Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
07-08-2024 01:45
General
-
Target
814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe
-
Size
1.0MB
-
MD5
69a45130e5e5aadaae4f023c6ea37725
-
SHA1
28e1f0d8e479597f4d7b20c43bc8044482ebbc74
-
SHA256
814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f
-
SHA512
357f9b5aca858c8a77b124674c4469a760cf7db340263217d02787eebeccef3c2e13676a8fbe44336cee6b3d3ff189b12ee197f4da6584be0ec6b9cedd7dc807
-
SSDEEP
24576:6QMc/LMx3+ZoXdEwZuS2+gYUdX4h3dHt:668uZoNEwBg3XSJ
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Drops startup file 2 IoCs
-
Drops desktop.ini file(s) 36 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe"C:\Users\Admin\AppData\Local\Temp\814efbd86c0d4e11bfeb5b4bc06c1b6f378455837789637ce581b22777b3a81f.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractive2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114FEB11-1D2C-4EBD-9FE3-460FEDCE7D1C}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{114FEB11-1D2C-4EBD-9FE3-460FEDCE7D1C}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DFB62530-39DF-4AF1-BA3F-5C49383B0D41}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DFB62530-39DF-4AF1-BA3F-5C49383B0D41}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2BDEC03-18F3-4EA9-ABD4-D53CDBF9E0AC}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F2BDEC03-18F3-4EA9-ABD4-D53CDBF9E0AC}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F47B8E0-A76F-42B8-80C5-2B902F5E5749}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6F47B8E0-A76F-42B8-80C5-2B902F5E5749}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{021F038D-EF98-4277-807F-D9D2C31761FE}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{021F038D-EF98-4277-807F-D9D2C31761FE}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{522CFB70-E966-4631-B951-39079840FC86}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{522CFB70-E966-4631-B951-39079840FC86}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39A60542-2909-4674-A9B2-FCD89B71F373}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{39A60542-2909-4674-A9B2-FCD89B71F373}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{09D614CE-B995-49B2-AD78-718627D30B0D}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{09D614CE-B995-49B2-AD78-718627D30B0D}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9A213CE1-2A1D-4404-85E9-A877A57FF56E}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9A213CE1-2A1D-4404-85E9-A877A57FF56E}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07126393-5C20-4FEC-84EB-08FDE444B0C2}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07126393-5C20-4FEC-84EB-08FDE444B0C2}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{569F095D-1CBC-4EAB-A3CC-4EDACD8A6278}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{569F095D-1CBC-4EAB-A3CC-4EDACD8A6278}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25D60D36-2134-4703-B70F-C1E5670E2758}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25D60D36-2134-4703-B70F-C1E5670E2758}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E62387E8-4164-4550-873D-246FB783FDA4}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E62387E8-4164-4550-873D-246FB783FDA4}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBF372D1-ABDA-4550-BCFA-E589781243CB}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{EBF372D1-ABDA-4550-BCFA-E589781243CB}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{223604F6-39C9-4351-83D1-90EEE67EC572}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{223604F6-39C9-4351-83D1-90EEE67EC572}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3902E7F-7A32-4261-A3EE-B17FE1936361}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E3902E7F-7A32-4261-A3EE-B17FE1936361}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7CD00F17-C743-4154-B479-2E288FF81CB4}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7CD00F17-C743-4154-B479-2E288FF81CB4}'" delete3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47BC8E53-5A59-4C7C-AEF0-C0F1C41CFCA7}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{47BC8E53-5A59-4C7C-AEF0-C0F1C41CFCA7}'" delete3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5153a1cdc8ad4ddcc04f51e316e880e2f
SHA1127eed32f73cdf3bafae7e04bd3573b64ccbe50a
SHA256306a329356400e59f097093cee1d2ffdfcf726f512f1e8f6d4c415c4659fedd6
SHA512561a3c6e753e1db94502239fa3c09f2f759b67f1d86f303d712948605e1cb34d9ef3736ad49d29801abd7e26f71cf92a2f0f5fa989329d6fbc58dd096793ffbf