Overview

overview

9

task1

 

9

task2

 

9

Resubmissions

30-10-2019 18:36

191030-4jjvvmbgys 0

30-10-2019 17:06

191030-cdxr5hrvmn 0

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • resource
    win10v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    iis_agent32.exe

  • Sample

    191030-cdxr5hrvmn

  • SHA256

    9730e03ca9d052875895b4ad7ba7914f69009fd5fb58d324ee35d3e45f90d768

Score
N/A

Malware Config

Signatures

  • Drops file in system dir 64 IoCs
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Uses Volume Shadow Copy Service COM API 14 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Deletes shadow copies 2 TTPs 2 IoCs
    ransomware
  • Modifies Boot Configuration Data 1 TTPs 2 IoCs
    ransomwareevasion
  • Clears Windows event logs 1 TTPs 3 IoCs
    evasionransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe
    "C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe"
    1⤵
    • Drops file in system dir
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4852
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /Quiet
    1⤵
      PID:4956
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /Quiet
      1⤵
      • Uses Volume Shadow Copy Service COM API
      • Deletes shadow copies
      PID:4996
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Uses Volume Shadow Copy Service COM API
      • Suspicious use of AdjustPrivilegeToken
      PID:5024
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k swprv
      1⤵
        PID:5064
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C WMIC.exe shadowcopy delete
        1⤵
          PID:5108
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC.exe shadowcopy delete
          1⤵
          • Deletes shadow copies
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C Bcdedit.exe /set {default} recoveryenabled no
          1⤵
            PID:4232
          • C:\Windows\system32\bcdedit.exe
            Bcdedit.exe /set {default} recoveryenabled no
            1⤵
            • Modifies Boot Configuration Data
            PID:4436
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            1⤵
              PID:3104
            • C:\Windows\system32\bcdedit.exe
              Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
              1⤵
              • Modifies Boot Configuration Data
              PID:4452
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C wevtutil.exe cl Application
              1⤵
                PID:3636
              • C:\Windows\system32\wevtutil.exe
                wevtutil.exe cl Application
                1⤵
                • Clears Windows event logs
                • Suspicious use of AdjustPrivilegeToken
                PID:4492
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C wevtutil.exe cl Security
                1⤵
                  PID:4560
                • C:\Windows\system32\wevtutil.exe
                  wevtutil.exe cl Security
                  1⤵
                  • Clears Windows event logs
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4532
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C wevtutil.exe cl System
                  1⤵
                    PID:4500
                  • C:\Windows\system32\wevtutil.exe
                    wevtutil.exe cl System
                    1⤵
                    • Clears Windows event logs
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4604
                  • C:\Windows\system32\SppExtComObj.exe
                    C:\Windows\system32\SppExtComObj.exe -Embedding
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4596
                  • C:\Windows\System32\SLUI.exe
                    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
                    1⤵
                      PID:3836
                    • \??\c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s BITS
                      1⤵
                        PID:2272
                      • \??\c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
                        1⤵
                          PID:2976
                        • \??\c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
                          1⤵
                          • Checks system information in the registry (likely anti-VM)
                          PID:4812
                        • \??\c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
                          1⤵
                          • Windows security modification
                          PID:2004
                        • \??\c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k unistacksvcgroup
                          1⤵
                            PID:2064

                          Network

                          MITRE ATT&CK Enterprise v15

                          MITRE ATT&CK Additional techniques

                          • T1089
                          • T1107

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads