5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367

General

Target: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Filesize: 1MB
Completed: 25-06-2020 05:33
Score: 9/10
MD5: 572fea5f025df78f2d316216fbeee52e
SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367

Malware Config
Signatures (11)

Tactics: Defense Evasion, Impact, Persistence
  • Suspicious use of WriteProcessMemory
    Processes: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe, F-97:bin, F-97.exe, cmd.exe, cmd.exe, cmd.exe

    Each row is a parent writing into a child it has just started, so the table doubles as the process tree. Repeated rows are collapsed; the count column gives how often each appeared.

    Reported IOCs

    description | pid | process | target process | count
    PID 3100 wrote to memory of 3896 | 3100 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | F-97:bin | 3
    PID 3896 wrote to memory of 3324 | 3896 | F-97:bin | vssadmin.exe | 2
    PID 3896 wrote to memory of 3184 | 3896 | F-97:bin | takeown.exe | 3
    PID 3896 wrote to memory of 1768 | 3896 | F-97:bin | icacls.exe | 3
    PID 3012 wrote to memory of 736 | 3012 | F-97.exe | cmd.exe | 3
    PID 736 wrote to memory of 2640 | 736 | cmd.exe | choice.exe | 3
    PID 3896 wrote to memory of 3984 | 3896 | F-97:bin | cmd.exe | 3
    PID 3100 wrote to memory of 2164 | 3100 | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe | cmd.exe | 3
    PID 2164 wrote to memory of 4048 | 2164 | cmd.exe | choice.exe | 3
    PID 3984 wrote to memory of 3792 | 3984 | cmd.exe | choice.exe | 3
    PID 736 wrote to memory of 3280 | 736 | cmd.exe | attrib.exe | 3
    PID 2164 wrote to memory of 3852 | 2164 | cmd.exe | attrib.exe | 3
    PID 3984 wrote to memory of 1984 | 3984 | cmd.exe | attrib.exe | 3
  • Executes dropped EXE
    Processes: F-97:bin, F-97.exe

    F-97:bin is the alternate data stream written at C:\Users\Admin\AppData\Roaming\F-97:bin (see "NTFS ADS" below); F-97.exe is the copy written to C:\Windows\SysWOW64\F-97.exe (see "Drops file in System32 directory" below).

    Reported IOCs

    pid | process
    3896 | F-97:bin
    3012 | F-97.exe
  • Suspicious use of AdjustPrivilegeToken
    Processes: vssvc.exe

    These privileges are enabled by the Volume Shadow Copy service for its own token when it starts to serve the vssadmin request; they are not held by the sample.

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 3828 | vssvc.exe
    Token: SeRestorePrivilege | 3828 | vssvc.exe
    Token: SeAuditPrivilege | 3828 | vssvc.exe
  • Drops file in System32 directory
    Processes: F-97:bin, attrib.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\F-97.exe | attrib.exe
    File opened for modification | C:\Windows\SysWOW64\F-97.exe | F-97:bin
  • Possible privilege escalation attempt
    Processes: takeown.exe, icacls.exe

    Reported IOCs

    pid | process
    3184 | takeown.exe
    1768 | icacls.exe
  • Views/modifies file attributes
    Processes: attrib.exe, attrib.exe, attrib.exe

    TTPs: Hidden Files and Directories

    Reported IOCs

    pid | process
    3280 | attrib.exe
    3852 | attrib.exe
    1984 | attrib.exe
  • Deletes shadow copies

    Description: Ransomware often targets backup files to inhibit system recovery.

    TTPs: File Deletion, Inhibit System Recovery
  • Interacts with shadow copies
    Processes: vssadmin.exe

    Description: Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs: File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    3324 | vssadmin.exe
  • Modifies service
    Processes: vssvc.exe

    TTPs: Modify Registry, Modify Existing Service

    The VSS\Diag writer and provider keys below are created by the Volume Shadow Copy service itself when it starts in response to the vssadmin request (SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} is the built-in software shadow copy provider). They are a side effect of the shadow copy interaction, not a service change made by the sample.

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  • Modifies file permissions
    Processes: takeown.exe, icacls.exe

    TTPs: File Permissions Modification

    Reported IOCs

    pid | process
    1768 | icacls.exe
    3184 | takeown.exe
  • NTFS ADS
    Processes: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\F-97:bin | 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
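The WriteProcessMemory rows above are parent-to-child edges, so they can be turned back into the process tree the signatures refer to. The Python below is an added example, not part of the sandbox report: it rebuilds the tree from those rows and labels the processes the signatures call out (the payload running from an NTFS alternate data stream, and the vssadmin / takeown / icacls / attrib children). The WRITES rows are transcribed from the report; the watch-lists and finding labels are this example's own assumptions, and because the page does not show command lines, classification is by image name only.

```python
"""Rebuild the process tree from the WriteProcessMemory IOCs above and flag the
recovery-tampering chain. Added example, not part of the sandbox report; the
WRITES rows are transcribed from the report, everything else is illustrative."""
from collections import defaultdict

SAMPLE = "5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe"

# (writer pid, writer image, target pid, target image), duplicates collapsed.
# A parent writing into a child it has just created is how the sandbox records
# process creation here, so the rows define parent -> child edges.
WRITES = [
    (3100, SAMPLE, 3896, "F-97:bin"),
    (3896, "F-97:bin", 3324, "vssadmin.exe"),
    (3896, "F-97:bin", 3184, "takeown.exe"),
    (3896, "F-97:bin", 1768, "icacls.exe"),
    (3012, "F-97.exe", 736, "cmd.exe"),
    (736, "cmd.exe", 2640, "choice.exe"),
    (3896, "F-97:bin", 3984, "cmd.exe"),
    (3100, SAMPLE, 2164, "cmd.exe"),
    (2164, "cmd.exe", 4048, "choice.exe"),
    (3984, "cmd.exe", 3792, "choice.exe"),
    (736, "cmd.exe", 3280, "attrib.exe"),
    (2164, "cmd.exe", 3852, "attrib.exe"),
    (3984, "cmd.exe", 1984, "attrib.exe"),
]

# Illustrative watch-lists (an assumption of this example, not from the report).
RECOVERY_TAMPER = {"vssadmin.exe", "wbadmin.exe", "bcdedit.exe", "wmic.exe"}
PERMISSION_TAMPER = {"takeown.exe", "icacls.exe", "cacls.exe"}
ATTRIBUTE_TAMPER = {"attrib.exe"}


def is_ads_image(image):
    """True for an NTFS alternate data stream such as 'F-97:bin' or
    'C:\\Users\\Admin\\AppData\\Roaming\\F-97:bin': a colon in the file name
    once the drive letter and directories are stripped."""
    return ":" in image.rsplit("\\", 1)[-1]


def build_tree(writes):
    """Return (parent_of, image_of, children), all keyed by pid."""
    parent_of, image_of, children = {}, {}, defaultdict(list)
    for wpid, wimg, tpid, timg in writes:
        image_of.setdefault(wpid, wimg)
        image_of.setdefault(tpid, timg)
        if tpid not in parent_of:  # the first writer is the creator
            parent_of[tpid] = wpid
            children[wpid].append(tpid)
    return parent_of, image_of, children


def ancestry(pid, parent_of, image_of):
    """Image names from the root process down to pid."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [image_of[p] for p in reversed(chain)]


def render_tree(writes):
    """Indented text tree; roots are pids that were never written into."""
    parent_of, image_of, children = build_tree(writes)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image_of[pid]} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in sorted(p for p in image_of if p not in parent_of):
        walk(root, 0)
    return lines


def findings(writes):
    """(pid, label, chain) for every process that deserves a second look."""
    parent_of, image_of, _ = build_tree(writes)
    out = []
    for pid in sorted(image_of):
        image = image_of[pid]
        chain = " > ".join(ancestry(pid, parent_of, image_of))
        low = image.lower()
        if is_ads_image(image):
            out.append((pid, "ads_hosted_process", chain))
        if low in RECOVERY_TAMPER:
            out.append((pid, "recovery_tamper", chain))
        if low in PERMISSION_TAMPER:
            out.append((pid, "permission_tamper", chain))
        if low in ATTRIBUTE_TAMPER:
            out.append((pid, "attribute_tamper", chain))
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(WRITES)))
    for pid, label, chain in findings(WRITES):
        print(f"{label:20} pid {pid}: {chain}")
```

Two things fall out of the rebuilt tree that the flat IOC list hides: F-97.exe (pid 3012) has no recorded parent, so the page does not show who launched the SysWOW64 copy, and every attrib.exe runs under a cmd.exe that also spawned choice.exe, which is usually a timed delay (choice /t) in a clean-up batch file. Without the command lines, which this page does not capture, that last reading stays an inference.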
Downloads

Dropped files
  • C:\Users\Admin\AppData\Roaming\F-97:bin
  • C:\Windows\SysWOW64\F-97.exe

Memory dumps
  • memory/736-8-0x0000000000000000-mapping.dmp
  • memory/1768-6-0x0000000000000000-mapping.dmp
  • memory/1984-16-0x0000000000000000-mapping.dmp
  • memory/2164-11-0x0000000000000000-mapping.dmp
  • memory/2640-9-0x0000000000000000-mapping.dmp
  • memory/3184-4-0x0000000000000000-mapping.dmp
  • memory/3280-14-0x0000000000000000-mapping.dmp
  • memory/3324-3-0x0000000000000000-mapping.dmp
  • memory/3792-13-0x0000000000000000-mapping.dmp
  • memory/3852-15-0x0000000000000000-mapping.dmp
  • memory/3896-0-0x0000000000000000-mapping.dmp
  • memory/3984-10-0x0000000000000000-mapping.dmp
  • memory/4048-12-0x0000000000000000-mapping.dmp