Overview

overview

10

Static

static

3

2272954a2c...5a.exe

windows7-x64

10

2272954a2c...5a.exe

windows10-2004-x64

10

72716d15ea...21.exe

windows7-x64

7

72716d15ea...21.exe

windows10-2004-x64

7

Bit Paymer.exe

windows7-x64

10

Bit Paymer.exe

windows10-2004-x64

10

KeepCalm.exe

windows7-x64

1

KeepCalm.exe

windows10-2004-x64

1

LockedIn.exe

windows7-x64

9

LockedIn.exe

windows10-2004-x64

9

NotPetya.dll

windows7-x64

10

NotPetya.dll

windows10-2004-x64

10

Purge.exe

windows7-x64

1

Purge.exe

windows10-2004-x64

1

Scarab.exe

windows7-x64

10

Scarab.exe

windows10-2004-x64

10

a631ad1b1a...4b.exe

windows7-x64

6

a631ad1b1a...4b.exe

windows10-2004-x64

6

a9053a3a52...bc.exe

windows7-x64

7

a9053a3a52...bc.exe

windows10-2004-x64

7

b764629e1f...1c.exe

windows7-x64

10

b764629e1f...1c.exe

windows10-2004-x64

10

cf89f70633...5c.exe

windows7-x64

1

cf89f70633...5c.exe

windows10-2004-x64

3

e951e82867...50.exe

windows7-x64

1

e951e82867...50.exe

windows10-2004-x64

1

fa0c321e1a...d2.exe

windows7-x64

9

fa0c321e1a...d2.exe

windows10-2004-x64

8

fc184274ad...27.exe

windows7-x64

10

fc184274ad...27.exe

windows10-2004-x64

10

Resubmissions

18-07-2024 07:25

240718-h84wjs1hpb 10

18-07-2024 07:19

240718-h51pqa1gng 10

17-07-2024 20:55

240717-zqkhmaydmq 10

17-07-2024 19:21

240717-x2pwdaycjb 10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    17-07-2024 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

  • Size

    121KB

  • MD5

    eac0a08470ee67c63b14ae2ce7f6aa61

  • SHA1

    285c0163376d5d9a5806364411652fe73424d571

  • SHA256

    fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

  • SHA512

    f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

  • SSDEEP

    1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn

Score
9/10
defense_evasionevasionexecutionimpactpersistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 26 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
    "C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
      "C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop VVS
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\SysWOW64\sc.exe
          sc stop VVS
          4⤵
          • Launches sc.exe
          PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop wscsvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\SysWOW64\sc.exe
          sc stop wscsvc
          4⤵
          • Launches sc.exe
          PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          PID:624
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop wuauserv
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\sc.exe
          sc stop wuauserv
          4⤵
          • Launches sc.exe
          PID:1784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop BITS
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\sc.exe
          sc stop BITS
          4⤵
          • Launches sc.exe
          PID:536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop ERSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:264
        • C:\Windows\SysWOW64\sc.exe
          sc stop ERSvc
          4⤵
          • Launches sc.exe
          PID:340
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop WerSvc
        3⤵
          PID:1608
          • C:\Windows\SysWOW64\sc.exe
            sc stop WerSvc
            4⤵
            • Launches sc.exe
            PID:2076
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
          3⤵
            PID:2944
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              4⤵
              • Interacts with shadow copies
              PID:2072
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
            3⤵
              PID:1712
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
              3⤵
                PID:1776
              • C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
                C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:2768
                • C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
                  C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
                  4⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops desktop.ini file(s)
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  PID:2284
                  • C:\Windows\SysWOW64\NOTEPAD.EXE
                    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
                    5⤵
                    • Opens file in notepad (likely ransom note)
                    PID:2040
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2948

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          System Services

          1
          T1569

          Service Execution

          1
          T1569.002

          Windows Management Instrumentation

          1
          T1047

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Direct Volume Access

          1
          T1006

          Impair Defenses

          1
          T1562

          Indicator Removal

          2
          T1070

          File Deletion

          2
          T1070.004

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Inhibit System Recovery

          2
          T1490

          Service Stop

          1
          T1489

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\_HELP_INSTRUCTION.TXT
            Filesize

            1KB

            MD5

            6e04bc8f308993e1e5f1f0531f564a75

            SHA1

            042f692829949c15e6df023c01511e9d4c6c5c10

            SHA256

            792c38d9c0c2a4f4b7aaef6ec331204e973f3f54b8b40233611c925c88e0e3f6

            SHA512

            357d6bb09397f42cc584851be7fd08bfb74f67e6aae632e5488a0531666907ef38401c4c05f8945ad80ff372a8c40708b4a3a9639cd7eaf5b3b3241279cb9c12

            Download Submit

          • \Users\Admin\AppData\Roaming\BC1C9B74EA.exe
            Filesize

            121KB

            MD5

            eac0a08470ee67c63b14ae2ce7f6aa61

            SHA1

            285c0163376d5d9a5806364411652fe73424d571

            SHA256

            fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

            SHA512

            f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

            Download Submit

          • memory/2284-38-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-78-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-164-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-24-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-83-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-29-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-33-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-88-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-43-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-93-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-53-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-58-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-63-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-68-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-73-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-158-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-27-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-162-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-48-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-98-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-103-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-108-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-113-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-118-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-124-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-160-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-134-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-140-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-147-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2284-153-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2736-4-0x00000000002F6000-0x0000000000302000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2796-3-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/2796-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2796-7-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download