9c8ab7e25dc5b82b2844961f845071e22b7f2c53779725da17a6238db7eb4566

General

Target

daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Size

160KB
MD5

ed6fa9757400a0de9596d59bd0262ebd
SHA1

0836c5ab9bed96b1d9618bc802792185c6ee21ca
SHA256

daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397
SHA512

37d93ce4b1796d205d090390645fa149181b99fa7a67c0afcfa548851644659dde27b169049f7f5bfc73e63bc448a59746236e1e6b47335d58a6b0eddd356412
SSDEEP

3072:bDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368a0y5zxm8yNB41ctER6ptQtR2:15d/zugZqll3bQzmB3tQt5L

Score

9^/10

defense_evasion discovery ransomware

Malware Config

Signatures

Renames multiple (105) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1062200478-553497403-3857448183-1000\desktop.ini	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1062200478-553497403-3857448183-1000\desktop.ini	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.8ORZ41NKC	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.8ORZ41NKC\ = "8ORZ41NKC"	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\8ORZ41NKC\DefaultIcon	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\8ORZ41NKC	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\8ORZ41NKC\DefaultIcon\ = "C:\\ProgramData\\8ORZ41NKC.ico"	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeBackupPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeDebugPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: 36	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeImpersonatePrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeIncBasePriorityPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeIncreaseQuotaPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: 33	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeManageVolumePrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeProfSingleProcessPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeRestorePrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeSecurityPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeSystemProfilePrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeTakeOwnershipPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeShutdownPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeDebugPrivilege	5620	daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
Token: SeBackupPrivilege	5104	vssvc.exe
Token: SeRestorePrivilege	5104	vssvc.exe
Token: SeAuditPrivilege	5104	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
"C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5620
- C:\ProgramData\7D7D.tmp
  "C:\ProgramData\7D7D.tmp"
  2⤵
  PID:5964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7D7D.tmp >> NUL
    3⤵
    PID:1412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1062200478-553497403-3857448183-1000\XXXXXXXXXXX

Filesize
129B

MD5
638e645f42663174eb205e0d630558e8

SHA1
5340505c47919b5db79525271460fe6084dab45b

SHA256
8759487fda991e3ff5ef2d3b848edbecc018fd67c1521919fdef48bb7b1d6c48

SHA512
b2565c002667ca1c7ec1e89c3fd8f0cdddb48bbb7c5c89fc6adb28873381279b1be2683af2c4bba59042ccdb54ed046f92e43525a010d174485085a777ed4fe3

Download Submit
C:\8ORZ41NKC.README.txt

Filesize
6KB

MD5
89fd57e9e30f347f88d4c4c82d84e53a

SHA1
cb9640772425fd32fea89ad3896a377a3ac0a513

SHA256
0934b039eb9c786543aa3c6f6e6651ebab173b0d01ace8d36d77a77ff58468be

SHA512
8c2dde38714bbc8a9562b71c0e4248270bcee0b066cf7188231141aea79490fbf9892b2278ea7a5110d5dbf145bc3f9f035531206e3884fa4107cbd28f674c75

Download Submit
C:\ProgramData\7D7D.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
160KB

MD5
4032b50893d4bfecee1668373099b3cf

SHA1
e4c76ffc288e212fa742841bff0cfb6def571d01

SHA256
2dd41f7b95644f60071ebf1277275e9e0937dd8d918263cdefb9362206e2dc24

SHA512
b6f8feb42f66ba8d13afc49cc59d581cae928349fcbe39da0f5b1193c55dc61fc386ce06b328d12fa456c59ca040e3592d0e50a65065896ccf8697ec67d9676a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1062200478-553497403-3857448183-1000\DDDDDDDDDDD

Filesize
129B

MD5
fbbc7aea73d2c604c442f4ac764cfac4

SHA1
d243be10dc90740edcdfe79235db4a7c7a76867f

SHA256
ab9386b1aed4c63900adb2049d8e1e658b4d481a172ffb717b0c8d0b8c0313de

SHA512
5d6ca34cc02c39e63bf08630d89f8dd8cf36874e5ff4d1d2a66c6b1ead003aaf7bf7452695dc58fb2ca09cdafe616c92c489347e228025aa7150a86e7ca5b3b6

Download Submit
memory/5620-324-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/5620-0-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/5620-2-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/5620-327-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/5620-1-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/5964-328-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/5964-326-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/5964-325-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/5964-323-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/5964-357-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/5964-361-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/5964-360-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing