Analysis
- max time kernel: 43s
- max time network: 55s
- platform: windows7_x64
- resource: win7v200430
- submitted: 25-06-2020 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
  Resource: win10
General
- Target: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
- Size: 1.0MB
- MD5: 572fea5f025df78f2d316216fbeee52e
- SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
- SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
- SHA512: eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
Malware Config
Signatures
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid | process
    1092 | vssadmin.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid | process
    1812 | takeown.exe
    1832 | icacls.exe
- Loads dropped DLL (2 IoCs)
  Processes: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
    pid | process
    1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
    1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe, Usbstor:bin, cmd.exe, cmd.exe
    description | pid | process | target process
    PID 1412 wrote to memory of 1448 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | Usbstor:bin
    PID 1412 wrote to memory of 1448 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | Usbstor:bin
    PID 1412 wrote to memory of 1448 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | Usbstor:bin
    PID 1412 wrote to memory of 1448 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | Usbstor:bin
    PID 1448 wrote to memory of 1092 | 1448 | Usbstor:bin | vssadmin.exe
    PID 1448 wrote to memory of 1092 | 1448 | Usbstor:bin | vssadmin.exe
    PID 1448 wrote to memory of 1092 | 1448 | Usbstor:bin | vssadmin.exe
    PID 1448 wrote to memory of 1092 | 1448 | Usbstor:bin | vssadmin.exe
    PID 1448 wrote to memory of 1812 | 1448 | Usbstor:bin | takeown.exe
    PID 1448 wrote to memory of 1812 | 1448 | Usbstor:bin | takeown.exe
    PID 1448 wrote to memory of 1812 | 1448 | Usbstor:bin | takeown.exe
    PID 1448 wrote to memory of 1812 | 1448 | Usbstor:bin | takeown.exe
    PID 1448 wrote to memory of 1832 | 1448 | Usbstor:bin | icacls.exe
    PID 1448 wrote to memory of 1832 | 1448 | Usbstor:bin | icacls.exe
    PID 1448 wrote to memory of 1832 | 1448 | Usbstor:bin | icacls.exe
    PID 1448 wrote to memory of 1832 | 1448 | Usbstor:bin | icacls.exe
    PID 1448 wrote to memory of 1768 | 1448 | Usbstor:bin | cmd.exe
    PID 1448 wrote to memory of 1768 | 1448 | Usbstor:bin | cmd.exe
    PID 1448 wrote to memory of 1768 | 1448 | Usbstor:bin | cmd.exe
    PID 1448 wrote to memory of 1768 | 1448 | Usbstor:bin | cmd.exe
    PID 1412 wrote to memory of 1788 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | cmd.exe
    PID 1412 wrote to memory of 1788 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | cmd.exe
    PID 1412 wrote to memory of 1788 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | cmd.exe
    PID 1412 wrote to memory of 1788 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | cmd.exe
    PID 1768 wrote to memory of 1604 | 1768 | cmd.exe | choice.exe
    PID 1768 wrote to memory of 1604 | 1768 | cmd.exe | choice.exe
    PID 1768 wrote to memory of 1604 | 1768 | cmd.exe | choice.exe
    PID 1768 wrote to memory of 1604 | 1768 | cmd.exe | choice.exe
    PID 1788 wrote to memory of 1588 | 1788 | cmd.exe | choice.exe
    PID 1788 wrote to memory of 1588 | 1788 | cmd.exe | choice.exe
    PID 1788 wrote to memory of 1588 | 1788 | cmd.exe | choice.exe
    PID 1788 wrote to memory of 1588 | 1788 | cmd.exe | choice.exe
    PID 1768 wrote to memory of 1580 | 1768 | cmd.exe | attrib.exe
    PID 1768 wrote to memory of 1580 | 1768 | cmd.exe | attrib.exe
    PID 1768 wrote to memory of 1580 | 1768 | cmd.exe | attrib.exe
    PID 1768 wrote to memory of 1580 | 1768 | cmd.exe | attrib.exe
    PID 1788 wrote to memory of 1568 | 1788 | cmd.exe | attrib.exe
    PID 1788 wrote to memory of 1568 | 1788 | cmd.exe | attrib.exe
    PID 1788 wrote to memory of 1568 | 1788 | cmd.exe | attrib.exe
    PID 1788 wrote to memory of 1568 | 1788 | cmd.exe | attrib.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
    description | pid | process
    Token: SeBackupPrivilege | 788 | vssvc.exe
    Token: SeRestorePrivilege | 788 | vssvc.exe
    Token: SeAuditPrivilege | 788 | vssvc.exe
- NTFS ADS (1 IoCs)
  Processes: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Usbstor:bin | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid | process
    1812 | takeown.exe
    1832 | icacls.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
    pid | process
    1580 | attrib.exe
    1568 | attrib.exe
- Executes dropped EXE (1 IoCs)
  Processes: Usbstor:bin
    pid | process
    1448 | Usbstor:bin
- Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid | process
    1788 | cmd.exe
- Drops file in System32 directory (1 IoCs)
  Processes: Usbstor:bin
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\Usbstor.exe | Usbstor:bin
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - NTFS ADS
  - [depth 2] C:\Users\Admin\AppData\Roaming\Usbstor:bin
    Command line: C:\Users\Admin\AppData\Roaming\Usbstor:bin -r
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Drops file in System32 directory
    - [depth 3] C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - [depth 3] C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Usbstor.exe
      - Modifies file permissions
      - Possible privilege escalation attempt
    - [depth 3] C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Usbstor.exe /reset
      - Modifies file permissions
      - Possible privilege escalation attempt
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Usbstor" & del "C:\Users\Admin\AppData\Roaming\Usbstor"
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - [depth 4] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Usbstor"
        - Views/modifies file attributes
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" & del "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
    - Suspicious use of WriteProcessMemory
    - Deletes itself
    - [depth 3] C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - [depth 3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
      - Views/modifies file attributes
- [depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Usbstor:bin
- C:\Users\Admin\AppData\Roaming\Usbstor:bin
- C:\Windows\SysWOW64\Usbstor.exe
- \Users\Admin\AppData\Roaming\Usbstor
- \Users\Admin\AppData\Roaming\Usbstor
- memory/1092-4-0x0000000000000000-mapping.dmp
- memory/1448-2-0x0000000000000000-mapping.dmp
- memory/1568-14-0x0000000000000000-mapping.dmp
- memory/1580-13-0x0000000000000000-mapping.dmp
- memory/1588-12-0x0000000000000000-mapping.dmp
- memory/1604-11-0x0000000000000000-mapping.dmp
- memory/1768-9-0x0000000000000000-mapping.dmp
- memory/1788-10-0x0000000000000000-mapping.dmp
- memory/1812-6-0x0000000000000000-mapping.dmp
- memory/1832-8-0x0000000000000000-mapping.dmp