Analysis

  • max time kernel
    146s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 17:30

General

  • Target

    801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe

  • Size

    18KB

  • MD5

    f31d6529ff4ad98053f9a8a9832f95e3

  • SHA1

    abdd5ce48e2d11a4c82fc90d9e9beeb14b437cee

  • SHA256

    801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e

  • SHA512

    25e452098a46f3ddf3cc6e268a94fa998d7c0de907741f436d10caf7be8c038163dc3a0f51516f3b4072085951eb5e44053b2e9f84a532c152bbf813a518a755

  • SSDEEP

    384:imwIxiBDXgRUV7JCGgmxt8mvA4ILbfNGHEDPUw3rXTXLazK:i6UVl7twPbfg2Uw3HXAK

Signatures

  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (500) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file (1 IoC)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (64 IoCs)
  • Interacts with shadow copies (3 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe
    "C:\Users\Admin\AppData\Local\Temp\801505b222599fb1b73dcf02ae754566bbe0ba03cb253592bc585b639f65f04e.exe"
    PID: 1968
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      PID: 212
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        PID: 4496
        • Interacts with shadow copies
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID: 3076
    • Suspicious use of AdjustPrivilegeToken

Downloads