Analysis
Max time kernel: 68s
Max time network: 120s
Platform: windows10_x64
Resource: win10
Submitted: 25-06-2020 05:31
Static task: static1
Behavioral task: behavioral1
  Sample: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
  Resource: win10
General
Target: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
Size: 1.0MB
MD5: 572fea5f025df78f2d316216fbeee52e
SHA1: 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
SHA256: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
SHA512: eb238272227c5825477ff1e37dc4f7e467665049d4db5649fff59c39d7745e88b06234d6d1218c05c802e33e21577f9d4a533cb9e23ebe6fb09654f97759c187
Malware Config
Signatures

Suspicious use of WriteProcessMemory (38 IoCs)
Processes: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe, F-97:bin, F-97.exe, cmd.exe, cmd.exe, cmd.exe
Description (source process -> target process):
PID 3100 wrote to memory of 3896 (5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe -> F-97:bin)
PID 3100 wrote to memory of 3896 (5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe -> F-97:bin)
PID 3100 wrote to memory of 3896 (5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe -> F-97:bin)
PID 3896 wrote to memory of 3324 (F-97:bin -> vssadmin.exe)
PID 3896 wrote to memory of 3324 (F-97:bin -> vssadmin.exe)
PID 3896 wrote to memory of 3184 (F-97:bin -> takeown.exe)
PID 3896 wrote to memory of 3184 (F-97:bin -> takeown.exe)
PID 3896 wrote to memory of 3184 (F-97:bin -> takeown.exe)
PID 3896 wrote to memory of 1768 (F-97:bin -> icacls.exe)
PID 3896 wrote to memory of 1768 (F-97:bin -> icacls.exe)
PID 3896 wrote to memory of 1768 (F-97:bin -> icacls.exe)
PID 3012 wrote to memory of 736 (F-97.exe -> cmd.exe)
PID 3012 wrote to memory of 736 (F-97.exe -> cmd.exe)
PID 3012 wrote to memory of 736 (F-97.exe -> cmd.exe)
PID 736 wrote to memory of 2640 (cmd.exe -> choice.exe)
PID 736 wrote to memory of 2640 (cmd.exe -> choice.exe)
PID 736 wrote to memory of 2640 (cmd.exe -> choice.exe)
PID 3896 wrote to memory of 3984 (F-97:bin -> cmd.exe)
PID 3896 wrote to memory of 3984 (F-97:bin -> cmd.exe)
PID 3896 wrote to memory of 3984 (F-97:bin -> cmd.exe)
PID 3100 wrote to memory of 2164 (5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe -> cmd.exe)
PID 3100 wrote to memory of 2164 (5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe -> cmd.exe)
PID 3100 wrote to memory of 2164 (5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe -> cmd.exe)
PID 2164 wrote to memory of 4048 (cmd.exe -> choice.exe)
PID 2164 wrote to memory of 4048 (cmd.exe -> choice.exe)
PID 2164 wrote to memory of 4048 (cmd.exe -> choice.exe)
PID 3984 wrote to memory of 3792 (cmd.exe -> choice.exe)
PID 3984 wrote to memory of 3792 (cmd.exe -> choice.exe)
PID 3984 wrote to memory of 3792 (cmd.exe -> choice.exe)
PID 736 wrote to memory of 3280 (cmd.exe -> attrib.exe)
PID 736 wrote to memory of 3280 (cmd.exe -> attrib.exe)
PID 736 wrote to memory of 3280 (cmd.exe -> attrib.exe)
PID 2164 wrote to memory of 3852 (cmd.exe -> attrib.exe)
PID 2164 wrote to memory of 3852 (cmd.exe -> attrib.exe)
PID 2164 wrote to memory of 3852 (cmd.exe -> attrib.exe)
PID 3984 wrote to memory of 1984 (cmd.exe -> attrib.exe)
PID 3984 wrote to memory of 1984 (cmd.exe -> attrib.exe)
PID 3984 wrote to memory of 1984 (cmd.exe -> attrib.exe)
Executes dropped EXE (2 IoCs)
Processes: F-97:bin, F-97.exe
PID 3896: F-97:bin
PID 3012: F-97.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
Token: SeBackupPrivilege (PID 3828, vssvc.exe)
Token: SeRestorePrivilege (PID 3828, vssvc.exe)
Token: SeAuditPrivilege (PID 3828, vssvc.exe)

