Overview

overview

9

Static

static

b2a27c3b5c...e3.exe

windows7_x64

9

b2a27c3b5c...e3.exe

windows10_x64

9

Resubmissions

04/05/2020, 15:13

200504-6r5nmgfcka 10

21/04/2020, 05:49

200421-nvrsxxs6e6 9

Analysis

  • max time kernel
    141s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v200410
  • submitted
    21/04/2020, 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

  • Size

    12KB

  • MD5

    4a7378c7ef7a9b72aa2b38019aa6fcdc

  • SHA1

    7e19a75d8a91fa2e4e6e7519609eb8c300a8a030

  • SHA256

    b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3

  • SHA512

    8eb4cfcd03315f5984ee6909cd33b3086227e610d78d24dd32525a421a92b440fe012f2b5403dbc10be8db875fa5db83731786578395fef44dde8394ec219441

Score
9/10
ransomwareevasionpersistence

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 1 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 33 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops file in Program Files directory 22247 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
    "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Drops startup file
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    • Drops file in Program Files directory
    PID:1872
    • C:\Windows\System32\vssadmin.exe
      delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:3596
    • C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
        PID:4092
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3940
      • C:\Windows\System32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
        2⤵
          PID:2264
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {current} recoveryenabled no
            3⤵
            • Modifies boot configuration data using bcdedit
            PID:3888
        • C:\Windows\System32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off
          2⤵
            PID:2096
            • C:\Windows\system32\netsh.exe
              netsh advfirewall set allprofiles state off
              3⤵
                PID:3896
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe" >> NUL
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:492
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                3⤵
                • Delays execution with timeout.exe
                PID:1168
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Modifies service
            • Suspicious use of AdjustPrivilegeToken
            PID:3144

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads