db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_270b70bad151a515136f553e5bc880ac.exe
Size

344KB
MD5

270b70bad151a515136f553e5bc880ac
SHA1

77b7def336c7647c6faadaf7136d70ff1e9ba7fc
SHA256

db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa
SHA512

c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f
SSDEEP

3072:v5sAzvcjE+lcO3zXgKRcP66BpwwB9RStc3Yfqr:v5jvc4+lcO3zQKSPfBJXv3YM

Score

9^/10

defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Contacts a large (16399) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\at.exe\""	at.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\at.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	at.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\at.lnk	VirusShare_270b70bad151a515136f553e5bc880ac.exe

Executes dropped EXE 1 IoCs

pid	Process
1268	at.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\at = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\at.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\at = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\at.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\at = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\at.exe\""	at.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\at = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\at.exe\""	at.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2188	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2620	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\at.exe\""	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	at.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\\at.exe\""	at.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3192	PING.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	VirusShare_270b70bad151a515136f553e5bc880ac.exe
Token: SeDebugPrivilege	1268	at.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeBackupPrivilege	2204	vssvc.exe
Token: SeRestorePrivilege	2204	vssvc.exe
Token: SeAuditPrivilege	2204	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1388	wmic.exe
Token: SeSecurityPrivilege	1388	wmic.exe
Token: SeTakeOwnershipPrivilege	1388	wmic.exe
Token: SeLoadDriverPrivilege	1388	wmic.exe
Token: SeSystemProfilePrivilege	1388	wmic.exe
Token: SeSystemtimePrivilege	1388	wmic.exe
Token: SeProfSingleProcessPrivilege	1388	wmic.exe
Token: SeIncBasePriorityPrivilege	1388	wmic.exe
Token: SeCreatePagefilePrivilege	1388	wmic.exe
Token: SeBackupPrivilege	1388	wmic.exe
Token: SeRestorePrivilege	1388	wmic.exe
Token: SeShutdownPrivilege	1388	wmic.exe
Token: SeDebugPrivilege	1388	wmic.exe
Token: SeSystemEnvironmentPrivilege	1388	wmic.exe
Token: SeRemoteShutdownPrivilege	1388	wmic.exe
Token: SeUndockPrivilege	1388	wmic.exe
Token: SeManageVolumePrivilege	1388	wmic.exe
Token: 33	1388	wmic.exe
Token: 34	1388	wmic.exe
Token: 35	1388	wmic.exe
Token: 36	1388	wmic.exe
Token: SeIncreaseQuotaPrivilege	1388	wmic.exe
Token: SeSecurityPrivilege	1388	wmic.exe
Token: SeTakeOwnershipPrivilege	1388	wmic.exe
Token: SeLoadDriverPrivilege	1388	wmic.exe
Token: SeSystemProfilePrivilege	1388	wmic.exe
Token: SeSystemtimePrivilege	1388	wmic.exe
Token: SeProfSingleProcessPrivilege	1388	wmic.exe
Token: SeIncBasePriorityPrivilege	1388	wmic.exe
Token: SeCreatePagefilePrivilege	1388	wmic.exe
Token: SeBackupPrivilege	1388	wmic.exe
Token: SeRestorePrivilege	1388	wmic.exe
Token: SeShutdownPrivilege	1388	wmic.exe
Token: SeDebugPrivilege	1388	wmic.exe
Token: SeSystemEnvironmentPrivilege	1388	wmic.exe
Token: SeRemoteShutdownPrivilege	1388	wmic.exe
Token: SeUndockPrivilege	1388	wmic.exe
Token: SeManageVolumePrivilege	1388	wmic.exe
Token: 33	1388	wmic.exe
Token: 34	1388	wmic.exe
Token: 35	1388	wmic.exe
Token: 36	1388	wmic.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 1268	4268	VirusShare_270b70bad151a515136f553e5bc880ac.exe	91
PID 4268 wrote to memory of 1268	4268	VirusShare_270b70bad151a515136f553e5bc880ac.exe	91
PID 4268 wrote to memory of 1268	4268	VirusShare_270b70bad151a515136f553e5bc880ac.exe	91
PID 4268 wrote to memory of 1444	4268	VirusShare_270b70bad151a515136f553e5bc880ac.exe	92
PID 4268 wrote to memory of 1444	4268	VirusShare_270b70bad151a515136f553e5bc880ac.exe	92
PID 4268 wrote to memory of 1444	4268	VirusShare_270b70bad151a515136f553e5bc880ac.exe	92
PID 1444 wrote to memory of 2620	1444	cmd.exe	94
PID 1444 wrote to memory of 2620	1444	cmd.exe	94
PID 1444 wrote to memory of 2620	1444	cmd.exe	94
PID 1444 wrote to memory of 3192	1444	cmd.exe	96
PID 1444 wrote to memory of 3192	1444	cmd.exe	96
PID 1444 wrote to memory of 3192	1444	cmd.exe	96
PID 1268 wrote to memory of 2188	1268	at.exe	97
PID 1268 wrote to memory of 2188	1268	at.exe	97
PID 1268 wrote to memory of 1388	1268	at.exe	101
PID 1268 wrote to memory of 1388	1268	at.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe"
1⤵
- Adds policy Run key to start application
- Drops startup file
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\at.exe
  "C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\at.exe"
  2⤵
  - Adds policy Run key to start application
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\vssadmin.exe
    "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2188
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  /d /c taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_270b70bad151a515136f553e5bc880ac.exe" > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /t /f /im "VirusShare_270b70bad151a515136f553e5bc880ac.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3636 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\at.lnk

Filesize
1KB

MD5
a3df7db05835f1243e29ff52920a9741

SHA1
7bb840e6a54e55284e7f403183f834f5d55c500d

SHA256
e40ede7ead3d940ff97ce3960606e50a9bd572a1f9eb3e74d3e057cfbc787665

SHA512
87547560295ae7f9b2c136ce279f35a4e997f5410d726abba2fa7651ac8517cc8e3703d73708d979f06ec480bac6b643276c5b43232c76bd3df99d5a8cd726a7

Download Submit
C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\at.exe

Filesize
344KB

MD5
270b70bad151a515136f553e5bc880ac

SHA1
77b7def336c7647c6faadaf7136d70ff1e9ba7fc

SHA256
db2f389b5566822f8cecb27b989920f16137e82b54b446868d01f73af23f5bfa

SHA512
c198f9498d634ec4d05cf29a1bb6ade8c59a2904510464e3b292b11bcf5382d7fe603e46b6a72b14f3f996811f68101e46c467914b21ea6eccaf423df2d1a43f

Download Submit
memory/1268-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1268-12-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1268-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1268-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1268-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4268-0-0x0000000000D30000-0x0000000000D4E000-memory.dmp

Filesize
120KB

Download
memory/4268-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4268-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4268-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads