Analysis
-
max time kernel
1562s -
max time network
1563s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11/11/2024, 07:17
General
-
Target
2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe
-
Size
77KB
-
MD5
1b96a20d2b8a062f538eb40aef3e8ec8
-
SHA1
3ba495326b2a6e59e91814a8f5e713a5fa327ee7
-
SHA256
1809aa1e4d1ed14722417ee284cea229fac1c09b8c14434f7e1b2ea8547c5aeb
-
SHA512
81560a82fc2a0df21274adfcd126193b939f3323e29498b109a698f1a3626e860cc323e36385ab3db43b8760d822acfe098e1dde62cbfc71def26e5e1379bb71
-
SSDEEP
1536:5JJIPV0EfELXWcEJXYMxJ06pifrpE/Aw1w:53IZhVphpif611w
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe"C:\Users\Admin\AppData\Local\Temp\2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\US170-0CXOT-OTHTX-HTOHT-RYYYY.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /quiet /all1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /quiet /all2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5ba4506ec2053849438faf740ae6d1dc5
SHA1bbf32c763558b4165f0bac7109dacdea863e8089
SHA2569d93f5f2841c71cc90f62437129fc36a403a79f26f0d1b88b663aed1c51c9d0b
SHA512a17ccd101f6bf777999c4669c237d14ce1a07cacac3d1b3e41dd96806ca203c8198eae74880fcdca469fb6612482815c226a1df97fcb917bf4302f270c33cf78
-
Filesize
342B
MD5bf8fa72a3faa74b5b7310df2d667aee7
SHA1944729d0ca2a432601c90ee8b29e2e182a24c43c
SHA256f7e80c0c44bd9090c0d24e2efb7a7cc27d207b5cd168e4b313d9731c40ac7a46
SHA512760f72be922fa050fc091896b49f891236e19a29a7138e9aa1bd20c8d917817c3ed28985236a385ca3991b85bd46c535ca822cf0bdebc2d4b493e98167949829
-
Filesize
342B
MD5d4184e46ee088b18d9e2831e4f8c60d2
SHA192e7f70fa38c3d0a296d75f68d8ce7faf70f04b4
SHA25611d5acba4c900737af6d525b22a4033f109d3cc4a7fefd05c63261455291b0ac
SHA512d9f3bc98adda9377e39aef847c4f9c5fc90cb1c8bffcff6cfbe7464387c06cfcccf4c3367e7bc1847e7d20d54b15f0a660a9491d8495b67026fd1e451b1f2c70
-
Filesize
342B
MD5afb41117cc14cace3a282e8712b135c3
SHA1e2fc8fe735178e5d4da2f04cd9df5efde31f307e
SHA2567b50fb4535f21de9606b555ee96f0e58780a190006db201f4af6ae97385ddda4
SHA5121398d6129c024da122fdb560fce6544e02c6f7b17ebdd4c4cadf9b6e88a92b8cf35ec39a675323e99c956cabb52124c71126075115d2dc1b84c5ed6074400f24
-
Filesize
342B
MD5940d76ad8a740afe933de32b4d06740b
SHA16a9d0dec3d86a82e4c5052f0ece7a7a44ba7e766
SHA256b826bd91d5ae9ffec5a6a458b5f4dab47320138d7a2ac5f2914e6d6a485276c0
SHA5127ec7e2306285fa0d9c420a8626057356a63c058393ea3d2a88e2f7a6e732e1af1d1c894dc7b6b2d3c13c40f6caf9e66cb2f04761845120b4b50ab5a71856a2eb
-
Filesize
342B
MD5330071c7b5490c8e6e820dfcbd027489
SHA14b88a9cb1b90fd45a7b67d2e4f6f2fbf054f8bd6
SHA25621c5885d6b7a7281d518809894aaf1bcc9a11f662ed0b8d6394ed878c65be313
SHA5127bf1779b9fbe2457e84fd4da90ed3751f57691df7f8fc810bc5cf1ad3559fc92cbc048f2edea30409924f2971bfaa81d877918f4b1f991edd604babf838eac41
-
Filesize
342B
MD5e7d4caec1b3fa4c79c3f7534c05b1e44
SHA117971e0ad39b92f6d7da8a24eb78c4ff202b0a0b
SHA25693a63a3ddefddf0d0a1fa1819e5b8a015716c30f69e8063961d8d6be6842c8d4
SHA5120676737fdc08695d0e87c8f31e3bae117693db1820ccba0039463920ab92394e54a065c99bca43bb44022fd3691edf66f1ad615ddedddc4e716d58c89cd1141b
-
Filesize
342B
MD50d598fe4dd5cc2e4681669753e0672e1
SHA123d554a85a32c896c752857b61e2cd18a62dc1f7
SHA2568a799fe327d7ace0274f8f64c5e2fb7c26be699df2bd881bc9662b65ab450af3
SHA5120cfa48f7d460eb60bee7399c8b34d3718b0a5b2ceeb569bcd0cc889c320031643b0129a0e3211ae67ddd0e74216d67cf353d7d3849082804f0bdb15f0ddafdeb
-
Filesize
342B
MD57c17e488670f8c04d8f77771133e80b0
