Analysis

  • max time kernel
    60s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/09/2024, 14:26

General

  • Target

    a345d470738a428a10bf15194748beaa5627c75692d66d1016a01d30bc1cd5c0.exe

  • Size

    371KB

  • MD5

    87d5535c6d94bef127f82f5fff6497bd

  • SHA1

    a83ec32dfb1c590ebfd6e3233d81a0f3cbac0994

  • SHA256

    a345d470738a428a10bf15194748beaa5627c75692d66d1016a01d30bc1cd5c0

  • SHA512

    f37502876aaeaeb7b3e2e842485e7e00c6fcf5206824548970ec011a40f7303d8e48898069f36376dc92165f0652d4d890cc55cf46200af6191dc9598323bf65

  • SSDEEP

    768:CU41Hv11ZX47nelShWFhdEod+QZnpLtx+:81HBoClShWFhdl+QdjQ

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8065) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 46 IoCs
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 12 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a345d470738a428a10bf15194748beaa5627c75692d66d1016a01d30bc1cd5c0.exe
    "C:\Users\Admin\AppData\Local\Temp\a345d470738a428a10bf15194748beaa5627c75692d66d1016a01d30bc1cd5c0.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=1MB
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=1MB
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1644
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2300
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=1MB
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=1MB
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2728
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2444
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=1MB
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=1MB
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2628
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=1MB
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=1MB
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2668
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=1MB
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2224
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=1MB
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2620
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1976
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2576
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=1MB
      2⤵
      • System Location Discovery: System Language Discovery
      PID:268
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=1MB
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1984
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin Delete Shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2308
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2188
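The process tree above shows the sample driving vssadmin.exe through cmd.exe in a fixed pattern: shrink the shadow storage of every drive letter from c: to h: to 1MB (which makes Windows evict the shadow copies that no longer fit), immediately set it back to unbounded so the change is not obvious, and finish with "Delete Shadows /all /quiet". The detection logic below, added here as an example and not code from the sandbox or from the sample, classifies such command lines, attributes each vssadmin action to the root of its process ancestry (the submitted executable, PID 2540, rather than the intermediate cmd.exe), and alerts on roots that deleted shadows or shrank shadow storage. It assumes process-creation events that carry parent PID, PID, image and command line (as Sysmon Event ID 1 does); the SAMPLE_EVENTS are constructed from the tree above plus one benign "vssadmin list shadows", and the 512 MB SHRINK_THRESHOLD is an assumed tuning value.

```python
"""Detect vssadmin shadow-copy tampering in process-creation events.

Added example for this report, not sandbox code. Assumes events of the form
(ParentPID, PID, Image, CommandLine); SAMPLE_EVENTS is constructed from the
process tree in the report plus one benign command, and SHRINK_THRESHOLD is
an assumed tuning value.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    (2540, 2580, r"C:\Windows\SysWOW64\cmd.exe",
     "cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=1MB"),
    (2580, 1644, r"C:\Windows\SysWOW64\vssadmin.exe",
     "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=1MB"),
    (2540, 2796, r"C:\Windows\SysWOW64\cmd.exe",
     "cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded"),
    (2796, 2300, r"C:\Windows\SysWOW64\vssadmin.exe",
     "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded"),
    (2540, 2756, r"C:\Windows\SysWOW64\cmd.exe",
     "cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=1MB"),
    (2756, 2728, r"C:\Windows\SysWOW64\vssadmin.exe",
     "vssadmin resize shadowstorage /for=d: /on=d: /maxsize=1MB"),
    (2540, 2308, r"C:\Windows\SysWOW64\cmd.exe",
     "cmd.exe /c vssadmin Delete Shadows /all /quiet"),
    (2308, 1624, r"C:\Windows\SysWOW64\vssadmin.exe",
     "vssadmin Delete Shadows /all /quiet"),
    # Constructed benign admin activity: listing shadows is not tampering.
    (4000, 4001, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

_UNITS = {"": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3, "tb": 1024 ** 4}
# Shrinking shadow storage below what existing snapshots occupy makes Windows
# evict them, so a tiny /maxsize is a purge, not housekeeping. 512 MB is an
# assumed cut-off; tune it to the smallest legitimate value in your fleet.
SHRINK_THRESHOLD = 512 * 1024 ** 2


def parse_maxsize(value):
    """Bytes for a /maxsize= value (1MB, 50GB, 4096, UNBOUNDED); None for
    percentages or anything unparseable."""
    v = value.strip().lower()
    if v == "unbounded":
        return float("inf")
    m = re.fullmatch(r"(\d+)(kb|mb|gb|tb)?", v)
    if not m:
        return None
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def classify_vssadmin(cmdline):
    """Tag a command line that drives vssadmin, whether run directly or via
    'cmd.exe /c'. Matching is case-insensitive so 'Delete Shadows' counts."""
    toks = [t.strip('"') for t in cmdline.lower().split()]
    idx = next((i for i, t in enumerate(toks)
                if t in ("vssadmin", "vssadmin.exe") or t.endswith("\\vssadmin.exe")), None)
    if idx is None or len(toks) < idx + 3:
        return None
    verb, obj, args = toks[idx + 1], toks[idx + 2], toks[idx + 3:]
    if verb == "delete" and obj == "shadows":
        return "delete_shadows"
    if verb == "resize" and obj == "shadowstorage":
        size = next((a.split("=", 1)[1] for a in args if a.startswith("/maxsize=")), "")
        nbytes = parse_maxsize(size)
        if nbytes == float("inf"):
            return "resize_unbounded"
        if nbytes is not None and nbytes <= SHRINK_THRESHOLD:
            return "resize_shrink"
        return "resize_other"
    return None


def find_tamperers(events):
    """Attribute every vssadmin action to the root of its process ancestry
    and alert on roots that deleted shadows or shrank shadow storage.
    Returns {root_pid: {"tags": [...], "drives": [...]}}."""
    parent = {pid: ppid for ppid, pid, _, _ in events}

    def root_of(pid):
        seen = {pid}
        while pid in parent and parent[pid] not in seen:
            pid = parent[pid]
            seen.add(pid)
        return pid

    tags, drives = defaultdict(set), defaultdict(set)
    for _ppid, pid, image, cmdline in events:
        if not image.lower().endswith("vssadmin.exe"):
            continue  # the cmd.exe wrapper carries the same command; count the action once
        tag = classify_vssadmin(cmdline)
        if tag is None:
            continue
        root = root_of(pid)
        tags[root].add(tag)
        m = re.search(r"/for=([a-z]:)", cmdline.lower())
        if m:
            drives[root].add(m.group(1))

    return {root: {"tags": sorted(t), "drives": sorted(drives[root])}
            for root, t in tags.items()
            if "delete_shadows" in t or "resize_shrink" in t}


if __name__ == "__main__":
    for root, info in find_tamperers(SAMPLE_EVENTS).items():
        print(f"PID {root}: {', '.join(info['tags'])} on drives {', '.join(info['drives']) or 'n/a'}")
```

Counting the action once on the vssadmin.exe event (not on its cmd.exe wrapper) keeps the tally honest, and walking to the root of the ancestry is what ties the eleven separate cmd.exe children in the tree back to the one sample. The "resize to 1MB, then unbounded" pair is worth alerting on even when no "delete shadows" follows, since the shrink alone is enough to evict existing snapshots.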

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MSOCache\All Users\CONTI.txt

    Filesize

    155B

    MD5

    306995d320c5ecaac50548a5ecea7e93

    SHA1

    8e07180d87e8241ccc0a256c09c18a5268742664

    SHA256

    5f048a86adfb08eb5edded7c8592cdc3aad8e50cdf3fe11d3790b5ab1311afee

    SHA512

    f5055877ccda5e0f8dd6e58f39e3ad9aaff4555cab788d72e483e87324bee2985f3defb24fd8e1be8dbd9747be8792f2d8172e946755123b03a270e8d4ea028d