Analysis

  • max time kernel
    271s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:41

General

  • Target

    _003E0000.exe.vir.exe

  • Size

    116KB

  • MD5

    f57d188c4667fab46208396af20badd2

  • SHA1

    367ea268c494d17672ef371adebef0f505c1a804

  • SHA256

    878304de96556ed340f190a9d8b5650dc71512eed4210676560fc41e7ac4857c

  • SHA512

    157615951ccf90c69aaa4e4e1e1f664ffcb6c5817371143ac5bc2dfac04185e57981d50194ad4a1784c29f16211b6a18e9fa085721d05e29ba63377e40dc41a2

  • SSDEEP

    3072:SsB0ura/QOVLLkeyYP1RNDZyuubclhZUnr:Sef7wkey21flyu8+i

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe
    "C:\Users\Admin\AppData\Local\Temp\_003E0000.exe.vir.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\syswow64\explorer.exe
      "C:\Windows\syswow64\explorer.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\syswow64\svchost.exe
        -k netsvcs
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2576
      • C:\Windows\syswow64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2964
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2576-5-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2576-8-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2848-1-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2848-0-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/2848-6-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

  • memory/2848-7-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB