e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

Analysis

max time kernel
181s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
Size

2.0MB
MD5

217c23371f1d91e81beac74a759be045
SHA1

7aa2abe3c6d2decee0bd741198a59db9c92d4cbd
SHA256

20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d
SHA512

5f8f0550b61bfeac6675c7c489cbf5e9d5d85ffe98798499e086d207a63a970aaae81bfb07eed841abff073df2505d6c2e271e01836658d940c6c3e1c62031f5
SSDEEP

49152:cbIZw+8h+93HIyboFW0eqqoD5PyyGBrmM/eZzUBSzPayRxcJ:zb3HlCW0eGIy6r//eZAIWyRxq

Score

9^/10

defense_evasion discovery evasion execution impact ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

svchost .exe

pid process

1736 svchost .exe

pid	process
1736	svchost .exe

Loads dropped DLL 4 IoCs

Processes:

20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe

pid	process
2372	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
2372	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
2372	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
2372	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\des1.jpg"	reg.exe

Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2332 sc.exe
1844 sc.exe
1888 sc.exe
316 sc.exe
2100 sc.exe
664 sc.exe
2312 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2332	sc.exe
1844	sc.exe
1888	sc.exe
316	sc.exe
2100	sc.exe
664	sc.exe
2312	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exerundll32.exesc.exesvchost .exereg.exevssadmin.exesc.exesc.exereg.exesc.exesc.exevssadmin.execmd.exereg.exereg.exesc.exesc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2720 vssadmin.exe
1756 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2688 vssvc.exe
Token: SeRestorePrivilege 2688 vssvc.exe
Token: SeAuditPrivilege 2688 vssvc.exe

pid	process
2720	vssadmin.exe
1756	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	2688	vssvc.exe
Token: SeRestorePrivilege	2688	vssvc.exe
Token: SeAuditPrivilege	2688	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exesvchost .execmd.exe

description	pid	process	target process
PID 2372 wrote to memory of 1736	2372	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe	svchost .exe
PID 2372 wrote to memory of 1736	2372	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe	svchost .exe
PID 2372 wrote to memory of 1736	2372	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe	svchost .exe
PID 2372 wrote to memory of 1736	2372	20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe	svchost .exe
PID 1736 wrote to memory of 2792	1736	svchost .exe	cmd.exe
PID 1736 wrote to memory of 2792	1736	svchost .exe	cmd.exe
PID 1736 wrote to memory of 2792	1736	svchost .exe	cmd.exe
PID 1736 wrote to memory of 2792	1736	svchost .exe	cmd.exe
PID 2792 wrote to memory of 2960	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2960	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2960	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2960	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2996	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2996	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2996	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2996	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2324	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2324	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2324	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2324	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2816	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2816	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2816	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2816	2792	cmd.exe	reg.exe
PID 2792 wrote to memory of 2844	2792	cmd.exe	rundll32.exe
PID 2792 wrote to memory of 2844	2792	cmd.exe	rundll32.exe
PID 2792 wrote to memory of 2844	2792	cmd.exe	rundll32.exe
PID 2792 wrote to memory of 2844	2792	cmd.exe	rundll32.exe
PID 2792 wrote to memory of 2844	2792	cmd.exe	rundll32.exe
PID 2792 wrote to memory of 2844	2792	cmd.exe	rundll32.exe
PID 2792 wrote to memory of 2844	2792	cmd.exe	rundll32.exe
PID 2792 wrote to memory of 2720	2792	cmd.exe	vssadmin.exe
PID 2792 wrote to memory of 2720	2792	cmd.exe	vssadmin.exe
PID 2792 wrote to memory of 2720	2792	cmd.exe	vssadmin.exe
PID 2792 wrote to memory of 2720	2792	cmd.exe	vssadmin.exe
PID 2792 wrote to memory of 2100	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2100	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2100	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2100	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2332	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2332	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2332	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2332	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2312	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2312	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2312	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 2312	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 664	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 664	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 664	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 664	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 316	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 316	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 316	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 316	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1844	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1844	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1844	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1844	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1888	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1888	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1888	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1888	2792	cmd.exe	sc.exe
PID 2792 wrote to memory of 1756	2792	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
"C:\Users\Admin\AppData\Local\Temp\20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Roaming\svchost .exe
  "C:\Users\Admin\AppData\Roaming\svchost .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\desk.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
      4⤵
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\des1.jpg" /f
      4⤵
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      System Location Discovery: System Language Discovery
      PID:2844
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2720
  - - C:\Windows\SysWOW64\sc.exe
      sc stop VVS
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2100
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2332
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2312
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:664
  - - C:\Windows\SysWOW64\sc.exe
      sc stop BITS
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:316
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ERSvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1844
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1888
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\des1

Filesize
424KB

MD5
2cecdd72325a24a468ef66037dab094e

SHA1
db98144940916c64cd37815c427134d0194ef832

SHA256
8331afb29af322ab4a5a450f1067facac8b95bc4260eb7b102b224ed3c219d25

SHA512
dab3fa4867e11687e8e3f99d1f7c67150a099efcde8aa17633a72780fb726d094fab0219fe1cefa41790388acfb6669685f469b23974b5958122be97077bfe4b

Download Submit
C:\Users\Admin\AppData\Roaming\desk.bat

Filesize
704B

MD5
f75fd3ea44c0022e1753ac797711f930

SHA1
6e71bc00fa7b8062ea547da705950c73a92788db

SHA256
e4872ff8700d90b1d721a9b30148d8a48510b5e63d25b5f0918024bd27ce7b22

SHA512
aa965f3e0ded2f0ffb53e2597a6d8deb9b6fc73ee2564cd238e81b7778e446c9432beac9891533dc3d3e92d925dff1a943837502bed464369b9fae367377fcfb

Download Submit
C:\Users\Admin\AppData\Roaming\svchost .exe

Filesize
5.0MB

MD5
3e7bd2126ad2d056b12a906ec74f4e75

SHA1
2147ec630ce348816fce2e9b7a36a14a0a7f56d0

SHA256
7f1d3ed805910aa90172d72e7923d129d2967bfe50398e863ec48b71c952b199

SHA512
7cf82908c203f6a9bab75ca60872dd0cd82f9d944395683bf36d3dd01611d8d95c00f4ca1e74ea397cae7da6afbd0bca6bbc1b5059e2751ed0f321b3b732a8fd

Download Submit
C:\Users\Admin\Desktop\EditSend.xlsx.ch4x0

Filesize
10KB

MD5
6bb28eca731de08fde8e0ee1ef70bf16

SHA1
93baa64fcfc23aa54775bf5bb9976567f2563ad2

SHA256
d416a04791a7b60b2091e7aeb013ab8fc9a376889197fdec41fd5c2259d75a28

SHA512
1af6dd6caebe4734001a44074cddf41fd1972f6a98bb73df04212a4cb08dc4cc18bb083493751a416de3c65f1a26899df4a93f01c481a9ea80472ec336277382

Download Submit
C:\vcredist2010_x86.log.html.ch4x0

Filesize
82KB

MD5
8affca1d19603744637dc8fa556628ef

SHA1
067a5d311e45fe5e6ac28ba3a78d2ee6dc482843

SHA256
2d3e4064f074318ee84f84a10ee99de97006e40af7bf022094a255e1515d025e

SHA512
c6e345ee519c23fd7d61fb5a95dd4b7484eb31794ebbfb1ccedb4b2d75d529d12bfaa5b747e372b9ec4987d250cb9db17a7904e39473eb824d340e490fe9ac92

Download Submit
memory/1736-284-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download