e5aa8b17d347dbb05507cb5cf179328aad593fb65a8083ca8c300de4901eb55e6c8e971ce3280f50ceefd327332cfafde0280e09044d8da1dc8e20a49ed

  • SSDEEP

    24576:J6w15zVAFj5WEx9+22sHFXVYmLmYy+vz236ZSV8BGxon3sgGhzl1KsIVy:QsV85WU9+ElYmyZMz23sSyBGdgelIsj

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (96) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables Task Manager via registry modification
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 7 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
    "C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3628
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Temp\AESRT\refresh.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
        3⤵
          PID:1648
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
          3⤵
            PID:440
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
            3⤵
              PID:2944
            • C:\Windows\SysWOW64\rundll32.exe
              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
              3⤵
                PID:1744
              • C:\Windows\SysWOW64\rundll32.exe
                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
                3⤵
                  PID:4948
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3592

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Temp\AESRT\refresh.bat

              Filesize

              378B

              MD5

              0c7022bc17761ecace63d45343c9d2fd

              SHA1

              7fdf53bc92830e4e5935f61d745a055edd3fc9e3

              SHA256

              98ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a

              SHA512

              ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a

            • memory/3628-0-0x000000007450E000-0x000000007450F000-memory.dmp

              Filesize

              4KB

            • memory/3628-1-0x00000000007F0000-0x0000000000958000-memory.dmp

              Filesize

              1.4MB

            • memory/3628-4-0x00000000059B0000-0x0000000005F56000-memory.dmp

              Filesize

              5.6MB

            • memory/3628-5-0x00000000054A0000-0x0000000005532000-memory.dmp

              Filesize

              584KB

            • memory/3628-10-0x0000000074500000-0x0000000074CB1000-memory.dmp

              Filesize

              7.7MB

            • memory/3628-199-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

              Filesize

              40KB

            • memory/3628-200-0x0000000074500000-0x0000000074CB1000-memory.dmp

              Filesize

              7.7MB

            • memory/3628-204-0x000000007450E000-0x000000007450F000-memory.dmp

              Filesize

              4KB

            • memory/3628-205-0x0000000074500000-0x0000000074CB1000-memory.dmp

              Filesize

              7.7MB

            • memory/3628-206-0x0000000074500000-0x0000000074CB1000-memory.dmp

              Filesize

              7.7MB