17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
361s
max time network
362s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encrypter.exe
Size

40KB
MD5

3ab401abcc5394e06c5e81fb08a5a451
SHA1

ad4fd5e28586ce50d1db6647e2490145a9dbe172
SHA256

3251403ff9848ed520230a0fb8979ea4b5c8a4aa4e4a392da4c4458390f040db
SHA512

fdfb6d16e007bac6b8aa5e376fada1f155a261ca63d272c4e5ea0a2e1b7f7970371275a43b7f48aac186c718ea90f1a9115a6eb97dcbbeca4c2ea4ac7d7c1104
SSDEEP

384:WAqJTdAAZpZd269D26KNLL15FFWjeiBTwohMMIPqUQXjSQ5Yhy:1c7d269D26at2TwomMrRXWGYhy

Score

10^/10

defense_evasion discovery evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 2784 cmd.exe
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1584 bcdedit.exe
1704 bcdedit.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2784	cmd.exe

pid	process
1584	bcdedit.exe
1704	bcdedit.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

encrypter.exeWMIC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	encrypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2840 vssadmin.exe

pid	process
2840	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1832	WMIC.exe
Token: SeSecurityPrivilege	1832	WMIC.exe
Token: SeTakeOwnershipPrivilege	1832	WMIC.exe
Token: SeLoadDriverPrivilege	1832	WMIC.exe
Token: SeSystemProfilePrivilege	1832	WMIC.exe
Token: SeSystemtimePrivilege	1832	WMIC.exe
Token: SeProfSingleProcessPrivilege	1832	WMIC.exe
Token: SeIncBasePriorityPrivilege	1832	WMIC.exe
Token: SeCreatePagefilePrivilege	1832	WMIC.exe
Token: SeBackupPrivilege	1832	WMIC.exe
Token: SeRestorePrivilege	1832	WMIC.exe
Token: SeShutdownPrivilege	1832	WMIC.exe
Token: SeDebugPrivilege	1832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1832	WMIC.exe
Token: SeRemoteShutdownPrivilege	1832	WMIC.exe
Token: SeUndockPrivilege	1832	WMIC.exe
Token: SeManageVolumePrivilege	1832	WMIC.exe
Token: 33	1832	WMIC.exe
Token: 34	1832	WMIC.exe
Token: 35	1832	WMIC.exe
Token: SeBackupPrivilege	2792	vssvc.exe
Token: SeRestorePrivilege	2792	vssvc.exe
Token: SeAuditPrivilege	2792	vssvc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

encrypter.execmd.exe

description	pid	process	target process
PID 2352 wrote to memory of 1832	2352	encrypter.exe	WMIC.exe
PID 2352 wrote to memory of 1832	2352	encrypter.exe	WMIC.exe
PID 2352 wrote to memory of 1832	2352	encrypter.exe	WMIC.exe
PID 2352 wrote to memory of 1832	2352	encrypter.exe	WMIC.exe
PID 2856 wrote to memory of 2840	2856	cmd.exe	vssadmin.exe
PID 2856 wrote to memory of 2840	2856	cmd.exe	vssadmin.exe
PID 2856 wrote to memory of 2840	2856	cmd.exe	vssadmin.exe
PID 2856 wrote to memory of 1584	2856	cmd.exe	bcdedit.exe
PID 2856 wrote to memory of 1584	2856	cmd.exe	bcdedit.exe
PID 2856 wrote to memory of 1584	2856	cmd.exe	bcdedit.exe
PID 2856 wrote to memory of 1704	2856	cmd.exe	bcdedit.exe
PID 2856 wrote to memory of 1704	2856	cmd.exe	bcdedit.exe
PID 2856 wrote to memory of 1704	2856	cmd.exe	bcdedit.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\encrypter.exe
"C:\Users\Admin\AppData\Local\Temp\encrypter.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1832

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2840
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1584
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2352-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download