Analysis
-
max time kernel
1562s -
max time network
1568s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
11-11-2024 07:17
General
-
Target
2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
-
Size
64KB
-
MD5
366aad320bb8a36a88491ad1d164cf09
-
SHA1
32e3c8c00cb87db06f8e65b2fbc7f04e08a14105
-
SHA256
fc950f34ce2005659e7b76fed9a740511688e83f84d9d7d225c0e632750518eb
-
SHA512
921b4d02d2944ea159d2d4623c5b3233bbbf574278e6f8f8f4b023c9b853c6d002f642beb78e316d643df3ab9043b0973cacb5a18a1776ba52d18fabaeff16d7
-
SSDEEP
768:jykKUSkyDjBSNBvSMIhK7VHQLvGdwFtg2dY6edSYQrq3RWD3Ghc5tTZ92th5Tk9x:SJEN8I5zGXgF6eIdq3Yym5l+tnP
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe"C:\Users\Admin\AppData\Local\Temp\2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /quiet /all"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\USE4F-92XZT-OTHTX-HTOET-OYYYY.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /quiet /all1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /quiet /all2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5034ec2feac949c6c41f24f306d6d527c
SHA1789db64de49f62b567f2049af9977a768726a10e
SHA25699a4785bea2ac98bbf9f71984749e588d5a09e885d23984fb63df2c7ee9e0842
SHA512fe294f1f6607d39dca37ceeb6fc486276fb1425ce48d0d78e33c56f33f1b96f98276b34b82f3ccd0ef69a2c30c7de2e01444381e3d2fa50223bdd2fdec40f7d8
-
Filesize
342B
MD526e85a18c0888914dcaa8870e2ec01b8
SHA1f77c2ad5ec2e983cb4e1b9c4eb7e4f81e1fc3509
SHA256a5df971dab14deb6f92da60ee4fa31a2eaa60d736ebb4a80728c325d8a42a35e
SHA512bfe2a6af5f22103e20203959d8fe91e48447cb13c3c04a85f9e7a5828d3d36d32750ed22a5cdbcbeee67371e1672fbbbd8e18b9ddc4379a6dc0fef4e20bf46ef
-
Filesize
342B
MD5d80c89fef7999eb391fa4bf920c664c7
SHA105394a82d42609ca88ec2efac2f1ddd3b4015a50
SHA25694d6c0ee7d4d96f1364afc85abd180d426d532f71949a424f656545c545d22b5
SHA512ccd8ee8822f6748cf3abe7104056fc566fe728110b9bad70082ac7d78efd72e2cb8fad8655a790e61aa8a164c59dde55f5d8915c88c83ad930854d8dd5a40ebf
-
Filesize
342B
MD541a92a527192513c649cb3cccb546faa
SHA1eaa9a689da6cfbab023fb1fa19d2c92951013962
SHA256441b3ee0d007ded1e001bfcc55c7fdf89e0df7dc57db53c0e9809b370b7b454e
SHA51273f20d422f3f3e1786bc4d8b157ee429ce30c8cf94e165d602b10dcd66ba751943761713d09f2340c11698c6f229a1c9ed871e25f21e1ee90fa6e5a1e6a19a28
-
Filesize
342B
MD5ed069a5667a17c268925b1b7449ccdf2
SHA147145f1afc28111d38f88523bc8eaa0529cec727
SHA256842c66ed1b9c950113dc681e3c51faa914f8286a7257b19d6689c5b2f7d87613
SHA512cdfef669858a0aa0ed04c862511dd3fb10c7590618f46e37ac4de2300efb1190e8bb9aa12d23405d3c427097498f7b4d8176a2626fc3aac516e39bfc960cc0f2
