Analysis
max time kernel: 113s
max time network: 121s
resource: win7v191014
submitted: 04-02-2020 16:50
General
Target: report.exe
Sample: 200204-akqmaz2wqx
SHA256: 9821a9264d6d80673739f0a02ad46176f2eeab5e0fedddbafa5047ac10b21a94
Score: 10/10
Malware Config
Signatures
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1428 wrote to memory of 1400 | 1428 | report.exe | 27
PID 1428 wrote to memory of 1708 | 1428 | report.exe | 35
PID 1428 wrote to memory of 972 | 1428 | report.exe | 36
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1708 | mshta.exe
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File renamed | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE => C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\OiH4wkPmG1.8859 | report.exe
File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | report.exe
File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | report.exe
File renamed | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE => C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\uBVOwGgCE7.8859 | report.exe
File created | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta | report.exe
File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | report.exe
File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | report.exe
File renamed | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE => C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DLxesnf7vZ.8859 | report.exe
File renamed | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE => C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\iuwkcxEd-b.8859 | report.exe
File opened for modification | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | report.exe
File renamed | C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE => C:\Program Files\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\sh2ZUcYNcJ.8859 | report.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp932A.bmp" | report.exe
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
1924 | PING.EXE
Suspicious use of AdjustPrivilegeToken (25 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1428 | report.exe
Token: SeIncreaseQuotaPrivilege | 1108 | WMIC.exe
Token: SeSecurityPrivilege | 1108 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1108 | WMIC.exe
Token: SeLoadDriverPrivilege | 1108 | WMIC.exe
Token: SeSystemProfilePrivilege | 1108 | WMIC.exe
Token: SeSystemtimePrivilege | 1108 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1108 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1108 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1108 | WMIC.exe
Token: SeBackupPrivilege | 1108 | WMIC.exe
Token: SeRestorePrivilege | 1108 | WMIC.exe
Token: SeShutdownPrivilege | 1108 | WMIC.exe
Token: SeDebugPrivilege | 1108 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1108 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1108 | WMIC.exe
Token: SeUndockPrivilege | 1108 | WMIC.exe
Token: SeManageVolumePrivilege | 1108 | WMIC.exe
Token: 33 | 1108 | WMIC.exe
Token: 34 | 1108 | WMIC.exe
Token: 35 | 1108 | WMIC.exe
Token: SeBackupPrivilege | 1156 | vssvc.exe
Token: SeRestorePrivilege | 1156 | vssvc.exe
Token: SeAuditPrivilege | 1156 | vssvc.exe
Token: SeDebugPrivilege | 1136 | taskkill.exe
Modifies service (2 TTPs, 5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Deletes itself (1 IoCs)
pid | Process
972 | cmd.exe
Blacklisted process makes network request (3 IoCs)
flow | pid | Process
1547 | 1708 | mshta.exe
1549 | 1708 | mshta.exe
1551 | 1708 | mshta.exe
Kills process with taskkill (1 IoCs)
pid | Process
1136 | taskkill.exe
Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Suspicious use of UnmapMainImage (1 IoCs)
pid | Process
1428 | report.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
1428 | report.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery
Processes
C:\Users\Admin\AppData\Local\Temp\report.exe (PID 1428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\report.exe"
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe (PID 1400)
    Command line: "C:\Windows\system32\cmd.exe"
    C:\Windows\system32\wbem\WMIC.exe (PID 1108)
      Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\mshta.exe (PID 1708)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
    - Suspicious use of SetWindowsHookEx
    - Blacklisted process makes network request
    - Modifies Internet Explorer settings
  C:\Windows\system32\cmd.exe (PID 972)
    Command line: "C:\Windows\system32\cmd.exe"
    - Deletes itself
    C:\Windows\system32\taskkill.exe (PID 1136)
      Command line: taskkill /f /im "report.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Kills process with taskkill
    C:\Windows\system32\PING.EXE (PID 1924)
      Command line: ping -n 1 127.0.0.1
      - Runs ping.exe
C:\Windows\system32\vssvc.exe (PID 1156)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
C:\Windows\SysWOW64\DllHost.exe (PID 320)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}