Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    24-06-2020 14:57

General

  • Target

    084574bf3180c1493c8f1bb5522e80255be673dbeca80b0a37ee487daf8c6919.exe

  • Size

    160KB

  • MD5

    a9a6801356bda621d857929a25919e67

  • SHA1

    c71c6a6dc811aab2d597a758bd09b2177f317497

  • SHA256

    084574bf3180c1493c8f1bb5522e80255be673dbeca80b0a37ee487daf8c6919

  • SHA512

    19540587b5c24976eec13465bb198f366379a022a1e0db5cee46da38c84de2ad0fac358a05b90bfd0772c9a648470cb7857782f59a25ba7faa39da2145c25624

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note
all your data has been locked us You want to return? Write email [email protected]

Signatures

  • Suspicious use of WriteProcessMemory 24 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Drops desktop.ini file(s) 70 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops file in Program Files directory 35207 IoCs
  • Modifies service 2 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Adds Run entry to start application 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 461 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Drops startup file 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\084574bf3180c1493c8f1bb5522e80255be673dbeca80b0a37ee487daf8c6919.exe
    "C:\Users\Admin\AppData\Local\Temp\084574bf3180c1493c8f1bb5522e80255be673dbeca80b0a37ee487daf8c6919.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetThreadContext
    PID:3612
    • C:\Users\Admin\AppData\Local\Temp\084574bf3180c1493c8f1bb5522e80255be673dbeca80b0a37ee487daf8c6919.exe
      "C:/Users/Admin/AppData/Local/Temp/084574bf3180c1493c8f1bb5522e80255be673dbeca80b0a37ee487daf8c6919.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Drops file in System32 directory
      • Adds Run entry to start application
      • Suspicious behavior: EnumeratesProcesses
      • Drops startup file
      PID:2576
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          4⤵
            PID:3456
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:3412
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Windows\system32\mode.com
            mode con cp select=1251
            4⤵
              PID:1832
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:276
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
              PID:1992
            • C:\Windows\System32\mshta.exe
              "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
              3⤵
                PID:256
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            • Modifies service
            PID:3728

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Persistence

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          2
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Collection

          Data from Local System

          1
          T1005

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\084574bf3180c1493c8f1bb5522e80255be673dbeca80b0a37ee487daf8c6919.exe.log
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
          • memory/256-24-0x0000000000000000-mapping.dmp
          • memory/276-25-0x0000000000000000-mapping.dmp
          • memory/1832-23-0x0000000000000000-mapping.dmp
          • memory/1992-22-0x0000000000000000-mapping.dmp
          • memory/2576-0-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

          • memory/2576-2-0x0000000000400000-0x0000000000419000-memory.dmp
            Filesize

            100KB

          • memory/2576-1-0x000000000040A9D0-mapping.dmp
          • memory/2664-21-0x0000000000000000-mapping.dmp
          • memory/3412-5-0x0000000000000000-mapping.dmp
          • memory/3456-4-0x0000000000000000-mapping.dmp
          • memory/3820-3-0x0000000000000000-mapping.dmp