c00cc937e064946ee42776cfe80754d7
Hash
- MD5: c00cc937e064946ee42776cfe80754d7
- SHA1: 8feefc32a39bf6867378c2b25d68dd79e73f1e52
- SHA256: dd9de77c6e17093b0b2150b3f0c66e8526369ba68fb7b9a5758ff9274d85342e
- First Seen: 2026-06-02
- Last Seen: 2026-06-02
-
2
Related Reports
-
0
Related IOCs
Additional Information
VirusTotal
{
"data": {
"id": "dd9de77c6e17093b0b2150b3f0c66e8526369ba68fb7b9a5758ff9274d85342e",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/dd9de77c6e17093b0b2150b3f0c66e8526369ba68fb7b9a5758ff9274d85342e"
},
"attributes": {
"sandbox_verdicts": {
"VMRay": {
"category": "malicious",
"malware_classification": [
"RANSOM"
],
"sandbox_name": "VMRay"
},
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"RANSOM"
],
"sandbox_name": "Dr.Web vxCube"
},
"CAPE Sandbox": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "CAPE Sandbox",
"malware_names": [
"Babuk"
]
},
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"RANSOM"
],
"sandbox_name": "Zenbox",
"malware_names": [
"Babuk"
],
"confidence": 84
}
},
"crowdsourced_ids_results": [
{
"rule_category": "successful-recon-limited",
"alert_severity": "medium",
"rule_msg": "PROTOCOL-ICMP Unusual PING detected",
"rule_id": "1:29456",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:\"PROTOCOL-ICMP Unusual PING detected\"; icode:0; itype:8; fragbits:!M; content:!\"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI\",depth 32; content:!\"0123456789abcdefghijklmnopqrstuv\",depth 32; content:!\"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\",depth 36; content:!\"WANG2\"; content:!\"cacti-monitoring-system\",depth 65; content:!\"SolarWinds\",depth 72; metadata:policy max-detect-ips drop,ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29456; rev:3; )",
"rule_references": [
"https://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/",
"https://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/"
]
},
{
"rule_category": "misc-activity",
"alert_severity": "low",
"rule_msg": "PROTOCOL-ICMP PING Windows",
"rule_id": "1:382",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:\"PROTOCOL-ICMP PING Windows\"; itype:8; content:\"abcdefghijklmnop\",depth 16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11; )"
},
{
"rule_category": "misc-activity",
"alert_severity": "low",
"rule_msg": "PROTOCOL-ICMP PING",
"rule_id": "1:384",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:\"PROTOCOL-ICMP PING\"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8; )"
},
{
"rule_category": "misc-activity",
"alert_severity": "low",
"rule_msg": "PROTOCOL-ICMP Echo Reply",
"rule_id": "1:408",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:\"PROTOCOL-ICMP Echo Reply\"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8; )"
}
],
"authentihash": "4ae561efec53736d2ede7b60a94c0e5c121f68c2a7785424bc1bafc45606d69a",
"creation_date": 1729705926,
"sigma_analysis_stats": {
"critical": 0,
"high": 3,
"medium": 0,
"low": 1
},
"sha1": "8feefc32a39bf6867378c2b25d68dd79e73f1e52",
"sha256": "dd9de77c6e17093b0b2150b3f0c66e8526369ba68fb7b9a5758ff9274d85342e",
"magic": "PE32 executable (console) Intel 80386, for MS Windows",
"tlsh": "T148046A29B4D180B6D173053019F4D6756A3EBC310F255ABFA7984B6E0F381E26732AB7",
"md5": "c00cc937e064946ee42776cfe80754d7",
"trid": [
{
"file_type": "Win32 Dynamic Link Library (generic)",
"probability": 22.9
},
{
"file_type": "Win64 Executable (generic)",
"probability": 22.7
},
{
"file_type": "Win16 NE executable (generic)",
"probability": 17.5
},
{
"file_type": "Win32 Executable (generic)",
"probability": 15.7
},
{
"file_type": "OS/2 Executable (generic)",
"probability": 7.0
}
],
"type_tags": [
"executable",
"windows",
"win32",
"pe",
"peexe"
],
"names": [
"svchosts.exe"
],
"popular_threat_classification": {
"suggested_threat_label": "ransomware.babuk/babyk",
"popular_threat_name": [
{
"value": "babuk",
"count": 18
},
{
"value": "babyk",
"count": 3
},
{
"value": "midnight",
"count": 2
}
],
"popular_threat_category": [
{
"value": "ransomware",
"count": 23
},
{
"value": "trojan",
"count": 19
}
]
},
"filecondis": {
"dhash": "fc7c3c1c0e550800",
"raw_md5": "1e08d8995467fc5391fc9ff274cfc997"
},
"last_modification_date": 1776397504,
"first_submission_date": 1750988696,
"type_tag": "peexe",
"ssdeep": "3072:BBE5rOO3uteAiHbu8lWNOWXgDaYB6fgZokVsAZVPdNmVhYGES:7OKO3u4ljWXgDa8eshQYjS",
"size": 188928,
"tags": [
"peexe"
],
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "2.0.0.1",
"engine_update": "20260416",
"category": "malicious",
"result": "W32.AIDetectMalware"
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260416",
"category": "malicious",
"result": "Trojan.Win32.Babuk.4!c"
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260417",
"category": "undetected",
"result": null
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260416",
"category": "malicious",
"result": "Win.Ransomware.Babuk-9819006-0"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260416",
"category": "malicious",
"result": "BehavesLike.Win32.NetLoader.ch"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260416",
"category": "malicious",
"result": "Trojan.Ransom.Babuk"
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260416",
"category": "malicious",
"result": "Unsafe"
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260416",
"category": "malicious",
"result": "Generic.Ransom.Babuk.!s!.G.A7E938E3"
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260413",
"category": "malicious",
"result": "Trojan.Win32.Save.a"
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.47.59222",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransomware ( 005d4db51 )"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260417",
"category": "malicious",
"result": "Generic.Ransom.Babuk.!s!.G.A7E938E3"
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.47.59222",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransomware ( 005d4db51 )"
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "malicious",
"result": "win/malicious_confidence_100% (W)"
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260416",
"category": "malicious",
"result": "Generic.Ransom.Babuk.!s!.G.A7E938E3"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "8551ec9:8551ec9:9bef9f5:9bef9f5",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransom/BTCware.h"
},
"Baidu": {
"method": "blacklist",
"engine_name": "Baidu",
"engine_version": "1.0.0.2",
"engine_update": "20190318",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1188",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransom.Beast"
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.256",
"engine_update": "20260416",
"category": "malicious",
"result": "malicious (high confidence)"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260416",
"category": "malicious",
"result": "Win32/Filecoder.Babyk.A trojan"
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.770",
"engine_update": "20260416",
"category": "malicious",
"result": "Malicious"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransom.Win32.MIDNIGHT.THKADBE"
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260417",
"category": "malicious",
"result": "generic.ml"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260416",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260416",
"category": "malicious",
"result": "HEUR:Trojan.Win32.Generic"
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "malicious",
"result": "Ransom:Win32/Babuk.475363f2"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260416",
"category": "malicious",
"result": "Generic.Ransom.Babuk.!s!.G.A7E938E3"
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260417",
"category": "malicious",
"result": "Trojan-Ransom.Win32.Babyk.16000578"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.4.1.0",
"engine_update": "20260416",
