Analysis

Max time kernel: 112s
Max time network: 95s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/09/2024, 13:02
Behavioral task behavioral1
  Sample: 3edf17f985bf68be123edc894fd61190N.exe
  Resource: win7-20240704-en

Behavioral task behavioral2
  Sample: 3edf17f985bf68be123edc894fd61190N.exe
  Resource: win10v2004-20240802-en
General

Target: 3edf17f985bf68be123edc894fd61190N.exe
Size: 5.7MB
MD5: 3edf17f985bf68be123edc894fd61190
SHA1: 8e2cd7b91073c1d792972742b89974f3ccfec3c7
SHA256: 2f348d6a86b7c5196f1e8e44de7e4f4716707af48367e3746e960bf0099c8fdf
SHA512: 051a23653fbae90df49e28f8a059eee681e7c19ae33df3be865929332a84a14ed198979fbbcaa410cfa78900f8384bb8a0dbf40fc873ffe8c0f703c0738208e4
SSDEEP: 98304:gCQUA1OjhJTlBR1AebLrfjBevMu9Rqxkgn6lnwOmQvcQunlmoixgeXueb1:gCPhh1RrbLrfjBYRFbnR1EQunlmokgeb
Malware Config

Signatures

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

YARA rule matches
  resource                                                                  yara_rule
  behavioral2/memory/2612-0-0x00007FF734A00000-0x00007FF735510000-memory.dmp   upx
  behavioral2/memory/3008-5-0x00007FF734A00000-0x00007FF735510000-memory.dmp   upx
  behavioral2/memory/2612-7-0x00007FF734A00000-0x00007FF735510000-memory.dmp   upx

Drops file in System32 directory (7 IoCs)
  description                   ioc                                              Process
  File opened for modification  C:\Windows\system32\wbem\repository\OBJECTS.DATA  svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\INDEX.BTR     svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository               svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\WRITABLE.TST  svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING1.MAP  svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING2.MAP  svchost.exe
  File opened for modification  C:\Windows\system32\wbem\repository\MAPPING3.MAP  svchost.exe
Suspicious use of SetThreadContext (1 IoC)
  description                       pid   Process                               procid_target
  PID 2612 set thread context of 3008  2612  3edf17f985bf68be123edc894fd61190N.exe  88

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid   Process
  3028  ipconfig.exe

Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  3000  vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3008  3edf17f985bf68be123edc894fd61190N.exe (4 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3008  3edf17f985bf68be123edc894fd61190N.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated identical entries collapsed)
  description                         pid   Process
  Token: SeLoadDriverPrivilege        2612  3edf17f985bf68be123edc894fd61190N.exe
  Token: SeLoadDriverPrivilege        3008  3edf17f985bf68be123edc894fd61190N.exe
  Token: SeBackupPrivilege            4400  vssvc.exe
  Token: SeRestorePrivilege           4400  vssvc.exe
  Token: SeAuditPrivilege             4400  vssvc.exe
  Token: SeAssignPrimaryTokenPrivilege 5008  svchost.exe
  Token: SeIncreaseQuotaPrivilege     5008  svchost.exe
  Token: SeSecurityPrivilege          5008  svchost.exe
  Token: SeTakeOwnershipPrivilege     5008  svchost.exe
  Token: SeLoadDriverPrivilege        5008  svchost.exe
  Token: SeSystemtimePrivilege        5008  svchost.exe
  Token: SeBackupPrivilege            5008  svchost.exe
  Token: SeRestorePrivilege           5008  svchost.exe
  Token: SeShutdownPrivilege          5008  svchost.exe
  Token: SeSystemEnvironmentPrivilege 5008  svchost.exe
  Token: SeUndockPrivilege            5008  svchost.exe
  Token: SeManageVolumePrivilege      5008  svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3008  3edf17f985bf68be123edc894fd61190N.exe

Suspicious use of WriteProcessMemory (20 IoCs; repeated identical entries collapsed)
  description                      pid   Process                               procid_target
  PID 2612 wrote to memory of 3008  2612  3edf17f985bf68be123edc894fd61190N.exe  88   (12 occurrences)
  PID 3008 wrote to memory of 3028  3008  3edf17f985bf68be123edc894fd61190N.exe  89   (2 occurrences)
  PID 3008 wrote to memory of 1740  3008  3edf17f985bf68be123edc894fd61190N.exe  90   (2 occurrences)
  PID 3008 wrote to memory of 3000  3008  3edf17f985bf68be123edc894fd61190N.exe  91   (2 occurrences)
  PID 1740 wrote to memory of 1876  1740  net.exe                                95   (2 occurrences)

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

1. C:\Users\Admin\AppData\Local\Temp\3edf17f985bf68be123edc894fd61190N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3edf17f985bf68be123edc894fd61190N.exe"
   PID: 2612
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3edf17f985bf68be123edc894fd61190N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3edf17f985bf68be123edc894fd61190N.exe"
      PID: 3008
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SYSTEM32\ipconfig.exe
         Command line: ipconfig /flushdns
         PID: 3028
         - Gathers network information

      3. C:\Windows\SYSTEM32\net.exe
         Command line: net stop winmgmt /Y
         PID: 1740
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 stop winmgmt /Y
            PID: 1876

      3. C:\Windows\SYSTEM32\vssadmin.exe
         Command line: vssadmin delete shadows /All /Quiet
         PID: 3000
         - Interacts with shadow copies

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 4400
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
   PID: 5008
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken