5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367

General

Target: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Filesize: 1MB
Completed: 25-06-2020 05:33
Score: 9/10
MD5: 572fea5f025df78f2d316216fbeee52e
SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367

Malware Config

Signatures (13)

Tactics: Defense Evasion, Impact, Persistence
  • Interacts with shadow copies
    vssadmin.exe

    Description: Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs: File Deletion, Inhibit System Recovery

    Reported IOCs

    pid  | process
    1092 | vssadmin.exe
  • Modifies service
    vssvc.exe

    TTPs: Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe

    Note: vssvc.exe is the Volume Shadow Copy service, started on demand by the vssadmin.exe call above; the VSS\Diag keys are its own writer diagnostics. The sample process did not touch these keys, so this hit is attribution to the service, not to the sample.
  • Modifies file permissions
    takeown.exe, icacls.exe

    TTPs: File Permissions Modification

    Reported IOCs

    pid  | process
    1812 | takeown.exe
    1832 | icacls.exe
  • Loads dropped DLL
    5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe

    Reported IOCs

    pid  | process
    1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
    1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
  • Suspicious use of WriteProcessMemory
    5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe, Usbstor:bin, cmd.exe, cmd.exe

    Reported IOCs (each writer/target pair was reported four times; collapsed here to one row per pair)

    description | pid | process | target process
    PID 1412 wrote to memory of 1448 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | Usbstor:bin
    PID 1448 wrote to memory of 1092 | 1448 | Usbstor:bin | vssadmin.exe
    PID 1448 wrote to memory of 1812 | 1448 | Usbstor:bin | takeown.exe
    PID 1448 wrote to memory of 1832 | 1448 | Usbstor:bin | icacls.exe
    PID 1448 wrote to memory of 1768 | 1448 | Usbstor:bin | cmd.exe
    PID 1412 wrote to memory of 1788 | 1412 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | cmd.exe
    PID 1768 wrote to memory of 1604 | 1768 | cmd.exe | choice.exe
    PID 1788 wrote to memory of 1588 | 1788 | cmd.exe | choice.exe
    PID 1768 wrote to memory of 1580 | 1768 | cmd.exe | attrib.exe
    PID 1788 wrote to memory of 1568 | 1788 | cmd.exe | attrib.exe

    Note: every writer/target pair here is a parent/child pair in the process tree below, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 788 | vssvc.exe
    Token: SeRestorePrivilege | 788 | vssvc.exe
    Token: SeAuditPrivilege | 788 | vssvc.exe

    Note: these are privileges the Volume Shadow Copy service enables for its own operation; the hit is on the service process, not on the sample.
  • NTFS ADS
    5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Usbstor:bin | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe

    Note: the sample writes its second stage into the `bin` alternate data stream of the file `Usbstor` and then executes the stream directly (PID 1448 in the process tree). A plain directory listing shows only the host file; `dir /R` or PowerShell `Get-Item -Stream *` is needed to see the stream.
  • Deletes shadow copies

    Description: Ransomware often targets backup files to inhibit system recovery. Triggered here by the command line `vssadmin.exe Delete Shadows /All /Quiet` (PID 1092).

    TTPs: File Deletion, Inhibit System Recovery
  • Possible privilege escalation attempt
    takeown.exe, icacls.exe

    Reported IOCs

    pid  | process
    1812 | takeown.exe
    1832 | icacls.exe

    Note: both run as 32-bit processes from SysWOW64, so the `C:\Windows\system32\Usbstor.exe` in their command lines is redirected by WOW64 to `C:\Windows\SysWOW64\Usbstor.exe`, the path recorded under "Drops file in System32 directory". The sample takes ownership of and resets the ACL on its own dropped copy, not on a Windows binary.
  • Views/modifies file attributes
    attrib.exe, attrib.exe

    TTPs: Hidden Files and Directories

    Reported IOCs

    pid  | process
    1580 | attrib.exe
    1568 | attrib.exe

    Note: both invocations are `attrib -h`, clearing the hidden attribute immediately before `del` in the clean-up command lines shown in the process tree.
  • Executes dropped EXE
    Usbstor:bin

    Reported IOCs

    pid  | process
    1448 | Usbstor:bin
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid  | process
    1788 | cmd.exe

    Note: the sample launches `cmd /c choice /t 10 /d y & attrib -h ... & del ...`, using `choice` as a 10-second delay so the original executable can exit before it is deleted. The sibling cmd.exe (PID 1768) removes the `Usbstor` ADS host file the same way.
  • Drops file in System32 directory
    Usbstor:bin

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\Usbstor.exe | Usbstor:bin
Processes (12)
  • C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
    "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
    Loads dropped DLL
    NTFS ADS
    Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Roaming\Usbstor:bin
      C:\Users\Admin\AppData\Roaming\Usbstor:bin -r
      Drops file in System32 directory
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
        PID:1092
      • C:\Windows\SysWOW64\takeown.exe
        C:\Windows\system32\takeown.exe /F C:\Windows\system32\Usbstor.exe
        Modifies file permissions
        Possible privilege escalation attempt
        PID:1812
      • C:\Windows\SysWOW64\icacls.exe
        C:\Windows\system32\icacls.exe C:\Windows\system32\Usbstor.exe /reset
        Modifies file permissions
        Possible privilege escalation attempt
        PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Usbstor" & del "C:\Users\Admin\AppData\Roaming\Usbstor"
        Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\choice.exe
          choice /t 10 /d y
          PID:1604
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Roaming\Usbstor"
          Views/modifies file attributes
          PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" & del "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:1588
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"
        Views/modifies file attributes
        PID:1568
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:788
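The process tree above maps onto a small set of detections: code executed directly from an NTFS alternate data stream (T1564.004), `vssadmin Delete Shadows` (T1490), `takeown`/`icacls` against a system directory (T1222.001), and a delayed `cmd /c choice ... & del` that removes the launcher (T1070.004). The following Python is an added example, not part of this report or of the sample's code: it replays the report's PIDs, image paths and command lines as constructed Sysmon-style process-creation events (the parent PID of the root process is not in the report and is set to 0), and applies rules whose names are this example's own. It goes one step beyond the report by also flagging the second cmd.exe (PID 1768), whose `del` target is the host file of the parent's `Usbstor:bin` stream.

```python
"""Re-derive the behaviours this report flags from process-creation events.

Added example, not part of the sandbox report or of the sample: EVENTS is
constructed from the PIDs, images and command lines in the process tree above,
in a simplified Sysmon-like shape (pid, ppid, image, cmdline). The rule names
and helper functions are this example's own, not the sandbox's signature engine.
"""
import re

# Constructed from the report's process tree. The parent of the root sample
# (PID 1412) is not in the report; 0 stands in for it.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe")
STAGE2 = r"C:\Users\Admin\AppData\Roaming\Usbstor:bin"   # second stage lives in an ADS
EVENTS = [
    {"pid": 1412, "ppid": 0,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1448, "ppid": 1412, "image": STAGE2, "cmdline": STAGE2 + " -r"},
    {"pid": 1092, "ppid": 1448, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1812, "ppid": 1448, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Usbstor.exe"},
    {"pid": 1832, "ppid": 1448, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r"C:\Windows\system32\icacls.exe C:\Windows\system32\Usbstor.exe /reset"},
    {"pid": 1768, "ppid": 1448, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Usbstor"'
                r' & del "C:\Users\Admin\AppData\Roaming\Usbstor"'},
    {"pid": 1788, "ppid": 1412, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c choice /t 10 /d y & attrib -h "{SAMPLE}" & del "{SAMPLE}"'},
]

# "host:stream" in the final path component. The drive colon in "C:\" is not
# matched because it is not preceded by a backslash.
_ADS = re.compile(r"^(.*\\[^\\:]+):[^\\:]+$")
# First `del <target>` in a cmd.exe command line, with or without quotes.
_DEL = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def ads_host(path):
    """Return the host file of an NTFS alternate data stream path, else None."""
    m = _ADS.match(path)
    return m.group(1) if m else None


def analyze(events):
    """Return {pid: [finding, ...]} for every event, empty list if clean."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        hits = []
        image, cmd = e["image"].rsplit("\\", 1)[-1].lower(), e["cmdline"]
        if ads_host(e["image"]):                      # T1564.004: the image is a stream
            hits.append("ads_execution")
        if image == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.I):
            hits.append("inhibit_system_recovery")   # T1490
        if image in ("takeown.exe", "icacls.exe") and \
                re.search(r"\\windows\\(system32|syswow64)\\", cmd, re.I):
            hits.append("system_dir_permission_change")   # T1222.001
        if image == "cmd.exe":
            m, parent = _DEL.search(cmd), by_pid.get(e["ppid"])
            if m and parent:
                target = m.group(1).strip().lower()
                pimg = parent["image"].lower()
                # Deleting the parent's image, or the file hosting the parent's
                # stream (which removes the stream with it), is self-deletion.
                if target in (pimg, (ads_host(pimg) or "").lower()):
                    hits.append("deletes_launcher")   # T1070.004
                    if re.search(r"\bchoice\s+/t\s+\d+", cmd, re.I):
                        hits.append("delayed_via_choice")
        findings[e["pid"]] = hits
    return findings


def summarize(findings):
    """Invert {pid: findings} into {finding: sorted pids} for triage."""
    out = {}
    for pid, hits in findings.items():
        for h in hits:
            out.setdefault(h, []).append(pid)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for finding, pids in summarize(analyze(EVENTS)).items():
        print(f"{finding:30} {pids}")
```

Run stand-alone it prints one line per finding with the PIDs involved; the root sample (PID 1412) produces no finding of its own, which matches the report, where the sample's visible behaviour is what its children do. The `ads_host` check keys off a colon inside the final path component, which the drive letter in `C:\` never has. A real deployment would also normalise case, 8.3 short names and WOW64-redirected paths before comparing the `del` target with the parent image.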
Network
MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\Usbstor:bin
  • C:\Users\Admin\AppData\Roaming\Usbstor:bin
  • C:\Windows\SysWOW64\Usbstor.exe
  • \Users\Admin\AppData\Roaming\Usbstor
  • \Users\Admin\AppData\Roaming\Usbstor
  • memory/1092-4-0x0000000000000000-mapping.dmp
  • memory/1448-2-0x0000000000000000-mapping.dmp
  • memory/1568-14-0x0000000000000000-mapping.dmp
  • memory/1580-13-0x0000000000000000-mapping.dmp
  • memory/1588-12-0x0000000000000000-mapping.dmp
  • memory/1604-11-0x0000000000000000-mapping.dmp
  • memory/1768-9-0x0000000000000000-mapping.dmp
  • memory/1788-10-0x0000000000000000-mapping.dmp
  • memory/1812-6-0x0000000000000000-mapping.dmp
  • memory/1832-8-0x0000000000000000-mapping.dmp