IRSdeclaration‮cod.exe

General

Target: IRSdeclaration‮cod.exe
Filesize: 282KB
Completed: 13-03-2020 03:34
Score: 9/10
MD5: fe3fd53ddc7c229b1150d970a05947c0
SHA1: 3abeddbbbd29310290955cc7c1a895550c92ab96
SHA256: c414bbb789af8e3fb93b33344b31f1991582ec0f06558b29a3178d2b02465c72

Malware Config
Signatures 9

Defense Evasion
Impact
Persistence
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid  | process
    1868 | vssadmin.exe
  • Drops file in Program Files directory
    IRSdeclaration‮cod.exe

  • Modifies service
    vssvc.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  • Kills process with taskkill
    taskkill.exe

    Reported IOCs

    pid | process
    692 | taskkill.exe
  • Suspicious use of AdjustPrivilegeToken
    IRSdeclaration‮cod.exe, vssvc.exe, taskkill.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1844 | IRSdeclaration‮cod.exe
    Token: SeImpersonatePrivilege | 1844 | IRSdeclaration‮cod.exe
    Token: SeBackupPrivilege | 5768 | vssvc.exe
    Token: SeRestorePrivilege | 5768 | vssvc.exe
    Token: SeAuditPrivilege | 5768 | vssvc.exe
    Token: SeDebugPrivilege | 692 | taskkill.exe
  • Suspicious behavior: EnumeratesProcesses
    IRSdeclaration‮cod.exe

    Reported IOCs

    pid  | process
    1844 | IRSdeclaration‮cod.exe
  • Suspicious use of WriteProcessMemory
    IRSdeclaration‮cod.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1844 wrote to memory of 1868 | 1844 | IRSdeclaration‮cod.exe | vssadmin.exe
    PID 1844 wrote to memory of 216 | 1844 | IRSdeclaration‮cod.exe | notepad.exe
    PID 1844 wrote to memory of 2924 | 1844 | IRSdeclaration‮cod.exe | cmd.exe
    PID 2924 wrote to memory of 692 | 2924 | cmd.exe | taskkill.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid  | process
    2924 | cmd.exe
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\IRSdeclaration‮cod.exe
    "C:\Users\Admin\AppData\Local\Temp\IRSdeclaration‮cod.exe"
    Drops file in Program Files directory
    Suspicious use of AdjustPrivilegeToken
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      Interacts with shadow copies
      PID:1868
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\4010F4-Readme.txt"
      PID:216
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\A41B.tmp.bat"
      Suspicious use of WriteProcessMemory
      Deletes itself
      PID:2924
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 1844
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        PID:692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:5768
Network
MITRE ATT&CK Matrix (tactic columns shown: Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation)