Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
07/06/2024, 18:35
General
-
Target
Compenso.Pdf______________________________________________________________.exe
-
Size
446KB
-
MD5
93cbe4ed3d46abe732a124a41e7147a2
-
SHA1
94a24be60d90479ce27f7787a86678472aabdc6e
-
SHA256
89e71eb0a6403725d2f95cb9e6506b8b139a6948a61dc1c5cfedf18648241ec4
-
SHA512
8f46af90d8a2d78da003a8a395fd7f74cc235595238ee3a3e4d87fee2aa4c8abf6ece403bb3726122d3825437f5d079ea1f8d6b275153bb76b3b0d75c243ef09
-
SSDEEP
6144:XOOxeLzWoeNqagVRUvOWcTwlOcTeP8uENXIEQSdO8c/AVxYflxiW:txeHWoA/Wr0lfQ8BfLkIVxYfrd
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Compenso.Pdf______________________________________________________________.exe"C:\Users\Admin\AppData\Local\Temp\Compenso.Pdf______________________________________________________________.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Compenso.Pdf______________________________________________________________.exe"C:\Users\Admin\AppData\Local\Temp\Compenso.Pdf______________________________________________________________.exe"2⤵
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\system32\explorer.exe"3⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- outlook_win_path
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
446KB
MD59db79db6cb4edab84bd158bf26e50e12
SHA16661cc46a228ef880446ce4e19c07cc465d8091c
SHA25630b806f6572a13fb68c4a6112b2f16f90931fabdb4d7441b091ea4867e410061
SHA5125dd5c3a35fd1a50fd308f8cea6dc8a5278000bdefe75b1fc1ae39af07d75a3abb61a816cfc640a40fb42b40993f2aa1b1286bdce8768152f4a68820a6b657457
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
244KB