bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

General
  Target:     bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  Filesize:   60KB
  Completed:  25-06-2020 05:32
  Score:      9/10
  MD5:        0ed2ca539a01cdb86c88a9a1604b2005
  SHA1:       4fed7eae00bfa21938e49f33b7c6794fd7d0750c
  SHA256:     bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
Malware Config

Signatures (13)
  Tactics: Defense Evasion, Impact, Persistence
  • Suspicious use of AdjustPrivilegeToken
    Process: vssvc.exe

    Reported IOCs

    description                 pid   process
    Token: SeBackupPrivilege    740   vssvc.exe
    Token: SeRestorePrivilege   740   vssvc.exe
    Token: SeAuditPrivilege     740   vssvc.exe
  • Modifies service
    Process: vssvc.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description   ioc                                                                                                         process
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                    vssvc.exe
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                  vssvc.exe
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                         vssvc.exe
    Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                    vssvc.exe
  • Modifies file permissions
    Processes: takeown.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid    process
    1804   takeown.exe
    1356   icacls.exe
  • Possible privilege escalation attempt
    Processes: takeown.exe, icacls.exe

    Reported IOCs

    pid    process
    1356   icacls.exe
    1804   takeown.exe
  • Loads dropped DLL
    Process: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

    Reported IOCs

    pid    process
    1456   bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
    1456   bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  • Suspicious use of WriteProcessMemory
    Processes: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe, Mpdev:bin, Mpdev.exe, cmd.exe, cmd.exe, cmd.exe

    Reported IOCs (identical rows collapsed; "count" is the number of times the row was reported)

    description                        pid    process                                                                 target process   count
    PID 1456 wrote to memory of 1484   1456   bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe   Mpdev:bin        4
    PID 1484 wrote to memory of 284    1484   Mpdev:bin                                                               vssadmin.exe     4
    PID 1484 wrote to memory of 1804   1484   Mpdev:bin                                                               takeown.exe      4
    PID 1484 wrote to memory of 1356   1484   Mpdev:bin                                                               icacls.exe       4
    PID 1760 wrote to memory of 1624   1760   Mpdev.exe                                                               cmd.exe          4
    PID 1624 wrote to memory of 1532   1624   cmd.exe                                                                 choice.exe       4
    PID 1484 wrote to memory of 1916   1484   Mpdev:bin                                                               cmd.exe          4
    PID 1456 wrote to memory of 1944   1456   bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe   cmd.exe          4
    PID 1916 wrote to memory of 1972   1916   cmd.exe                                                                 choice.exe       4
    PID 1944 wrote to memory of 1964   1944   cmd.exe                                                                 choice.exe       4
    PID 1624 wrote to memory of 1980   1624   cmd.exe                                                                 attrib.exe       4
    PID 1916 wrote to memory of 2040   1916   cmd.exe                                                                 attrib.exe       4
    PID 1944 wrote to memory of 2004   1944   cmd.exe                                                                 attrib.exe       4
  • Interacts with shadow copies
    Process: vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid   process
    284   vssadmin.exe
  • Drops file in System32 directory
    Processes: Mpdev:bin, attrib.exe

    Reported IOCs

    description                    ioc                            process
    File opened for modification   C:\Windows\SysWOW64\Mpdev.exe  Mpdev:bin
    File opened for modification   C:\Windows\SysWOW64\Mpdev.exe  attrib.exe
  • Views/modifies file attributes
    Processes: attrib.exe, attrib.exe, attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid    process
    1980   attrib.exe
    2040   attrib.exe
    2004   attrib.exe
  • NTFS ADS
    Process: bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

    Reported IOCs

    description                    ioc                                       process
    File opened for modification   C:\Users\Admin\AppData\Roaming\Mpdev:bin  bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE
    Processes: Mpdev:bin, Mpdev.exe

    Reported IOCs

    pid    process
    1484   Mpdev:bin
    1760   Mpdev.exe
  • Deletes itself
    Process: cmd.exe

    Reported IOCs

    pid    process
    1944   cmd.exe
Processes (16)
  • C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
    "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
    Loads dropped DLL
    NTFS ADS
    Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Users\Admin\AppData\Roaming\Mpdev:bin
      C:\Users\Admin\AppData\Roaming\Mpdev:bin -r
      Drops file in System32 directory
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
        PID:284
      • C:\Windows\SysWOW64\takeown.exe
        C:\Windows\system32\takeown.exe /F C:\Windows\system32\Mpdev.exe
        Modifies file permissions
        Possible privilege escalation attempt
        PID:1804
      • C:\Windows\SysWOW64\icacls.exe
        C:\Windows\system32\icacls.exe C:\Windows\system32\Mpdev.exe /reset
        Modifies file permissions
        Possible privilege escalation attempt
        PID:1356
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Mpdev" & del "C:\Users\Admin\AppData\Roaming\Mpdev"
        Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\choice.exe
          choice /t 10 /d y
          PID:1972
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Roaming\Mpdev"
          Views/modifies file attributes
          PID:2040
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
      Deletes itself
      Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:1964
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
        Views/modifies file attributes
        PID:2004
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:740
  • C:\Windows\SysWOW64\Mpdev.exe
    C:\Windows\SysWOW64\Mpdev.exe -s
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Mpdev.exe" & del "C:\Windows\SysWOW64\Mpdev.exe"
      Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:1532
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Windows\SysWOW64\Mpdev.exe"
        Drops file in System32 directory
        Views/modifies file attributes
        PID:1980
Network
MITRE ATT&CK Matrix
  Columns: Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\Mpdev:bin

  • C:\Windows\SysWOW64\Mpdev.exe

  • \Users\Admin\AppData\Roaming\Mpdev

  • memory/284-4-0x0000000000000000-mapping.dmp
  • memory/1356-8-0x0000000000000000-mapping.dmp
  • memory/1484-2-0x0000000000000000-mapping.dmp
  • memory/1532-11-0x0000000000000000-mapping.dmp
  • memory/1624-10-0x0000000000000000-mapping.dmp
  • memory/1804-6-0x0000000000000000-mapping.dmp
  • memory/1916-12-0x0000000000000000-mapping.dmp
  • memory/1944-13-0x0000000000000000-mapping.dmp
  • memory/1964-15-0x0000000000000000-mapping.dmp
  • memory/1972-14-0x0000000000000000-mapping.dmp
  • memory/1980-16-0x0000000000000000-mapping.dmp
  • memory/2004-18-0x0000000000000000-mapping.dmp
  • memory/2040-17-0x0000000000000000-mapping.dmp