Analysis
-
max time kernel
115s -
max time network
149s -
resource
win10v191014 -
submitted
04-02-2020 16:50
General
-
Target
report.exe
-
Sample
200204-akqmaz2wqx
-
SHA256
9821a9264d6d80673739f0a02ad46176f2eeab5e0fedddbafa5047ac10b21a94
Score
10/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5088 wrote to memory of 4576 5088 report.exe 77 PID 5088 wrote to memory of 3584 5088 report.exe 95 PID 5088 wrote to memory of 520 5088 report.exe 96 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 5088 report.exe -
Kills process with taskkill 1 IoCs
pid Process 752 taskkill.exe -
Modifies service 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1CC5.bmp" report.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
description pid Process Token: SeDebugPrivilege 5088 report.exe Token: SeIncreaseQuotaPrivilege 3760 WMIC.exe Token: SeSecurityPrivilege 3760 WMIC.exe Token: SeTakeOwnershipPrivilege 3760 WMIC.exe Token: SeLoadDriverPrivilege 3760 WMIC.exe Token: SeSystemProfilePrivilege 3760 WMIC.exe Token: SeSystemtimePrivilege 3760 WMIC.exe Token: SeProfSingleProcessPrivilege 3760 WMIC.exe Token: SeIncBasePriorityPrivilege 3760 WMIC.exe Token: SeCreatePagefilePrivilege 3760 WMIC.exe Token: SeBackupPrivilege 3760 WMIC.exe Token: SeRestorePrivilege 3760 WMIC.exe Token: SeShutdownPrivilege 3760 WMIC.exe Token: SeDebugPrivilege 3760 WMIC.exe Token: SeSystemEnvironmentPrivilege 3760 WMIC.exe Token: SeRemoteShutdownPrivilege 3760 WMIC.exe Token: SeUndockPrivilege 3760 WMIC.exe Token: SeManageVolumePrivilege 3760 WMIC.exe Token: 33 3760 WMIC.exe Token: 34 3760 WMIC.exe Token: 35 3760 WMIC.exe Token: 36 3760 WMIC.exe Token: SeBackupPrivilege 4680 vssvc.exe Token: SeRestorePrivilege 4680 vssvc.exe Token: SeAuditPrivilege 4680 vssvc.exe Token: SeDebugPrivilege 752 taskkill.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3584 mshta.exe -
Blacklisted process makes network request 5 IoCs
flow pid Process 1557 3584 mshta.exe 1559 3584 mshta.exe 1561 3584 mshta.exe 1563 3584 mshta.exe 1565 3584 mshta.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings report.exe -
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 940 PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\report.exe"C:\Users\Admin\AppData\Local\Temp\report.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Modifies registry class
PID:5088 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:4576
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3760
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- Suspicious use of SetWindowsHookEx
- Blacklisted process makes network request
PID:3584
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:520
-
C:\Windows\system32\taskkill.exetaskkill /f /im "report.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:752
-
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
PID:940
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:4680