"category": "malicious",
"result": "Troj/Babuk-Gen"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260416",
"category": "malicious",
"result": "Trojan.TR/AD.Nekark.svgvd"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260417",
"category": "malicious",
"result": "Trojan.Encoder.42546"
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5582",
"engine_update": "20260416",
"category": "malicious",
"result": "Trojan.Filecoder.Win32.42113"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransom.Win32.MIDNIGHT.THKADBE"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14532",
"engine_update": "20260417",
"category": "malicious",
"result": "Trojan:Win/Babuk.EAA"
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.11.0",
"engine_update": "20260331",
"category": "malicious",
"result": "malicious.moderate.ml.score"
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260417",
"category": "malicious",
"result": "exe.trojan.babuk"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260417",
"category": "malicious",
"result": "Generic.Ransom.Babuk.!s!.G.A7E938E3 (B)"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260416",
"category": "malicious",
"result": "Trojan.Win32.Rietspoof"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1776380454",
"engine_update": "20260417",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260416",
"category": "malicious",
"result": "TR/AD.Nekark.svgvd"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260417",
"category": "malicious",
"result": "Trojan[Ransom]/Win64.Filecoder.a"
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260416",
"category": "malicious",
"result": "Win32.Trojan.Generic.a"
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.243.174",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38573",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26030.3008",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransom:Win32/Babuk.SIB!MTB"
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.24-114820304",
"engine_update": "20260416",
"category": "malicious",
"result": "Troj/Babuk-Gen"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44218AVA:64.31049",
"engine_update": "20260417",
"category": "malicious",
"result": "Generic.Ransom.Babuk.!s!.G.A7E938E3"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260416",
"category": "malicious",
"result": "W32/Filecoder.CNPB-5433"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.29.3.10609",
"engine_update": "20260416",
"category": "malicious",
"result": "Trojan/Win.Generic.C5765109"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.5.1",
"engine_update": "20260416",
"category": "malicious",
"result": "BScope.Trojan.Hancitor"
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-04-17.01",
"engine_update": "20260417",
"category": "undetected",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260407",
"category": "malicious",
"result": "MALICIOUS"
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.231",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransom.Babuk"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260416",
"category": "malicious",
"result": "Trj/Chgt.AD"
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260416",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransom.Babuk!1.12A2A (CLASSIC)"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260417",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260416",
"category": "malicious",
"result": "Ransomware-IAC!C00CC937E064"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "malicious",
"result": "Static AI - Suspicious PE"
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260416",
"category": "malicious",
"result": "Trojan.Malware.7164915.susgen"
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.30.0",
"engine_update": "20260416",
"category": "malicious",
"result": "W32/Babyk.A!tr.ransom"
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "malicious",