Drops file in System32 directory (2 IoCs)
Processes: attrib.exe, F-97:bin
File opened for modification: C:\Windows\SysWOW64\F-97.exe (attrib.exe)
File opened for modification: C:\Windows\SysWOW64\F-97.exe (F-97:bin)

Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
PID 3184: takeown.exe
PID 1768: icacls.exe

Views/modifies file attributes (1 TTP, 3 IoCs)
Processes: attrib.exe, attrib.exe, attrib.exe
PID 3280: attrib.exe
PID 3852: attrib.exe
PID 1984: attrib.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
PID 3324: vssadmin.exe

Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (vssvc.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)

Modifies file permissions (1 TTP, 2 IoCs)
Processes: icacls.exe, takeown.exe
PID 1768: icacls.exe
PID 3184: takeown.exe

NTFS ADS (1 IoC)
Processes: 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\F-97:bin (5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe)
Processes

Level 1: "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" (PID 3100)
  Image: C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe
  - Suspicious use of WriteProcessMemory
  - NTFS ADS
  Level 2: C:\Users\Admin\AppData\Roaming\F-97:bin -r (PID 3896)
    Image: C:\Users\Admin\AppData\Roaming\F-97:bin
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Drops file in System32 directory
    Level 3: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet (PID 3324)
      Image: C:\Windows\system32\vssadmin.exe
      - Interacts with shadow copies
    Level 3: C:\Windows\system32\takeown.exe /F C:\Windows\system32\F-97.exe (PID 3184)
      Image: C:\Windows\SysWOW64\takeown.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    Level 3: C:\Windows\system32\icacls.exe C:\Windows\system32\F-97.exe /reset (PID 1768)
      Image: C:\Windows\SysWOW64\icacls.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    Level 3: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\F-97" & del "C:\Users\Admin\AppData\Roaming\F-97" (PID 3984)
      Image: C:\Windows\SysWOW64\cmd.exe
      - Suspicious use of WriteProcessMemory
      Level 4: choice /t 10 /d y (PID 3792)
        Image: C:\Windows\SysWOW64\choice.exe
      Level 4: attrib -h "C:\Users\Admin\AppData\Roaming\F-97" (PID 1984)
        Image: C:\Windows\SysWOW64\attrib.exe
        - Views/modifies file attributes
  Level 2: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" & del "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" (PID 2164)
    Image: C:\Windows\SysWOW64\cmd.exe
    - Suspicious use of WriteProcessMemory
    Level 3: choice /t 10 /d y (PID 4048)
      Image: C:\Windows\SysWOW64\choice.exe
    Level 3: attrib -h "C:\Users\Admin\AppData\Local\Temp\5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367.exe" (PID 3852)
      Image: C:\Windows\SysWOW64\attrib.exe
      - Views/modifies file attributes

Level 1: C:\Windows\system32\vssvc.exe (PID 3828)
  Image: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service

Level 1: C:\Windows\SysWOW64\F-97.exe -s (PID 3012)
  Image: C:\Windows\SysWOW64\F-97.exe
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  Level 2: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\F-97.exe" & del "C:\Windows\SysWOW64\F-97.exe" (PID 736)
    Image: C:\Windows\SysWOW64\cmd.exe
    - Suspicious use of WriteProcessMemory
    Level 3: choice /t 10 /d y (PID 2640)
      Image: C:\Windows\SysWOW64\choice.exe
    Level 3: attrib -h "C:\Windows\SysWOW64\F-97.exe" (PID 3280)
      Image: C:\Windows\SysWOW64\attrib.exe
      - Drops file in System32 directory
      - Views/modifies file attributes