Analysis
max time kernel: 132s
max time network: 128s
platform: windows10_x64
resource: win10v200430
submitted: 07-05-2020 12:10

Static task: static1
Behavioral task: behavioral1 (Sample: report.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: report.exe, Resource: win10v200430)

General
Target: report.exe
Size: 359KB
MD5: 2b6e4fef6c9a6a11b8d841bcf8c3b378
SHA1: 14c13bc7d0ec2f9d71e235493bf3857b792628c0
SHA256: 9821a9264d6d80673739f0a02ad46176f2eeab5e0fedddbafa5047ac10b21a94
SHA512: 1faa40aa84ba1f5b64d67a292c85da562ae16fc464c1b29883593eb4f7c98f8abe42a300e169747b3aba524708d9e686b711ea1fc1748bb970136d24902bb178
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (47 IoCs)
description | pid | Process
report.exe (PID 2916): Token: SeDebugPrivilege
WMIC.exe (PID 904): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this run of 21 tokens is recorded twice, 42 entries in total)
vssvc.exe (PID 1140): Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
taskkill.exe (PID 4044): Token: SeDebugPrivilege
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings | report.exe

Kills process with taskkill (1 IoC)
pid | Process
4044 | taskkill.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC876.bmp" | report.exe
Blacklisted process makes network request (5 IoCs)
flow | pid | Process
1546 | 800 | mshta.exe
1548 | 800 | mshta.exe
1550 | 800 | mshta.exe
1552 | 800 | mshta.exe
1554 | 800 | mshta.exe

Makes http(s) request (5 IoCs)
Contacts server via http/https, possibly for C2 communication.
description | flow | ioc
HTTP URL | 1546 | http://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1588860737309
HTTP URL | 1550 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d79a3580b01e1bdf
HTTP URL | 1552 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
HTTP URL | 1552 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAZ%2FJIGKSEebzF%2FToS9iYaY%3D
HTTP URL | 1552 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAPcJEltpOb%2Fb8VsKZIyB%2B8%3D
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Modifies service (2 TTPs, 5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2916 wrote to memory of 556 | 2916 | report.exe | 66
PID 2916 wrote to memory of 556 | 2916 | report.exe | 66
PID 2916 wrote to memory of 800 | 2916 | report.exe | 81
PID 2916 wrote to memory of 800 | 2916 | report.exe | 81
PID 2916 wrote to memory of 800 | 2916 | report.exe | 81
PID 2916 wrote to memory of 3796 | 2916 | report.exe | 82
PID 2916 wrote to memory of 3796 | 2916 | report.exe | 82
Suspicious behavior: EnumeratesProcesses (366 IoCs)
pid | Process
2916 | report.exe (every one of the 366 entries records this same pid and process)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
800 | mshta.exe
800 | mshta.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
1880 | PING.EXE
Processes
Process tree; nesting level is shown by indentation (level 1 = top-level process).

C:\Users\Admin\AppData\Local\Temp\report.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\report.exe"
  PID: 2916
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies registry class; Sets desktop wallpaper using registry; Suspicious use of WriteProcessMemory; Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 556
        C:\Windows\system32\wbem\WMIC.exe
          Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
          PID: 904
          Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      PID: 800
      Signatures: Blacklisted process makes network request; Suspicious use of SetWindowsHookEx
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 3796
        C:\Windows\system32\taskkill.exe
          Command line: taskkill /f /im "report.exe"
          PID: 4044
          Signatures: Suspicious use of AdjustPrivilegeToken; Kills process with taskkill
        C:\Windows\system32\PING.EXE
          Command line: ping -n 1 127.0.0.1
          PID: 1880
          Signatures: Runs ping.exe

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1140
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service