"result": "Win32:Evo-gen [Trj]"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260322",
"category": "malicious",
"result": "Win32:Evo-gen [Trj]"
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Ransomware:Win/Babuk.MMJ2XJC"
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260417",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20251216",
"category": "type-unsupported",
"result": null
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260416-00",
"engine_update": "20260416",
"category": "type-unsupported",
"result": null
}
},
"vhash": "015076655d1d1515156078z7iz33z2fz",
"reputation": -136,
"crowdsourced_ids_stats": {
"high": 0,
"medium": 1,
"low": 3,
"info": 0
},
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "90a2634e64f0a02343bf17b797e3d249061fdee81d36e5dac2d8e3fe2a2df280",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Volume Shadow Copy VSS_PS.dll Load",
"rule_description": "Detects the image load of vss_ps.dll by uncommon executables",
"rule_author": "Markus Neis, @markus_neis",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Hashes": "SHA1=8B243337BB6C20FFAE3FEC4E6BBB2BEE49667AF5,MD5=19E73678BF30BB1771DE56D974EBA3FF,SHA256=0DA15A00369E12A36339CEB790029E6511A7045E87C5BBF7CC534E7F24C85840,IMPHASH=0900679808D5259052C4CF8671A494F0",
"SignatureStatus": "Valid",
"ImageLoaded": "C:\\Windows\\System32\\vss_ps.dll",
"Description": "Microsoft\\xae Volume Shadow Copy Service proxy/stub",
"OriginalFileName": "VSS_PS.DLL",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"EventID": "7",
"Signature": "Microsoft Windows",
"Signed": "true",
"Image": "C:\\Windows\\System32\\vssadmin.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "ad5e4d4b939797a70a9aa742d979a4742c2cfedddd663fb1a43b2795c1e6054b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Shadow Copies Deletion Using Operating Systems Utilities",
"rule_description": "Shadow Copies deletion using operating systems utilities",
"rule_author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "VSSADMIN.EXE",
"Hashes": "MD5=B58073DB8892B67A672906C9358020EC,SHA256=8C1FABCC2196E4D096B7D155837C5F699AD7F55EDBF84571E4F8E03500B7A8B0,IMPHASH=C1EDC431CD345F0A0F32019895D13FCE",
"Description": "Command Line Interface for Microsoft\\xae Volume Shadow Copy Service ",
"FileVersion": "10.0.19041.1 (WinBuild.160101.0800)",
"ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet",
"CommandLine": "vssadmin.exe delete shadows /all /quiet",
"EventID": "1",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\vssadmin.exe",
"Company": "Microsoft Corporation"
}
},
{
"values": {
"Hashes": "SHA1=0E6A2023666008403EF5718D2FF0B1AD621773D2,MD5=E4312AD49EBBB7C2BA3DC77FB76A8263,SHA256=39D1BCA6060207C9F8D9F3EEA060428F250F4AA542C6AAC6E66DA24464DFC10F,IMPHASH=D509661209CA0D9B45580702D62B63C0",
"CurrentDirectory": "C:\\Users\\Bruno\\Desktop\\",
"OriginalFileName": "VSSADMIN.EXE",
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Description": "Command Line Interface for Microsoft\\xae Volume Shadow Copy Service ",
"EventID": "1",
"ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet",
"CommandLine": "vssadmin.exe delete shadows /all /quiet",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"IntegrityLevel": "High",
"Image": "C:\\Windows\\System32\\vssadmin.exe",
"Company": "Microsoft Corporation"
}
}
]
},
{
"rule_level": "high",
"rule_id": "f441bf0f20310d2f8fb4c38b047725cf9bafb59c2a7634f73d2d38745157b248",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon File Created In Office Startup Folder",
"rule_description": "Detects the creation of a file with an uncommon extension in an Office application startup folder",
"rule_author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"Image": "C:\\Users\\Bruno\\Desktop\\svchosts.exe",
"TargetFilename": "C:\\Users\\Bruno\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\How To Restore Your Files.txt",
"EventID": "11"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7d0d3be8fa405f5e34c2e0cf9eaa345cacd60eb5244b50b23dc54c4785bc7512",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Load Of RstrtMgr.DLL By An Uncommon Process",
"rule_description": "Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shut downing specific processes.\n",
"rule_author": "Luc G\u00e9naux",
"match_context": [
{
"values": {
"Product": "Microsoft\\xae Windows\\xae Operating System",
"Hashes": "SHA1=595C70252F245AF1A88F0BD646A2F5F41D32897E,MD5=013994A9137A9092351C0DEA9234EEA9,SHA256=A86D265ED0E9038A86ECEE66E13F65F79D56249A05B71D8ECDBD1C5E6225D296,IMPHASH=CC9A2A88461993DF8B57CF17B8D8D696",
"SignatureStatus": "Valid",
"ImageLoaded": "C:\\Windows\\SysWOW64\\RstrtMgr.dll",
"Description": "Restart Manager",
"OriginalFileName": "RstrtMgr.dll",
"EventID": "7",
"FileVersion": "10.0.22621.1 (WinBuild.160101.0800)",
"Signature": "Microsoft Windows",
"Signed": "true",
"Image": "C:\\Users\\Bruno\\Desktop\\svchosts.exe",
"Company": "Microsoft Corporation"
}
}
]
}
],
"last_analysis_stats": {
"malicious": 56,
"suspicious": 0,
"undetected": 16,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 4
},
"last_analysis_date": 1776390288,
"magika": "PEBIN",
"detectiteasy": {
"filetype": "PE32",
"values": [
{
"info": "EXE32",
"version": "2013-2017",
"type": "Compiler",
"name": "EP:Microsoft Visual C/C++"
},
{
"info": "LTCG/C++",
"version": "19.00.23506",
"type": "Compiler",
"name": "Microsoft Visual C/C++"
},
{
"version": "14.00.23506",
"type": "Linker",
"name": "Microsoft Linker"
},
{
"version": "2015",
"type": "Tool",
"name": "Visual Studio"
}
]
},
"unique_sources": 2,
"times_submitted": 2,
"crowdsourced_yara_results": [
{
"ruleset_id": "00c3b8eb5d",
"ruleset_version": "00c3b8eb5d|e76c93dcdedff04076380ffc60ea54e45b313635",
"ruleset_name": "indicator_suspicious",
"rule_name": "INDICATOR_SUSPICIOUS_GENRansomware",
"match_date": 1776394027,
"description": "Detects command variations typically used by ransomware",
"author": "ditekSHen",
"source": "https://github.com/ditekshen/detection"
},
{
"ruleset_id": "00c3b8eb5d",
"ruleset_version": "00c3b8eb5d|e76c93dcdedff04076380ffc60ea54e45b313635",
"ruleset_name": "indicator_suspicious",
"rule_name": "INDICATOR_SUSPICOUS_EXE_References_VEEAM",
"match_date": 1776394027,
"description": "Detects executables containing many references to VEEAM. Observed in ransomware",
"author": "ditekSHen",
"source": "https://github.com/ditekshen/detection"
}
],
"meaningful_name": "svchosts.exe",
"total_votes": {
"harmless": 0,
"malicious": 4
},
"pe_info": {
"timestamp": 1729705926,
"imphash": "96272ca8281bc1f950eb461a23ea5021",
"machine_type": 332,
"entry_point": 28197,
"resource_details": [
{
"lang": "ENGLISH US",
"chi2": 5126.04,
"filetype": "unknown",
"entropy": 5.043781757354736,
"sha256": "59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa",
"type": "RT_MANIFEST"
}
],
"resource_langs": {
"ENGLISH US": 1
},
"resource_types": {
"RT_MANIFEST": 1
},
"sections": [
{
"name": ".text",
"chi2": 630765.75,
"virtual_address": 4096,
"flags": "rx",
"raw_size": 121344,
"entropy": 6.64,
"virtual_size": 121217,
"md5": "bc349e91d88f4c60128859e7af87e8bd"
},
{
"name": ".rdata",
"chi2": 2203179.75,
"virtual_address": 126976,
"flags": "r",
"raw_size": 47104,
"entropy": 4.89,
"virtual_size": 46920,
"md5": "517ec86ed2bd9ef15cbb21b208bbf3aa"
},
{
"name": ".data",
"chi2": 1176396.88,
"virtual_address": 176128,
"flags": "rw",
"raw_size": 7680,
"entropy": 2.13,
"virtual_size": 12776,
"md5": "3269b5e3fe2f2d56da07e6ee080095ca"
},
{
"name": ".tls",
"chi2": 130049.0,
"virtual_address": 192512,
"flags": "rw",
"raw_size": 512,
"entropy": 0.02,
"virtual_size": 9,
"md5": "1f354d76203061bfdd5a53dae48d5435"
},
{
"name": ".gfids",
"chi2": 110182.5,
"virtual_address": 196608,
"flags": "r",
"raw_size": 1024,
"entropy": 2.97,
"virtual_size": 752,
"md5": "b56cd96ea90471d8b6dee6ce977d86f6"
