471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
Size

161KB
MD5

517d709b1b99fa87ddfe61950a93cf5c
SHA1

2b6da3641ad3c13be272c7e66c938afd5879d65f
SHA256

7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f
SHA512

e23c60821e71704ab77ed8031b025b6ec9065479b766ca9fce2d4e93f1e4e66f7ed821d161890dfd87306408917c82514aaf96506cfc335e2c0bd1166fd1809f
SSDEEP

3072:+dhOdhhyAbz6XdKWf4xEE1ODDl9oz4ilUEPllLBDlWz:+dhw1CZJEQXl9o05EDLBlWz

Score

9^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1fd0112.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1fd0112.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\1fd011 = "C:\\1fd0112\\1fd0112.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fd011 = "C:\\1fd0112\\1fd0112.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\1fd0112 = "C:\\Users\\Admin\\AppData\\Roaming\\1fd0112.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fd0112 = "C:\\Users\\Admin\\AppData\\Roaming\\1fd0112.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe

description	pid	process	target process
PID 2164 set thread context of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vssadmin.exe7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exeexplorer.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

1740 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

explorer.exe

pid process

2864 explorer.exe
2864 explorer.exe
2864 explorer.exe
2864 explorer.exe
2864 explorer.exe
2864 explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exeexplorer.exe

pid process

2952 7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
2864 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2232 vssvc.exe
Token: SeRestorePrivilege 2232 vssvc.exe
Token: SeAuditPrivilege 2232 vssvc.exe

pid	process
1740	vssadmin.exe

pid	process
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe
2864	explorer.exe

pid	process
2952	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
2864	explorer.exe

description	pid	process
Token: SeBackupPrivilege	2232	vssvc.exe
Token: SeRestorePrivilege	2232	vssvc.exe
Token: SeAuditPrivilege	2232	vssvc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exeexplorer.exe

description	pid	process	target process
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2164 wrote to memory of 2952	2164	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
PID 2952 wrote to memory of 2864	2952	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	explorer.exe
PID 2952 wrote to memory of 2864	2952	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	explorer.exe
PID 2952 wrote to memory of 2864	2952	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	explorer.exe
PID 2952 wrote to memory of 2864	2952	7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe	explorer.exe
PID 2864 wrote to memory of 2760	2864	explorer.exe	svchost.exe
PID 2864 wrote to memory of 2760	2864	explorer.exe	svchost.exe
PID 2864 wrote to memory of 2760	2864	explorer.exe	svchost.exe
PID 2864 wrote to memory of 2760	2864	explorer.exe	svchost.exe
PID 2864 wrote to memory of 1740	2864	explorer.exe	vssadmin.exe
PID 2864 wrote to memory of 1740	2864	explorer.exe	vssadmin.exe
PID 2864 wrote to memory of 1740	2864	explorer.exe	vssadmin.exe
PID 2864 wrote to memory of 1740	2864	explorer.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
"C:\Users\Admin\AppData\Local\Temp\7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
  "C:\Users\Admin\AppData\Local\Temp\7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\syswow64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2760
  - - C:\Windows\syswow64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2760-24-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/2760-21-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/2864-14-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/2864-23-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/2864-22-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2864-17-0x0000000000080000-0x00000000000A3000-memory.dmp

Filesize
140KB

Download
memory/2952-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-2-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-15-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-4-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-6-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-13-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2952-12-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download