SHA1d54a8ad595a3f69ba7b46f5f40f5170f8541c77e
SHA2563a063b4eec69cd4d8e0b68e600005f08c057e4b6815972c1651f15e073a890b2
SHA51293bc3942d86ef53bb41bba16b0e8aaac67f848af4d1c6faefce5dc6f1d0fdbde266f1a103e601c061332c62ee9abef7f37412cee1b2231836fc30838a1ca7071
-
Filesize
342B
MD51bee12d9f0474e12ccd11a7ae71e91b0
SHA1bacbc8f92fcd786cea6d43abcc18f2c0717a81da
SHA25636dada612d6c57cc969f520b843e7aa3c1fe0d09551fdaf52d0deb840c66b738
SHA5120cca82d5d92ee101054fd8e8795d3be0386e4627b14daa691c4713920a1fb7526767daf29f99496f1aa8de56ff243f607bfe595f41bf2a22d2566d2ba43b2fe8
-
Filesize
342B
MD5accb56b8c996510f8d141969da78be82
SHA15b73d1419727581b4ffc390654505f23c5ba3cb0
SHA2562e8ec3157c279902b99ff874843a7ce8be4ed11512f50728555d5bae4c6c72a5
SHA512ccf633281cd94121e8e693cce2bfbbb71e73e9e2cc78fdb2a5cf45b859b292f627d5c7c447290e7e2738c9c2c5fad6d685917a29a45a8c584d1bb83d70ab779a
-
Filesize
342B
MD5300ccc801f8d1594b20002c66cdf6a61
SHA1f3c39b88aef36835523d511db60a392bc35f9a51
SHA256447e5430c46cc06d00d02fbc56d2be91df2a23cff4eeaf30782fcf131facbf06
SHA51221d526f0fa7edbaf85cfb16ad036d8676020c9bcebf9f959d98c5a8c40a0d796b6423640c8f3d1f78e5e8b00066922d11daaf5b31be18bd72b18fff40550e572
-
Filesize
342B
MD50b650b5090e75e2b9868b56a5f385e50
SHA1d6e1201c1200a31ba02753aca1815170f102c9b1
SHA256d4de836be364f577d603c9f5c45a6669fa565ef54edd8888083c943b419aac5f
SHA5124959151b1038e636f5ad94fff4d57a4a37a3563d017f3531de3e6fc85fd7f87dafa559de356a8e3a7dcb7639717885414501510b2601ce8fbefaec133ac9c6c9
-
Filesize
342B
MD5f79d1dc0a31d98a153a87357bfecd4e5
SHA126bc9f2740ccc71c972e5d9e99a1642b03b45e8f
SHA256352be5d8af4666fb3429f45300a3b7498dfccfe26fa930cbef5ae08942b2852c
SHA512f18bde1819c02f36dc338a0b862e48bcab2c7be514cdefbe7d6dcdf74c1b442f39882abdd06b491eb94918a346ebd42dbd6a38f676ac620d8994e63af9a566e4
-
Filesize
342B
MD570d44b9766e3011de6768f4a5fea0b02
SHA164ede5dc79f312ad398d9ab70939cd1a5880eba8
SHA2561c925ef83b2a8ee1aaa04aa06b90098c96123e937c2114ab0f646b93cd7cd63e
SHA512bf08640ed230cb1219ebd4b4f046b15c9a9ca4586120cbec05ddd4133276ba7debb601c362306b54b32bcf8e270b66d7ad81e46fb9cbebc9dec3320b30151b35
-
Filesize
342B
MD57f11ebdeb347e66fb44c46ebfd098fa7
SHA1164697af3274c3b6a73d9caf735739bf770194db
SHA2564c5db4ccadf795ee65bb9dfe9ed9d0ef7378357dd11b300556391266ed997110
SHA51212ef088038a5875c36742bb5e2b689034240be9b9af9006a2a25f10324da4c38f4cbf48463486fb15042e78578bce580f3232d9d3e3b22297e0a21a16ca10a24
-
Filesize
342B
MD5fbfd12138248d6617f675d77513e50f8
SHA19b0020724d74395c71c4ef20c47a972321dadacb
SHA256b5407e8950b073cc6117620600fecd98b9b64d599eb880ce3adc02dc341d1237
SHA512bd169a325955518d9975aed6e0e9fdf1acf288ad2a175145927cc70284fafb886549618ebce402ec2709301a647636586054d71f099cd0505fa553a869481ae8
-
Filesize
342B
MD594cd6c0db10ac35ef9dd83f958739833
SHA1add88e02420a0f4b421f241db0b28606fe86beb2
SHA25659680333a4811ecf3403dc02d9315f3a03e4494cfbdb26a21dbb7670588e1446
SHA512dff70cf402e16b992177eb111a1bd1138561ee535715d1f78ba7fda787fee31adca2127445ab99333525cd3f5aa226f1c0e6dbfa128bcc4377ce392a7b3517e8
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
16KB
MD5b92d18e48498c37f7c05327b021dcd5c
SHA1dbf63be4b2f9f9f2f43a1d18726e019d905787a6
SHA256974768b89237946651ef91bc9d89fe033f44c56408db87833abcc623035f861e
SHA5120428bc715068b6ecc30f94a6ec976d401196d3d5b4663a0468b8ad14960c90c52de76c2f383a70ce9e52bdf103bc5ef87d69d58fedaa3ed098ff8a95ddecc02e
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
92KB
-
Filesize
28KB