Overview
overview
10Static
static
10084c57449c...0e.exe
windows7-x64
1014b94844b9...c3.exe
windows7-x64
102daa514408...2e.exe
windows7-x64
102e6f094748...ec.exe
windows7-x64
2e96b55980...ea.exe
windows7-x64
134c392448f...ea.exe
windows7-x64
1037d8add251...4c.exe
windows7-x64
103a72653053...59.exe
windows7-x64
1049aca08f5b...24.exe
windows7-x64
104a2ad49c93...9f.exe
windows7-x64
35199b64b50...3c.exe
windows7-x64
55c30024ae...15.exe
windows7-x64
1056f7b48f38...59.exe
windows7-x64
105a96b92938...a4.exe
windows7-x64
10606b88fce1...c4.exe
windows7-x64
16bda9faf71...4b.exe
windows7-x64
1071b46e95fb...a8.exe
windows7-x64
107d98972d5c...9c.exe
windows7-x64
987b9b910d5...cb.exe
windows7-x64
108958d7b8c5...e2.exe
windows7-x64
10ab5be9e691...09.exe
windows7-x64
10b228a698ee...c0.exe
windows7-x64
c864a70f78...1d.exe
windows7-x64
cfd5d9a4e6...f0.exe
windows7-x64
da6f543313...2e.exe
windows7-x64
6e05323d9ca...62.exe
windows7-x64
1e48bd2f16b...14.exe
windows7-x64
10ecfb5c95d0...9d.exe
windows7-x64
10f08c1c26d3...3f.exe
windows7-x64
6f354148b5f...0f.exe
windows7-x64
6f7caf7d69c...6a.exe
windows7-x64
10fcb6844506...93.exe
windows7-x64
1Analysis
-
max time kernel
1565s -
max time network
1566s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
16-07-2024 08:54
Static task
static1
Behavioral task
behavioral1
Sample
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3.exe
Resource
win7-20240704-en
Behavioral task
behavioral3
Sample
2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec.exe
Resource
win7-20240705-en
Behavioral task
behavioral5
Sample
2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea.exe
Resource
win7-20240704-en
Behavioral task
behavioral7
Sample
37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Resource
win7-20240704-en
Behavioral task
behavioral9
Sample
49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f.exe
Resource
win7-20240705-en
Behavioral task
behavioral11
Sample
5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe
Resource
win7-20240705-en
Behavioral task
behavioral13
Sample
56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe
Resource
win7-20240708-en
Behavioral task
behavioral15
Sample
606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
Resource
win7-20240705-en
Behavioral task
behavioral17
Sample
71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe
Resource
win7-20240705-en
Behavioral task
behavioral19
Sample
87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
8958d7b8c51215d6a27444b2760f1ce843a414d380052e6e71c2af6e9ab69ce2.exe
Resource
win7-20240704-en
Behavioral task
behavioral21
Sample
ab5be9e6911b43f0974e01dabec772b968274d9b5ea39ba2ad7cd294056e5d09.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
b228a698ee826b42e19307f2d34c2620819a67a0e98fd2af08aae570b8178cc0.exe
Resource
win7-20240704-en
Behavioral task
behavioral23
Sample
c864a70f78fb972f505ae5b13c0ad984e64c547194beb258926bb4c323fac31d.exe
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
cfd5d9a4e67799f2428c6071dcc13fcf726f49ec3e706f0302b4592a3a0a08f0.exe
Resource
win7-20240705-en
Behavioral task
behavioral25
Sample
da6f543313480695aab95a5e685741a8d185fba0600363f74063eb1cda0f672e.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
e05323d9ca6df47d9add5b2f757ea2490ebd11dfe1b56b82a9e93ba9d814e162.exe
Resource
win7-20240705-en
Behavioral task
behavioral27
Sample
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Resource
win7-20240705-en
Behavioral task
behavioral29
Sample
f08c1c26d375f6881990756e39208017b02af75fca0ebddb72f5e5c14e20363f.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe
Resource
win7-20240705-en
Behavioral task
behavioral31
Sample
f7caf7d69cef15d5c3b9983513e4e40edc3a31c5ead4139bc41d1500442a966a.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
fcb68445068ebf4cd526d316622f9aa3e8065f9a9f42e5330f66f5cb160be393.exe
Resource
win7-20240705-en
General
-
Target
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe
-
Size
49KB
-
MD5
50248697e19117027d4823c6a3be6db5
-
SHA1
fb81c35ffe11180c1d6269006db2fc775eec4741
-
SHA256
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e
-
SHA512
abc04de0ee5dfc9ca1afccc6b46f9bb4b56d3d9e9ec11165dfc9d3630a597e865941c2c33f4284807f155f69d8255ac3279c418f3bdb2a7f6b4e8678ba7fd6ed
-
SSDEEP
768:acaQRffDB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YAD8hMWsddOC86t:acai318HxZATvnsblYO8hMWsdoC86+r
Malware Config
Extracted
C:\Users\Admin\Desktop\+README-WARNING+.txt
https://tox.chat/download.html
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
wbadmin.exepid process 2772 wbadmin.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E1E8.tmp.bmp" 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2920 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exepid process 1652 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
vssvc.exewbengine.exeWMIC.exedescription pid process Token: SeBackupPrivilege 2700 vssvc.exe Token: SeRestorePrivilege 2700 vssvc.exe Token: SeAuditPrivilege 2700 vssvc.exe Token: SeBackupPrivilege 2640 wbengine.exe Token: SeRestorePrivilege 2640 wbengine.exe Token: SeSecurityPrivilege 2640 wbengine.exe Token: SeIncreaseQuotaPrivilege 3000 WMIC.exe Token: SeSecurityPrivilege 3000 WMIC.exe Token: SeTakeOwnershipPrivilege 3000 WMIC.exe Token: SeLoadDriverPrivilege 3000 WMIC.exe Token: SeSystemProfilePrivilege 3000 WMIC.exe Token: SeSystemtimePrivilege 3000 WMIC.exe Token: SeProfSingleProcessPrivilege 3000 WMIC.exe Token: SeIncBasePriorityPrivilege 3000 WMIC.exe Token: SeCreatePagefilePrivilege 3000 WMIC.exe Token: SeBackupPrivilege 3000 WMIC.exe Token: SeRestorePrivilege 3000 WMIC.exe Token: SeShutdownPrivilege 3000 WMIC.exe Token: SeDebugPrivilege 3000 WMIC.exe Token: SeSystemEnvironmentPrivilege 3000 WMIC.exe Token: SeRemoteShutdownPrivilege 3000 WMIC.exe Token: SeUndockPrivilege 3000 WMIC.exe Token: SeManageVolumePrivilege 3000 WMIC.exe Token: 33 3000 WMIC.exe Token: 34 3000 WMIC.exe Token: 35 3000 WMIC.exe Token: SeIncreaseQuotaPrivilege 3000 WMIC.exe Token: SeSecurityPrivilege 3000 WMIC.exe Token: SeTakeOwnershipPrivilege 3000 WMIC.exe Token: SeLoadDriverPrivilege 3000 WMIC.exe Token: SeSystemProfilePrivilege 3000 WMIC.exe Token: SeSystemtimePrivilege 3000 WMIC.exe Token: SeProfSingleProcessPrivilege 3000 WMIC.exe Token: SeIncBasePriorityPrivilege 3000 WMIC.exe Token: SeCreatePagefilePrivilege 3000 WMIC.exe Token: SeBackupPrivilege 3000 WMIC.exe Token: SeRestorePrivilege 3000 WMIC.exe Token: SeShutdownPrivilege 3000 WMIC.exe Token: SeDebugPrivilege 3000 WMIC.exe Token: SeSystemEnvironmentPrivilege 3000 WMIC.exe Token: SeRemoteShutdownPrivilege 3000 WMIC.exe Token: SeUndockPrivilege 3000 WMIC.exe Token: SeManageVolumePrivilege 3000 WMIC.exe Token: 33 3000 WMIC.exe Token: 34 3000 WMIC.exe Token: 35 3000 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exeNOTEPAD.EXEpid process 1652 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe 1536 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.execmd.exedescription pid process target process PID 1652 wrote to memory of 2372 1652 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe cmd.exe PID 1652 wrote to memory of 2372 1652 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe cmd.exe PID 1652 wrote to memory of 2372 1652 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe cmd.exe PID 1652 wrote to memory of 2372 1652 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe cmd.exe PID 2372 wrote to memory of 2920 2372 cmd.exe vssadmin.exe PID 2372 wrote to memory of 2920 2372 cmd.exe vssadmin.exe PID 2372 wrote to memory of 2920 2372 cmd.exe vssadmin.exe PID 2372 wrote to memory of 2772 2372 cmd.exe wbadmin.exe PID 2372 wrote to memory of 2772 2372 cmd.exe wbadmin.exe PID 2372 wrote to memory of 2772 2372 cmd.exe wbadmin.exe PID 2372 wrote to memory of 3000 2372 cmd.exe WMIC.exe PID 2372 wrote to memory of 3000 2372 cmd.exe WMIC.exe PID 2372 wrote to memory of 3000 2372 cmd.exe WMIC.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe"C:\Users\Admin\AppData\Local\Temp\084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2920 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2772 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1740
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:1016
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:2976
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt1⤵
- Suspicious use of FindShellTrayWindow
PID:1536
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55d230c41f5f5f64ec6858756404c7a7e
SHA16e6ccd293641504eee97cb55d48566976f1bcf92
SHA2562225eb49c5a55704c141e965cee16592f303ab5112a5df49b6a102a8bd34bb02
SHA5121a058e1c77214546b5c978d77671f44a3d636c9ec69818da17064746a983aeeddd3068e2eef63bd54c2ad0a014ca943f50df588510107e8a02ef25f7d309c883