Analysis
- Max time kernel: 136s
- Max time network: 50s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 29-05-2020 11:14
Static task: static1
Behavioral task: behavioral1
- Sample: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe
- Resource: win10v200430
General
- Target: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe
- Size: 113KB
- MD5: 3bceadd4c2c546aba24e24307f1defcd
- SHA1: 81e4110a72821a1b1f01a3f3a8bf89188af40067
- SHA256: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c
- SHA512: fbe80ee6902b76a533e8662e580cf887e7a6735752731a53a6189d7b8c1e1c7c881d817a137c3553ab1b6f40c673887d83460d35d01ad0ace18a89c7f5bea525
Malware Config
- Extracted from: C:\# !!!HELP_FILE!!! #.TXT
- Email addresses: rev00@india.com, revenge00@writeme.com, rev_reserv@india.com
Signatures

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 632 vssadmin.exe
- 1232 vssadmin.exe
Modifies registry class (1 IoC)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings (8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe)
Enumerates connected drives (3 TTPs)

Runs net.exe
Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Program Files\# !!!HELP_FILE!!! #.TXT (8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe)
- File opened for modification: C:\Program Files (x86)\# !!!HELP_FILE!!! #.TXT (8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Drops file in Windows directory (1 IoC)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\# !!!HELP_FILE!!! #.TXT (8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe)
Suspicious use of WriteProcessMemory (39 IoCs)
Processes (description, pid, process, target process):
- PID 3848 wrote to memory of 3556: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe -> cmd.exe
- PID 3848 wrote to memory of 692: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe -> cmd.exe
- PID 3848 wrote to memory of 1792: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe -> cmd.exe
- PID 3848 wrote to memory of 4012: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe -> cmd.exe
- PID 3848 wrote to memory of 3088: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe -> cmd.exe
- PID 3848 wrote to memory of 2224: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe -> cmd.exe
- PID 3556 wrote to memory of 632: cmd.exe -> vssadmin.exe
- PID 3088 wrote to memory of 1232: cmd.exe -> vssadmin.exe
- PID 4012 wrote to memory of 3568: cmd.exe -> net.exe
- PID 3848 wrote to memory of 3428: 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe -> NOTEPAD.EXE
- PID 2224 wrote to memory of 964: cmd.exe -> net.exe
- PID 964 wrote to memory of 2336: net.exe -> net1.exe
- PID 3568 wrote to memory of 2656: net.exe -> net1.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes (pid, process):
- 3848 8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
- Token: SeBackupPrivilege 3588 vssvc.exe
- Token: SeRestorePrivilege 3588 vssvc.exe
- Token: SeAuditPrivilege 3588 vssvc.exe
Modifies service (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS Common User Interface = "\"C:\\ProgramData\\Microsofts\\Windows NT\\svchost.exe\"" (8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS Common User Interface Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe\"" (8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c.exe"
  - Modifies registry class
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Adds Run entry to start application
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C net stop vss
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop vss
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop vss
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C net stop vss
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop vss
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop vss
  - C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Music\# !!!HELP_FILE!!! #.TXT
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service