Analysis
-
max time kernel
144s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-06-2024 11:22
General
-
Target
VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe
-
Size
368KB
-
MD5
501d52bcc05636268a66a6e9f1c5c4ad
-
SHA1
2199071c4190b6aae6ec7dc65ced83301883d714
-
SHA256
7659872c938b820b351446509964ed4fcbc405b58e43694722f00bb42b277dd6
-
SHA512
d72db00dad74a6d15d59cd7dbb401f5f86706242b95a6c57dc12c9b33590fefe951b56043eae3f0125bd5240baad46edd919872820e40a8dac5109a3a7e222b8
-
SSDEEP
6144:GQNUdPR6oncUtPLJoJi8ju8FQNXsyR36GeHba2grj9F4SENppTUHtnvR3aF3J9PQ:jNUdc6wA8P2cyF6T7a2gH9F4dzhUl6rP
Malware Config
Extracted
C:\Program Files\7-Zip\Lang\Recovery+kjkuq.txt
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/D361FA807B716C4
http://b4youfred5485jgsa3453f.italazudda.com/D361FA807B716C4
http://5rport45vcdef345adfkksawe.bematvocal.at/D361FA807B716C4
http://fwgrhsao3aoml7ej.onion/D361FA807B716C4
http://fwgrhsao3aoml7ej.ONION/D361FA807B716C4
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (865) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\cbfpxbsciafq.exeC:\Windows\cbfpxbsciafq.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\cbfpxbsciafq.exeC:\Windows\cbfpxbsciafq.exe4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff43946f8,0x7ffff4394708,0x7ffff43947186⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:26⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:36⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:86⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:16⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,10089110399314835581,3347980766259338946,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:16⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\CBFPXB~1.EXE5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5dff77ae8755b88fd37bcd6fd8a0f8a44
SHA151c5cf6639cccf1b66e70ff113763c90fe89a15d
SHA2563443bc2bdfcef484049dd980985b19bcb508df3d068a88be02e1f7f5f96dcab9
SHA512d18f98c849d0c56762a236ad8763073f8d7cb26553beb8d762dec7f5ec6886d4c374df66a88a1851405fedc1baad671198d9c57418cab20354ab37d469085a37
-
Filesize
69KB
MD596e233697b4ed2401b8f8b239d385562
SHA1148ee908e1654142e5d1908dd57ecd61aa68cf03
SHA256089392dd9d4f3a449d18a7eb5598adcfd8300b942e11b647dddb990378c4d935
SHA512dbb6df78e7161c1e98415bbfea3610c01af3a4903890b38526e1e1a6a859c10fb94f5fdab1470e26c391ed90f1c2405e96945afb6a3c92ab77dd548b5298b343
-
Filesize
2KB
MD55c10a9a60e96602fc82a45280230aadb
SHA166c51fb8334b57baf5a65e1711f1fe878a80dd5d
SHA256b55e6d5c65b1466180954379e63175421ac3317bfbc0324b3f7e347609ea4cc7
SHA512ca01ef0974b52166ccd3de14ae55bcb3a1dd0a6e1e7c94008c0a62d344ab1f8937d3fd956b0d0e713d3addbc08e6aa90a830f9108e90ba6cd10b74bd280c14da
-
Filesize
560B
MD51654fc767d3a4981dbd81d978822399a
SHA1441c304c1f91accc6a5e72656955d7c536fd2f1d
SHA2566d8365ef1ad1ee6fc15271166d2df7a23e9f90eadeb3d597a9dcc099d69b73ab
SHA5121829ccd8005a0fb7901baf17ea2d5d89fde276c202817e45a9af6f0cfddb3393b6214941fde65e4a49b623aa7c992bb52d44751149758b0c7284a3970d2c376f
-
Filesize
560B
MD504094faae9d7e438cf73018bcfe4cfba
SHA120450426bdcd02a0763b30d684cd1084b4ea35ff
SHA256504a9915f4ef7d942d3b4bc5dcd653b028600de6d33ab85431c9126480fc9181
SHA5125a9cbb8eedf39ba9acb0a812b9f61479404b0e0bdec063a951713325df33595e6ba6a81d98244f83db7d3d7b7ea8be61bcda98852ef2d13e69d64085cf6f81c5
-
Filesize
416B
MD5b0f77e9971e29521b2baff96f806a533
SHA1a564ddbe108969132fdc429cc5b78bf1f4f15a1f
SHA256af760e27f4d431b4cbe38a806c83209400948a80c8a4a868de17e1a22aa8d5ab
SHA51229794676ba548ce7323fc1e1bd5c758be9484b984b61bcc9d696950cca028e76aa9eb4459607e310f4efe9907ecd709e7e65deab2d258bac8667b7beb08fb013
-
Filesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
Filesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
Filesize
5KB
MD5c4d2156fb99fd0df87044db16095226e
SHA1c08fe11f38bc16d0296e4fbe36176ba9d40e2f36
SHA25619a670a8c632e3de38b1e87151a4d091fd85a3293a35ee708ef45f28cb4cda0b
SHA512327aaedfa98a38b60555a01694c404e70af2fe4c93c4dc25ad94af68abe33ea381a3d6f01a39f3566f33ffedfa6389b59297f343322676c22d1f332addc2b241
-
Filesize
6KB
MD592229458f793a4e709a6d6f156a9083c
SHA159b2d799a3cb1af77ff9cdf9ad9f3ed0e24c84d7
SHA2565d5351acae81a098f608b87ac74794e88fd31c3972531fc76d40ef4f0afa5188
SHA5127d9612cff4709cfc3a9eecd1ad304d00aed79413b60bab505a225a5e2c058c6bbb1d85a2b433e3a3cfddaa13f7786f4e964ea4f406c84ff031c5a2590d124a42
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5dc9bdb57e9c04f0e4d6d0bb9d9b9ae84
SHA1be279dfc45a190d3758be34585217097aaec24e6
SHA2569816d72e9e780eb2b5cfed0abd46476c2208705d96567c4a92ee97f58f06b8da
SHA5125f9e80ee1024bf1aee906118249a67b012c7c254680a7e0b3f01b6c8fbeebfba6eb64a446060cd685ad1ff0e49e3391a3393feff770bf682aae87d3a6b7e31b0
-
Filesize
75KB
MD5d9420975efb02eb52abd9f55088244c2
SHA1e65ada2fbee328259da3e25789a2c00a19453598
SHA2569358a1773e3157fee8a1eb20fcee03e264174d8fda43658b3fca76365239009d
SHA5123491f492f843497a760306e5a9dbb5981177f2e74131854bf5b093b012381e49ef3b1a9dd0ccfcaf442b098a280693817affe6f3e6a44dbb1cf270788181be02
-
Filesize
368KB
MD5501d52bcc05636268a66a6e9f1c5c4ad
SHA12199071c4190b6aae6ec7dc65ced83301883d714
SHA2567659872c938b820b351446509964ed4fcbc405b58e43694722f00bb42b277dd6
SHA512d72db00dad74a6d15d59cd7dbb401f5f86706242b95a6c57dc12c9b33590fefe951b56043eae3f0125bd5240baad46edd919872820e40a8dac5109a3a7e222b8
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
