c41d1ff004b7e49d601b10e11e3591a99da6c95dcc1272fdcbeb8663e502e83b

General

Target

2020-05-22_17-36-19.bin.exe
Size

448KB
MD5

412568f078ec521bdba6ae14b9f36823
SHA1

3e5a80fe286834f6d5f0aaf014a420ec40ebad7d
SHA256

e2c2a80cb4ecc511f30d72b3487cb9023b40a25f6bbe07a92f47230fb76544f4
SHA512

9e979c3873778991bfd05b22370fbab32f7ec16dd78b8c3f2b0f54ccfd26fcdfc84f881bdf4414d24228ad2a19ef00ecb062dd5e9e2e243966f1276698f1ff85

Score

9^/10

persistence spyware ransomware

Malware Config

Signatures

Drops file in Program Files directory 28 IoCs

Processes:

2020-05-22_17-36-19.bin.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Mozilla Firefox\precomplete.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Mozilla Firefox\removed-files.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\master_preferences.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\master_preferences.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.corona-lock	2020-05-22_17-36-19.bin.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

2020-05-22_17-36-19.bin.exe

pid	process
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe
2040	2020-05-22_17-36-19.bin.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vssvc.exewmic.exe

description	pid	process
Token: SeBackupPrivilege	2624	vssvc.exe
Token: SeRestorePrivilege	2624	vssvc.exe
Token: SeAuditPrivilege	2624	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1964	wmic.exe
Token: SeSecurityPrivilege	1964	wmic.exe
Token: SeTakeOwnershipPrivilege	1964	wmic.exe
Token: SeLoadDriverPrivilege	1964	wmic.exe
Token: SeSystemProfilePrivilege	1964	wmic.exe
Token: SeSystemtimePrivilege	1964	wmic.exe
Token: SeProfSingleProcessPrivilege	1964	wmic.exe
Token: SeIncBasePriorityPrivilege	1964	wmic.exe
Token: SeCreatePagefilePrivilege	1964	wmic.exe
Token: SeBackupPrivilege	1964	wmic.exe
Token: SeRestorePrivilege	1964	wmic.exe
Token: SeShutdownPrivilege	1964	wmic.exe
Token: SeDebugPrivilege	1964	wmic.exe
Token: SeSystemEnvironmentPrivilege	1964	wmic.exe
Token: SeRemoteShutdownPrivilege	1964	wmic.exe
Token: SeUndockPrivilege	1964	wmic.exe
Token: SeManageVolumePrivilege	1964	wmic.exe
Token: 33	1964	wmic.exe
Token: 34	1964	wmic.exe
Token: 35	1964	wmic.exe
Token: 36	1964	wmic.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

2020-05-22_17-36-19.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	2020-05-22_17-36-19.bin.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2020-05-22_17-36-19.bin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run	2020-05-22_17-36-19.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2020-05-22_17-36-19.bin.exe\" e"	2020-05-22_17-36-19.bin.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

2020-05-22_17-36-19.bin.exe

description	pid	process	target process
PID 2040 wrote to memory of 2156	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 2156	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 2156	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3472	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3472	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3472	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 4044	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 4044	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 4044	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3880	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3880	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3880	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3864	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3864	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3864	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 4004	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 4004	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 4004	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3356	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3356	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 3356	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 760	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 760	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 760	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 1852	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 1852	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 1852	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 864	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 864	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 864	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 2528	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 2528	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 2528	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 1248	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 1248	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 1248	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 2476	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 2476	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 2476	2040	2020-05-22_17-36-19.bin.exe	vssadmin.exe
PID 2040 wrote to memory of 1964	2040	2020-05-22_17-36-19.bin.exe	wmic.exe
PID 2040 wrote to memory of 1964	2040	2020-05-22_17-36-19.bin.exe	wmic.exe
PID 2040 wrote to memory of 1964	2040	2020-05-22_17-36-19.bin.exe	wmic.exe
PID 2040 wrote to memory of 2616	2040	2020-05-22_17-36-19.bin.exe	cmd.exe
PID 2040 wrote to memory of 2616	2040	2020-05-22_17-36-19.bin.exe	cmd.exe
PID 2040 wrote to memory of 2616	2040	2020-05-22_17-36-19.bin.exe	cmd.exe

Drops file in Windows directory 44 IoCs

Processes:

2020-05-22_17-36-19.bin.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Boot\PCAT\bootmgr.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Boot\DVD\EFI\BCD.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Boot\DVD\PCAT\BCD.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F86418066F0}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Resources\Maps\mwconfig_client.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Resources\Maps\mwconfig_client.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Boot\PCAT\bootnxt.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{64A3A4F4-B792-11D6-A78A-00B0D0180660}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_3e009a64-65d7-465c-9098-f2673dd3f416.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{AC76BA86-7AD7-1033-7B44-AC0F074E4100}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{12578975-C765-4BDF-8DDC-3284BC0E855F}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{37B8F9C7-03FB-3253-8781-2517C99D7C00}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Installer\SourceHash{CB0836EC-B072-368D-82B2-D3470BF95707}.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\state.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_3e009a64-65d7-465c-9098-f2673dd3f416.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\Panther\setupinfo.corona-lock	2020-05-22_17-36-19.bin.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.corona-lock	2020-05-22_17-36-19.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.corona-lock	2020-05-22_17-36-19.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Interacts with shadow copies 2 TTPs 13 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2476	vssadmin.exe
3472	vssadmin.exe
4004	vssadmin.exe
3356	vssadmin.exe
864	vssadmin.exe
760	vssadmin.exe
1852	vssadmin.exe
2528	vssadmin.exe
1248	vssadmin.exe
2156	vssadmin.exe
4044	vssadmin.exe
3880	vssadmin.exe
3864	vssadmin.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\2020-05-22_17-36-19.bin.exe
"C:\Users\Admin\AppData\Local\Temp\2020-05-22_17-36-19.bin.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
PID:2040

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:2156

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:3472

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:4044

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:3880

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:3864

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:4004

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:3356

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:760

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:1852

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:864

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:2528

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:1248

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:2476

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2020-0~1.EXE >> NUL
2⤵
PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-0-0x0000000002E46000-0x0000000002E47000-memory.dmp

Filesize
4KB

Download
memory/2040-1-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads