Overview
overview
10Static
static
10084c57449c...0e.exe
windows7-x64
1014b94844b9...c3.exe
windows7-x64
102daa514408...2e.exe
windows7-x64
102e6f094748...ec.exe
windows7-x64
2e96b55980...ea.exe
windows7-x64
134c392448f...ea.exe
windows7-x64
1037d8add251...4c.exe
windows7-x64
103a72653053...59.exe
windows7-x64
1049aca08f5b...24.exe
windows7-x64
104a2ad49c93...9f.exe
windows7-x64
35199b64b50...3c.exe
windows7-x64
55c30024ae...15.exe
windows7-x64
1056f7b48f38...59.exe
windows7-x64
105a96b92938...a4.exe
windows7-x64
10606b88fce1...c4.exe
windows7-x64
16bda9faf71...4b.exe
windows7-x64
1071b46e95fb...a8.exe
windows7-x64
107d98972d5c...9c.exe
windows7-x64
987b9b910d5...cb.exe
windows7-x64
108958d7b8c5...e2.exe
windows7-x64
10ab5be9e691...09.exe
windows7-x64
10b228a698ee...c0.exe
windows7-x64
c864a70f78...1d.exe
windows7-x64
cfd5d9a4e6...f0.exe
windows7-x64
da6f543313...2e.exe
windows7-x64
6e05323d9ca...62.exe
windows7-x64
1e48bd2f16b...14.exe
windows7-x64
10ecfb5c95d0...9d.exe
windows7-x64
10f08c1c26d3...3f.exe
windows7-x64
6f354148b5f...0f.exe
windows7-x64
6f7caf7d69c...6a.exe
windows7-x64
10fcb6844506...93.exe
windows7-x64
1Analysis
-
max time kernel
1561s -
max time network
1563s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
16-07-2024 08:54
Static task
static1
Behavioral task
behavioral1
Sample
084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
14b94844b99ac43c014ea73c3400097e3239a7307d1618e84159a741ab0e8ac3.exe
Resource
win7-20240704-en
Behavioral task
behavioral3
Sample
2daa5144081dd288c1dc936ec27b1c8bd709633450ceb73f235fccd1c3d3c62e.exe
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
2e6f094748124800d8cf6bdb28bb8aa4caa066923cf3e9778dae8bcb2b6e85ec.exe
Resource
win7-20240705-en
Behavioral task
behavioral5
Sample
2e96b55980a827011a7e0784ab95dcee53958a1bb19f5397080a434041bbeeea.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
34c392448fc0818278cd19bb0841adf573e967be8a0f73bb42bb367a5835b6ea.exe
Resource
win7-20240704-en
Behavioral task
behavioral7
Sample
37d8add251cb4179224ebbc0e28f8d9e26b5e64bbaec37f26a996bf51556f04c.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
3a7265305386f955adbeb6bd7c711f03395963ac36be82e5bb6b1d7b2034c859.exe
Resource
win7-20240704-en
Behavioral task
behavioral9
Sample
49aca08f5b259860364fc224601a944aa17161bb1da688e24621038457472d24.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
4a2ad49c934f9ae6ca6b5d0c7cc34f5e12d349640012fa8cf8eb7e2d3acd6c9f.exe
Resource
win7-20240705-en
Behavioral task
behavioral11
Sample
5199b64b50f678d75f85cb0c3ac97d7df67f23471815e21236b1a790d008fe3c.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
55c30024aed833336eb4720a1a4a40c78496efb27b3c4d5c3f1d1b5935c12715.exe
Resource
win7-20240705-en
Behavioral task
behavioral13
Sample
56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4.exe
Resource
win7-20240708-en
Behavioral task
behavioral15
Sample
606b88fce1441e6d83e1fb2ba1b511e4a9e68f7fc01c55b7c53e08fd28f9a0c4.exe
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
Resource
win7-20240705-en
Behavioral task
behavioral17
Sample
71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe
Resource
win7-20240705-en
Behavioral task
behavioral19
Sample
87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
8958d7b8c51215d6a27444b2760f1ce843a414d380052e6e71c2af6e9ab69ce2.exe
Resource
win7-20240704-en
Behavioral task
behavioral21
Sample
ab5be9e6911b43f0974e01dabec772b968274d9b5ea39ba2ad7cd294056e5d09.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
b228a698ee826b42e19307f2d34c2620819a67a0e98fd2af08aae570b8178cc0.exe
Resource
win7-20240704-en
Behavioral task
behavioral23
Sample
c864a70f78fb972f505ae5b13c0ad984e64c547194beb258926bb4c323fac31d.exe
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
cfd5d9a4e67799f2428c6071dcc13fcf726f49ec3e706f0302b4592a3a0a08f0.exe
Resource
win7-20240705-en
Behavioral task
behavioral25
Sample
da6f543313480695aab95a5e685741a8d185fba0600363f74063eb1cda0f672e.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
e05323d9ca6df47d9add5b2f757ea2490ebd11dfe1b56b82a9e93ba9d814e162.exe
Resource
win7-20240705-en
Behavioral task
behavioral27
Sample
e48bd2f16b53a3630f3fca69d0d236d15bc23b08754d980bd29b15841b0fdf14.exe
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Resource
win7-20240705-en
Behavioral task
behavioral29
Sample
f08c1c26d375f6881990756e39208017b02af75fca0ebddb72f5e5c14e20363f.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe
Resource
win7-20240705-en
Behavioral task
behavioral31
Sample
f7caf7d69cef15d5c3b9983513e4e40edc3a31c5ead4139bc41d1500442a966a.exe
Resource
win7-20240705-en
Behavioral task
behavioral32
Sample
fcb68445068ebf4cd526d316622f9aa3e8065f9a9f42e5330f66f5cb160be393.exe
Resource
win7-20240705-en
General
-
Target
87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
-
Size
79KB
-
MD5
c8579ccb6690e1f2102f9ba887c12f9e
-
SHA1
e8e46e3f88011aa43c90cde3c9945e3508986a25
-
SHA256
87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb
-
SHA512
f579e9b39400a0b3879dc8a1c41bd829d8f6b399d9d0a97302f7157a76f036ede5e4391eeb12bd2285a7f523969d572a92f482cf415ed2fb023d96d745f82244
-
SSDEEP
1536:hxpkWBeG/vEbKsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Xsf8:/BeQsKsrQLOJgY8Zp8LHD4XWaNH71dLH
Malware Config
Extracted
C:\Users\Admin\Contacts\How To Restore Your Files.txt
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (219) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exedescription ioc process File opened (read-only) \??\B: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\E: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\U: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\I: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\A: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\Z: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\X: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\R: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\P: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\S: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\V: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\T: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\O: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\H: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\L: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\K: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\N: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\F: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\Q: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\W: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\Y: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\G: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\J: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe File opened (read-only) \??\M: 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 2616 vssadmin.exe 2860 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exepid process 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1432 vssvc.exe Token: SeRestorePrivilege 1432 vssvc.exe Token: SeAuditPrivilege 1432 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.execmd.execmd.exedescription pid process target process PID 2076 wrote to memory of 924 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe cmd.exe PID 2076 wrote to memory of 924 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe cmd.exe PID 2076 wrote to memory of 924 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe cmd.exe PID 2076 wrote to memory of 924 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe cmd.exe PID 924 wrote to memory of 2616 924 cmd.exe vssadmin.exe PID 924 wrote to memory of 2616 924 cmd.exe vssadmin.exe PID 924 wrote to memory of 2616 924 cmd.exe vssadmin.exe PID 2076 wrote to memory of 2872 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe cmd.exe PID 2076 wrote to memory of 2872 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe cmd.exe PID 2076 wrote to memory of 2872 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe cmd.exe PID 2076 wrote to memory of 2872 2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe cmd.exe PID 2872 wrote to memory of 2860 2872 cmd.exe vssadmin.exe PID 2872 wrote to memory of 2860 2872 cmd.exe vssadmin.exe PID 2872 wrote to memory of 2860 2872 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe"C:\Users\Admin\AppData\Local\Temp\87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2616 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2860
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ebfe047c67a2417117d61c8842520c31
SHA1f58cf8c05f16d62e93b9907ff7d50a7a3d607224
SHA25666d838f930938b43b51e90e4066ec28b3099337b4504b6884696d3029a1cbc3b
SHA512e35b5f7e5cf3a64150826c3addee3435120942419ed0aa2cf95ef41850f1238bb300f58a67668102cfc211e116fafec871bbc02364189e25c658384cf3c49565