Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2025, 07:51
Static task: static1

Behavioral task: behavioral1
Sample: 5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
Resource: win10v2004-20241007-en
General

Target: 5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
Size: 487KB
MD5: 8040a1a66e9b6cffba01d78b642140ea
SHA1: acac5dc3f6140c093e1ebace12f1c8579f8fb3bf
SHA256: 5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d
SHA512: 62a188e40a988e65dfff91e0d0ea88e5f925eb794f66d71073d4d4913298283b7e736abed83b0fc384db5e0ae5a061786bbca7ab97ddec455684604ef89c6138
SSDEEP: 6144:1MkLeY49LF6PAd+eDQbS0VeWVa1Kj/5hd2SXvT+r8feNNvy6kLu+1bq7YNZ:1M5XQrVeWVa1Kj/57nmNNeVU76
Signatures

- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Renames multiple (302) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\F: | 5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe

- Modifies boot configuration data using bcdedit (4 IoCs)
  pid | Process
  1316 | bcdedit.exe
  1016 | bcdedit.exe
  1304 | bcdedit.exe
  1460 | bcdedit.exe

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\readme.bmp" | 5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Interacts with shadow copies (3 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1804 | vssadmin.exe
  776 | vssadmin.exe

- Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\WallpaperStyle = "0" | 5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\TileWallpaper = "0" | 5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe

- Suspicious behavior: EnumeratesProcesses (20 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (48 IoCs)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d2597a8a8b8d4d0dfafef02b41d3746bb9a3ccfcacac9a0a8eaec237aa90c1d.exe"
  PID: 1060
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 2696
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 1804
      - Interacts with shadow copies

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
    PID: 3060
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic SHADOWCOPY DELETE
      PID: 2176
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
    PID: 2236
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit / set{ default } recoveryenabled No
      PID: 1316
      - Modifies boot configuration data using bcdedit

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
    PID: 2344
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit / set{ default } bootstatuspolicy ignoreallfailures
      PID: 1016
      - Modifies boot configuration data using bcdedit

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 2676
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 776
      - Interacts with shadow copies

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
    PID: 2136
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic SHADOWCOPY DELETE
      PID: 1712
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } recoveryenabled No
    PID: 1096
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit / set{ default } recoveryenabled No
      PID: 1460
      - Modifies boot configuration data using bcdedit

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c bcdedit / set{ default } bootstatuspolicy ignoreallfailures
    PID: 1036
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit / set{ default } bootstatuspolicy ignoreallfailures
      PID: 1304
      - Modifies boot configuration data using bcdedit

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1244
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 05e96cfa12573c5dab367e6a11b939a9
  SHA1: 37822be386a3e2019996b2cd0a0e0fbd0e36d649
  SHA256: 70d1cad91bf037604433ec91d1ce13b701cdc15911578febd0be7c8798bc42eb
  SHA512: 1272a1bf02837be6fbf96f3f00e2f80ef69dc7432f29283f9bb9d2e245b1ed3e3e0de0641b81e981f0b53213c061dd33bcc7e1884f9ba27637fff218ddcd74e9