-
Filesize
342B
MD50045636bb0f93fd9cec49ddd0009c98d
SHA1120abf8ee178118227f8bd87c0c06e6ff1af9093
SHA256271ecdb9abff31566f7136908986589873775b1974d25be4d08444899c573d39
SHA512e833666dfca6cdf0ad95510092ccb20b870d897901289b0b0812015f95f6f0409ede63d3e7282f612fd4a84f63050fa2c82d39cfa503adc80f1a44dcb00c3aad
-
Filesize
342B
MD534287c4f268e577cc1eae9879c505bf9
SHA1b3fd4c9c0add69ce55ec38f6cef300f8580ff22b
SHA256c9f7f6497c286d0c874dbd02c73beb038f6cce80aedffe33e4eddcfa7035d8a2
SHA5127a2374a6836708360d7b8f020bcbf3b4ce0f3d76330eb3f21259496828eb558fe8f37319c02f895b202b049f27e8ee937840e9891bc603972454dec7886af0ae
-
Filesize
342B
MD52bd5f1ed07bab180cedc31da13d65844
SHA1e29497d4a6f97ded7536c952e6e2eade2dd91614
SHA256dc0ea8dd4bbc138fbcb666695c6c1e68e9bb869d90ffafd0ed7666c027f753de
SHA512d591e55961b17790d2821b085f26358aa71e1e264d6de7ac4a20c8c66fadc030802d69827f782dd47484534273f8fc16f8da17532cedf49696bc81a308a8e35d
-
Filesize
342B
MD59bc43bbfdc58cd343ded0570aaafcf20
SHA117a3604cf6f15db99d13224be20f82edf04fe345
SHA256364866c5111f440ff51079984bd22287455687e779dab1946f19dbb6717fe0d3
SHA51207e31132d67dfc5761de3d3e6479d32632c8c9066df1648a4648244bb4aa0c9317c4bc90752e3e0fd198ec6b32bc52b9e804bfe7af0a1000b1d73831d720ab1c
-
Filesize
342B
MD518eaa799dfb7a56ba0de3f04a854a6d7
SHA183e46e564563602fae55a6c7762dc7ba2ff92378
SHA2566004c83cf40ae13798faf4b7227ace9455c968aab4a51ccf6cff49519cf755b4
SHA512585dfd55da2c82c7fd0bf6e9edf463ab11b4c4c3501c7c04c88200fd90bbf36245b90f0dfbab8e7c15d40bbc709d499afc3f73e35cc30451d0ea21e29ad95c2f
-
Filesize
342B
MD51ed217a51c97dc02e1b9ad463abec305
SHA178086d9049a9d948b37b1be236aacaf6e948d31c
SHA25680c0dfc3ceb9fed469d439dfabf448b7efa2b8d6f5ffd401c2664ff46cb41167
SHA512241a086e79cc4fc9ccd2f435c078edd4c66200c7f7b08c35eca14ed9fa9db16fd31ad02727d8aab246cec5c3de108dcbbb6c8169f217a8238272cfa5f1d23a45
-
Filesize
342B
MD59703b8ac83a6d7db2029a2d1c710e0d5
SHA1aecfd6a690781e334a86e30aef4cae1339c18a6f
SHA256ac3dde6c6d38a8623b29ccf16e2ce24e4e414f8fdbed77c249e9845954123cd9
SHA5126599e4bc819f6c6bad5f431c479e131de6ec71c6b3d1a11a9f84dde045177b818d8abd27ae1dbe3107642742d2cea7e8edf7ad0961ca1f02ed34a6051bc5e1df
-
Filesize
342B
MD5e82e3fbbf79737a93329e64106fc7660
SHA13ee5694764f1cb7b0c92c08df831964fa22ecaf3
SHA25606eb833fbdc52a89a7caa839ee5b38afe39fab6170c5057d47eb909926515732
SHA512ceebd78f08b32d6f20abdc7b6c802a529b9bbb952291ff62df77bdf014f7d7c3d0461cb3c13fa3cdbfbabc3d7f632cb1777eb98a7674be5dbb4604a939a1793f
-
Filesize
342B
MD53f95b3edad2d8584ab72aa727e385e91
