99cb0f92c60d88aadbb3e821f277ab51f6d8861c202cc1e16bb9ff0da10348a9

Analysis

max time kernel
1487s
max time network
1499s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
18-05-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Size

1.4MB
MD5

0ada88218b67a313a4f5ab0062fbc4e6
SHA1

15dfcef932d666fdc7501bcee357ec2aabfcfdee
SHA256

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f
SHA512

0b217e5aa8b17d347dbb05507cb5cf179328aad593fb65a8083ca8c300de4901eb55e6c8e971ce3280f50ceefd327332cfafde0280e09044d8da1dc8e20a49ed
SSDEEP

24576:J6w15zVAFj5WEx9+22sHFXVYmLmYy+vz236ZSV8BGxon3sgGhzl1KsIVy:QsV85WU9+ElYmyZMz23sSyBGdgelIsj

Score

10^/10

defense_evasion evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe,"	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (96) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	ioc	process
File created	C:\Users\Admin\Music\desktop.ini	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
File created	C:\Users\Admin\Pictures\desktop.ini	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
File created	C:\Users\Admin\Desktop\desktop.ini	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
File created	C:\Users\Admin\Downloads\desktop.ini	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
File created	C:\Users\Admin\Videos\desktop.ini	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExperience = "\"ShellExperience.exe\""	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Control Panel\Desktop\Wallpaper = "C:\\Program Files\\Temp\\AESRT\\AESRTback.png"	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

Drops file in Program Files directory 2 IoCs

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	ioc	process
File opened for modification	C:\Program Files\Temp\AESRT\refresh.bat	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
File opened for modification	C:\Program Files\Temp\AESRT\AESRTback.png	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

WMIC.exevssvc.exe05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1120	WMIC.exe
Token: SeSecurityPrivilege	1120	WMIC.exe
Token: SeTakeOwnershipPrivilege	1120	WMIC.exe
Token: SeLoadDriverPrivilege	1120	WMIC.exe
Token: SeSystemProfilePrivilege	1120	WMIC.exe
Token: SeSystemtimePrivilege	1120	WMIC.exe
Token: SeProfSingleProcessPrivilege	1120	WMIC.exe
Token: SeIncBasePriorityPrivilege	1120	WMIC.exe
Token: SeCreatePagefilePrivilege	1120	WMIC.exe
Token: SeBackupPrivilege	1120	WMIC.exe
Token: SeRestorePrivilege	1120	WMIC.exe
Token: SeShutdownPrivilege	1120	WMIC.exe
Token: SeDebugPrivilege	1120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1120	WMIC.exe
Token: SeRemoteShutdownPrivilege	1120	WMIC.exe
Token: SeUndockPrivilege	1120	WMIC.exe
Token: SeManageVolumePrivilege	1120	WMIC.exe
Token: 33	1120	WMIC.exe
Token: 34	1120	WMIC.exe
Token: 35	1120	WMIC.exe
Token: 36	1120	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1120	WMIC.exe
Token: SeSecurityPrivilege	1120	WMIC.exe
Token: SeTakeOwnershipPrivilege	1120	WMIC.exe
Token: SeLoadDriverPrivilege	1120	WMIC.exe
Token: SeSystemProfilePrivilege	1120	WMIC.exe
Token: SeSystemtimePrivilege	1120	WMIC.exe
Token: SeProfSingleProcessPrivilege	1120	WMIC.exe
Token: SeIncBasePriorityPrivilege	1120	WMIC.exe
Token: SeCreatePagefilePrivilege	1120	WMIC.exe
Token: SeBackupPrivilege	1120	WMIC.exe
Token: SeRestorePrivilege	1120	WMIC.exe
Token: SeShutdownPrivilege	1120	WMIC.exe
Token: SeDebugPrivilege	1120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1120	WMIC.exe
Token: SeRemoteShutdownPrivilege	1120	WMIC.exe
Token: SeUndockPrivilege	1120	WMIC.exe
Token: SeManageVolumePrivilege	1120	WMIC.exe
Token: 33	1120	WMIC.exe
Token: 34	1120	WMIC.exe
Token: 35	1120	WMIC.exe
Token: 36	1120	WMIC.exe
Token: SeBackupPrivilege	3592	vssvc.exe
Token: SeRestorePrivilege	3592	vssvc.exe
Token: SeAuditPrivilege	3592	vssvc.exe
Token: SeDebugPrivilege	3628	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.execmd.execmd.exe

description	pid	process	target process
PID 3628 wrote to memory of 4576	3628	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe	cmd.exe
PID 3628 wrote to memory of 4576	3628	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe	cmd.exe
PID 3628 wrote to memory of 4576	3628	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe	cmd.exe
PID 4576 wrote to memory of 1120	4576	cmd.exe	WMIC.exe
PID 4576 wrote to memory of 1120	4576	cmd.exe	WMIC.exe
PID 4576 wrote to memory of 1120	4576	cmd.exe	WMIC.exe
PID 3628 wrote to memory of 4236	3628	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe	cmd.exe
PID 3628 wrote to memory of 4236	3628	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe	cmd.exe
PID 3628 wrote to memory of 4236	3628	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe	cmd.exe
PID 4236 wrote to memory of 1648	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 1648	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 1648	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 440	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 440	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 440	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 2944	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 2944	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 2944	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 1744	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 1744	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 1744	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 4948	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 4948	4236	cmd.exe	rundll32.exe
PID 4236 wrote to memory of 4948	4236	cmd.exe	rundll32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
"C:\Users\Admin\AppData\Local\Temp\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Temp\AESRT\refresh.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
3⤵
PID:1648

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
3⤵
PID:440

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
3⤵
PID:2944

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
3⤵
PID:1744

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters ,1 ,True
3⤵
PID:4948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Temp\AESRT\refresh.bat
Filesize
378B

MD5
0c7022bc17761ecace63d45343c9d2fd

SHA1
7fdf53bc92830e4e5935f61d745a055edd3fc9e3

SHA256
98ba9ab619027be3265fd7827270e1ec59fbe39b79f98c65c17712f667c7fe8a

SHA512
ea434972b6fbffdf6c59e083cc1ed55557b4aa9113413f387b20c5eaf212a86ce995d4c8a93251cc22b9fd8b7ae4fc4125bbc85f5caca2dad8d81f4bb05dba5a

Download Submit
memory/3628-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/3628-1-0x00000000007F0000-0x0000000000958000-memory.dmp

Filesize
1.4MB

Download
memory/3628-4-0x00000000059B0000-0x0000000005F56000-memory.dmp

Filesize
5.6MB

Download
memory/3628-5-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/3628-10-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/3628-199-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/3628-200-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/3628-204-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/3628-205-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/3628-206-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download