},
{
"name": ".rsrc",
"chi2": 54693.0,
"virtual_address": 200704,
"flags": "r",
"raw_size": 1024,
"entropy": 3.85,
"virtual_size": 648,
"md5": "3215e94c89aa245a207318ee873baaf1"
},
{
"name": ".reloc",
"chi2": 37345.25,
"virtual_address": 204800,
"flags": "r",
"raw_size": 9216,
"entropy": 6.59,
"virtual_size": 9172,
"md5": "e349dc4f20888f46b582b9be06784923"
}
],
"compiler_product_versions": [
"[---] Unmarked objects count=161",
"[LT+] VS2015 UPD1 build 23506 count=11",
"[RES] VS2015 UPD1 build 23506 count=1",
"[LNK] VS2015 UPD1 build 23506 count=1",
"id: 0xf1, version: 40116 count=11",
"id: 0xf3, version: 40116 count=144",
"id: 0xf2, version: 40116 count=27",
"id: 0xcb, version: 65501 count=17",
"id: 0x103, version: 23406 count=22",
"id: 0x105, version: 23406 count=59",
"id: 0x104, version: 23406 count=65"
],
"rich_pe_header_hash": "b307fe63a37b66ea39fb798986863dfc",
"import_list": [
{
"library_name": "USER32.dll",
"imported_functions": [
"ShowWindow",
"wsprintfA"
]
},
{
"library_name": "SHELL32.dll",
"imported_functions": [
"CommandLineToArgvW",
"ShellExecuteW",
"SHEmptyRecycleBinA"
]
},
{
"library_name": "RstrtMgr.DLL",
"imported_functions": [
"RmEndSession",
"RmGetList",
"RmRegisterResources",
"RmStartSession"
]
},
{
"library_name": "MPR.dll",
"imported_functions": [
"WNetCloseEnum",
"WNetEnumResourceW",
"WNetGetConnectionW",
"WNetOpenEnumW"
]
},
{
"library_name": "KERNEL32.dll",
"imported_functions": [
"CloseHandle",
"CompareStringW",
"CreateEventW",
"CreateFileW",
"CreateMutexA",
"CreateSemaphoreA",
"CreateThread",
"CreateToolhelp32Snapshot",
"DecodePointer",
"DeleteCriticalSection",
"EncodePointer",
"EnterCriticalSection",
"EnumSystemLocalesW",
"ExitProcess",
"ExitThread",
"FindClose",
"FindFirstFileExA",
"FindFirstFileW",
"FindNextFileA",
"FindNextFileW",
"FlushFileBuffers",
"FreeEnvironmentStringsW",
"FreeLibrary",
"GetACP",
"GetCommandLineA",
"GetCommandLineW",
"GetConsoleCP",
"GetConsoleMode",
"GetConsoleWindow",
"GetCPInfo",
"GetCurrentProcess",
"GetCurrentProcessId",
"GetCurrentThreadId",
"GetDriveTypeW",
"GetEnvironmentStringsW",
"GetFileSizeEx",
"GetFileType",
"GetLastError",
"GetLocaleInfoW",
"GetLogicalDrives",
"GetModuleFileNameA",
"GetModuleFileNameW",
"GetModuleHandleA",
"GetModuleHandleExW",
"GetModuleHandleW",
"GetOEMCP",
"GetProcAddress",
"GetProcessHeap",
"GetStartupInfoW",
"GetStdHandle",
"GetStringTypeW",
"GetSystemInfo",
"GetSystemTimeAsFileTime",
"GetTickCount",
"GetUserDefaultLCID",
"GlobalAlloc",
"GlobalFree",
"HeapAlloc",
"HeapFree",
"HeapReAlloc",
"HeapSize",
"InitializeCriticalSection",
"InitializeCriticalSectionAndSpinCount",
"InitializeSListHead",
"IsDebuggerPresent",
"IsProcessorFeaturePresent",
"IsValidCodePage",
"IsValidLocale",
"LCMapStringW",
"LeaveCriticalSection",
"LoadLibraryA",
"LoadLibraryExW",
"lstrcatW",
"lstrcmpiW",
"lstrcmpW",
"lstrcpyW",
"lstrlenA",
"lstrlenW",
"MoveFileExW",
"MultiByteToWideChar",
"OpenMutexA",
"OpenProcess",
"Process32FirstW",
"Process32NextW",
"QueryPerformanceCounter",
"RaiseException",
"ReadConsoleW",
"ReadFile",
"ReleaseSemaphore",
"ResetEvent",
"RtlUnwind",
"SetEnvironmentVariableA",
"SetEvent",
"SetFileAttributesW",
"SetFilePointerEx",
"SetLastError",
"SetProcessShutdownParameters",
"SetStdHandle",
"SetUnhandledExceptionFilter",
"Sleep",
"TerminateProcess",
"TlsAlloc",
"TlsFree",
"TlsGetValue",
"TlsSetValue",
"UnhandledExceptionFilter",
"WaitForMultipleObjects",
"WaitForSingleObject",
"WaitForSingleObjectEx",
"WideCharToMultiByte",
"WriteConsoleW",
"WriteFile"
]
},
{
"library_name": "ADVAPI32.dll",
"imported_functions": [
"CloseServiceHandle",
"ControlService",
"EnumDependentServicesA",
"OpenSCManagerA",
"OpenServiceA",
"QueryServiceStatusEx",
"SystemFunction036"
]
}
]
},
"type_description": "Win32 EXE",
"type_extension": "exe",
"last_submission_date": 1751388020,
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 3,
"medium": 0,
"low": 1
}
}
}
}
}