SHA1c1820c30a9a62b12a566e86dde5e7fdd5b1d909f
SHA2562adcc8a2790417b1477dc97531e04baa20914bc69a1ae12247395df5383e09c0
SHA512fa80d7b0cb9b8dd5c46c205903d5549efbb4af4413a3a70415d602a3ffce6a3bd779da804176e5988dca819ba8aae97090aa493346433825954a16114712a88f
-
Filesize
342B
MD56151da5a12ab0401de09f4a804911022
SHA15615e48709dfc1dadee09e145d982f225e5e5e2f
SHA25666254db20e13b32b7109287b7ddb7599e524c997de85a2ee90e64af901b2ba94
SHA5128d19dca7676c6057a245064989abe59fcb6d3642787f9040308fc327814dfc7debde8355da0bda52233bc6a6d340bd3efbf4a14f094c04a90325c8b8e2501416
-
Filesize
342B
MD56377490e9f036ea13f485e89d96a4e53
SHA1c3facaba9223799e974b519d9eb78c057b18d6a8
SHA256b916324d51929c96d2e4d081b19967f390e346e78e906e3382f83d44f28b80ec
SHA51243c729a3cea0464a0638bbdf87ccbc2654abda0c6387e94b1e488db54faee56e1e659c1ee9845bdc4781e921259fffc2a04b96dfd6551ca65ac14369adcf293d
-
Filesize
342B
MD50f5576c840451819d86dad9a7d9fda46
SHA174e58c1ecf1249b6d041188a8f8eb47d23d32825
SHA256608f4cfb0147e56fe0a15271849bd6fc87a77c0480b26a79e1a8030b5ad760d5
SHA512892ad70feb64977f7d74decc9bc8829ce900d5c661c1d344ffca568ca915dc63d487ca0313ef3dc8b75a0f34a493aeca7e1c4f6abc323a36b2ab6b56e7fb169e
-
Filesize
342B
MD5fd7428946f39b752052b02352354721d
SHA12056730955a365bb52a1308fe36a5c91f34c80a9
SHA256f41f51b9b171e9ad1c26ddbd71ff799ee5139ac72d8df5ce566643688e914aed
SHA5129b32d7493edec49c49fa8dffa79a04366eeae3607fc9e2c387dc5bddf9f30556775701dc51ad4eda5c88864c599baef738c54e0a6c14f4acd4d067adbb58fc63
-
Filesize
342B
MD5b720cbbb4f1aa3e4c1af55a74a7d63d8
SHA16469011f703f1c3d190db7776c3b8c791bed1c05
SHA256f964c9b6b0ab0758ac8d964f0457ddc5e5a0b9e2961696da3c4464d23b459381
SHA512465f1180e567b886c38f60a31ad59b569dfb60c075418d302b6eb062f39aa83a81e9adde8639308be13ac6b4b557eec6e4fe6c8957eee6005fbae6362d22ab3e
-
Filesize
342B
MD51150ffa7ecf5ad32f3c5c6d2d796209f
SHA181bc624091f2d3f9ed8e394fef70e90efc1952f7
SHA2567d8a19f36dfce46867bc0b28b0c3a1a9aab04f817b8610f961ed92fa1e01fd07
SHA51214a49a1204eae6068135e16f31cfea79e9ba6c3c483b6ee394f2a42b5b78ffe98ddb8d9ff10951edd2898b537a2d2cbefa66f0c5b2333c8ca680c9500d3aa316
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
16KB
MD51fc50f407ed5560863fc65fa7a9f3cea
SHA1a14d9eb9e361412f5ab38765b96d1667e1686ae8
SHA256b45d3a9c0a52c33e42ac0033d314bb15d3d4d5689dc86d2c92a6c21c9973447c
SHA512653800cad95dc510d1f58e95af8ae230d35827c05c61b665224b4d7ddf82d4b02b2a0b81aa85f2cff369e582c5cbcf014ec074ea1d6a917bfccdf2bbcf9686ef
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
28KB
-
Filesize
76KB
-
Filesize
28KB
-
Filesize
76KB