Analysis
max time kernel: 124s
max time network: 147s
platform: windows10_x64
resource: win10v200430
submitted: 23/05/2020, 09:47
Static task: static1
Behavioral task: behavioral1
  Sample: 2020-05-22_17-36-19.bin.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 2020-05-22_17-36-19.bin.exe
  Resource: win10v200430
General
Target: 2020-05-22_17-36-19.bin.exe
Size: 448KB
MD5: 412568f078ec521bdba6ae14b9f36823
SHA1: 3e5a80fe286834f6d5f0aaf014a420ec40ebad7d
SHA256: e2c2a80cb4ecc511f30d72b3487cb9023b40a25f6bbe07a92f47230fb76544f4
SHA512: 9e979c3873778991bfd05b22370fbab32f7ec16dd78b8c3f2b0f54ccfd26fcdfc84f881bdf4414d24228ad2a19ef00ecb062dd5e9e2e243966f1276698f1ff85
Malware Config
Signatures
Drops file in Program Files directory (28 IoCs)
description | ioc | Process
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Mozilla Firefox\precomplete.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Mozilla Firefox\precomplete.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Mozilla Firefox\removed-files.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Mozilla Firefox\removed-files.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\master_preferences.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files (x86)\Google\Chrome\Application\master_preferences.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.corona-lock | 2020-05-22_17-36-19.bin.exe
Suspicious behavior: EnumeratesProcesses (50 IoCs)
pid | Process
2040 | 2020-05-22_17-36-19.bin.exe (50 identical entries)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 2624 | vssvc.exe
Token: SeRestorePrivilege | 2624 | vssvc.exe
Token: SeAuditPrivilege | 2624 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 1964 | wmic.exe
Token: SeSecurityPrivilege | 1964 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1964 | wmic.exe
Token: SeLoadDriverPrivilege | 1964 | wmic.exe
Token: SeSystemProfilePrivilege | 1964 | wmic.exe
Token: SeSystemtimePrivilege | 1964 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1964 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1964 | wmic.exe
Token: SeCreatePagefilePrivilege | 1964 | wmic.exe
Token: SeBackupPrivilege | 1964 | wmic.exe
Token: SeRestorePrivilege | 1964 | wmic.exe
Token: SeShutdownPrivilege | 1964 | wmic.exe
Token: SeDebugPrivilege | 1964 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1964 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1964 | wmic.exe
Token: SeUndockPrivilege | 1964 | wmic.exe
Token: SeManageVolumePrivilege | 1964 | wmic.exe
Token: 33 | 1964 | wmic.exe
Token: 34 | 1964 | wmic.exe
Token: 35 | 1964 | wmic.exe
Token: 36 | 1964 | wmic.exe
Modifies service (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 2020-05-22_17-36-19.bin.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Adds Run entry to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run | 2020-05-22_17-36-19.bin.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2020-05-22_17-36-19.bin.exe\" e" | 2020-05-22_17-36-19.bin.exe
Suspicious use of WriteProcessMemory (45 IoCs; each row below was recorded three times)
description | pid | Process | procid_target
PID 2040 wrote to memory of 2156 | 2040 | 2020-05-22_17-36-19.bin.exe | 72
PID 2040 wrote to memory of 3472 | 2040 | 2020-05-22_17-36-19.bin.exe | 75
PID 2040 wrote to memory of 4044 | 2040 | 2020-05-22_17-36-19.bin.exe | 77
PID 2040 wrote to memory of 3880 | 2040 | 2020-05-22_17-36-19.bin.exe | 79
PID 2040 wrote to memory of 3864 | 2040 | 2020-05-22_17-36-19.bin.exe | 81
PID 2040 wrote to memory of 4004 | 2040 | 2020-05-22_17-36-19.bin.exe | 83
PID 2040 wrote to memory of 3356 | 2040 | 2020-05-22_17-36-19.bin.exe | 85
PID 2040 wrote to memory of 760 | 2040 | 2020-05-22_17-36-19.bin.exe | 88
PID 2040 wrote to memory of 1852 | 2040 | 2020-05-22_17-36-19.bin.exe | 90
PID 2040 wrote to memory of 864 | 2040 | 2020-05-22_17-36-19.bin.exe | 92
PID 2040 wrote to memory of 2528 | 2040 | 2020-05-22_17-36-19.bin.exe | 94
PID 2040 wrote to memory of 1248 | 2040 | 2020-05-22_17-36-19.bin.exe | 96
PID 2040 wrote to memory of 2476 | 2040 | 2020-05-22_17-36-19.bin.exe | 98
PID 2040 wrote to memory of 1964 | 2040 | 2020-05-22_17-36-19.bin.exe | 100
PID 2040 wrote to memory of 2616 | 2040 | 2020-05-22_17-36-19.bin.exe | 103
Drops file in Windows directory (44 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Boot\PCAT\bootmgr.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Boot\DVD\EFI\BCD.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Boot\DVD\PCAT\BCD.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Resources\Maps\mwconfig_client.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Resources\Maps\mwconfig_client.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Boot\PCAT\bootnxt.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_3e009a64-65d7-465c-9098-f2673dd3f416.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Panther\setupinfo.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_3e009a64-65d7-465c-9098-f2673dd3f416.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\Panther\setupinfo.corona-lock | 2020-05-22_17-36-19.bin.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.corona-lock | 2020-05-22_17-36-19.bin.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.corona-lock | 2020-05-22_17-36-19.bin.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Interacts with shadow copies (2 TTPs, 13 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2476 | vssadmin.exe
3472 | vssadmin.exe
4004 | vssadmin.exe
3356 | vssadmin.exe
864 | vssadmin.exe
760 | vssadmin.exe
1852 | vssadmin.exe
2528 | vssadmin.exe
1248 | vssadmin.exe
2156 | vssadmin.exe
4044 | vssadmin.exe
3880 | vssadmin.exe
3864 | vssadmin.exe
Enumerates connected drives (3 TTPs)
Processes

C:\Users\Admin\AppData\Local\Temp\2020-05-22_17-36-19.bin.exe (PID 2040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2020-05-22_17-36-19.bin.exe"
  Signatures:
    Drops file in Program Files directory
    Suspicious behavior: EnumeratesProcesses
    System policy modification
    Adds Run entry to start application
    Suspicious use of WriteProcessMemory
    Drops file in Windows directory
  Child processes:
    C:\Windows\SysWOW64\vssadmin.exe (PID 2156)
      Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 3472)
      Command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 4044)
      Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 3880)
      Command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 3864)
      Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 4004)
      Command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 3356)
      Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 760)
      Command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 1852)
      Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 864)
      Command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 2528)
      Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 1248)
      Command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\vssadmin.exe (PID 2476)
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1964)
      Command line: wmic.exe SHADOWCOPY /nointeractive
      Signatures: Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe (PID 2616)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2020-0~1.EXE >> NUL

C:\Windows\system32\vssvc.exe (PID 2624)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    Suspicious use of AdjustPrivilegeToken
    Modifies service