c4e56e9f1a23448f15f6f81dfdf3b2343e94ca1f33ba1f11a96a4b4182358664

Analysis

max time kernel
133s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-10-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
Size

18KB
MD5

f31d6529ff4ad98053f9a8a9832f95e3
SHA1

abdd5ce48e2d11a4c82fc90d9e9beeb14b437cee
SHA256

801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e
SHA512

25e452098a46f3ddf3cc6e268a94fa998d7c0de907741f436d10caf7be8c038163dc3a0f51516f3b4072085951eb5e44053b2e9f84a532c152bbf813a518a755
SSDEEP

384:imwIxiBDXgRUV7JCGgmxt8mvA4ILbfNGHEDPUw3rXTXLazK:i6UVl7twPbfg2Uw3HXAK

Score

9^/10

defense_evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (495) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\Desktop\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\Libraries\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Links\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	F:\$RECYCLE.BIN\S-1-5-21-1687926120-3022217735-1146543763-1000\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Contacts\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Music\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Pictures\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\Documents\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\Downloads\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\Pictures\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Favorites\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Searches\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\Videos\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Public\Music\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Desktop\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
File created	C:\Users\Admin\Downloads\desktop.ini	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1816	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4580	vssvc.exe
Token: SeRestorePrivilege	4580	vssvc.exe
Token: SeAuditPrivilege	4580	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 4896	2828	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe	74
PID 2828 wrote to memory of 4896	2828	801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe	74
PID 4896 wrote to memory of 1816	4896	cmd.exe	76
PID 4896 wrote to memory of 1816	4896	cmd.exe	76

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
"C:\Users\Admin\AppData\Local\Temp\801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact