Analysis
-
max time kernel
128s -
max time network
39s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
25-06-2020 05:30
Static task
static1
Behavioral task
behavioral1
Sample
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Resource
win7
Behavioral task
behavioral2
Sample
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
Resource
win10v200430
General
-
Target
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
-
Size
60KB
-
MD5
0ed2ca539a01cdb86c88a9a1604b2005
-
SHA1
4fed7eae00bfa21938e49f33b7c6794fd7d0750c
-
SHA256
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
-
SHA512
34dad101cd7c5f9ff2267674d224986b9274e0e17d9ae665ca1af4ffa57408106238b1e248045465ab17c72a4b92473ab3714aefb705d95f9725a4251379c7e2
Score
9/10
Malware Config
Signatures
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 2188 attrib.exe 260 attrib.exe 280 attrib.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1516 vssvc.exe Token: SeRestorePrivilege 1516 vssvc.exe Token: SeAuditPrivilege 1516 vssvc.exe -
Executes dropped EXE 2 IoCs
Processes:
Resources:binResources.exepid process 1548 Resources:bin 3812 Resources.exe -
Drops file in System32 directory 2 IoCs
Processes:
Resources:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Resources.exe Resources:bin File opened for modification C:\Windows\SysWOW64\Resources.exe attrib.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 2604 takeown.exe 2824 icacls.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 2604 takeown.exe 2824 icacls.exe -
NTFS ADS 1 IoCs
Processes:
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Resources:bin bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1664 vssadmin.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exeResources:binResources.execmd.execmd.execmd.exedescription pid process target process PID 1484 wrote to memory of 1548 1484 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe Resources:bin PID 1484 wrote to memory of 1548 1484 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe Resources:bin PID 1484 wrote to memory of 1548 1484 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe Resources:bin PID 1548 wrote to memory of 1664 1548 Resources:bin vssadmin.exe PID 1548 wrote to memory of 1664 1548 Resources:bin vssadmin.exe PID 1548 wrote to memory of 2604 1548 Resources:bin takeown.exe PID 1548 wrote to memory of 2604 1548 Resources:bin takeown.exe PID 1548 wrote to memory of 2604 1548 Resources:bin takeown.exe PID 1548 wrote to memory of 2824 1548 Resources:bin icacls.exe PID 1548 wrote to memory of 2824 1548 Resources:bin icacls.exe PID 1548 wrote to memory of 2824 1548 Resources:bin icacls.exe PID 3812 wrote to memory of 3980 3812 Resources.exe cmd.exe PID 3812 wrote to memory of 3980 3812 Resources.exe cmd.exe PID 3812 wrote to memory of 3980 3812 Resources.exe cmd.exe PID 3980 wrote to memory of 984 3980 cmd.exe choice.exe PID 3980 wrote to memory of 984 3980 cmd.exe choice.exe PID 3980 wrote to memory of 984 3980 cmd.exe choice.exe PID 1548 wrote to memory of 1672 1548 Resources:bin cmd.exe PID 1548 wrote to memory of 1672 1548 Resources:bin cmd.exe PID 1548 wrote to memory of 1672 1548 Resources:bin cmd.exe PID 1484 wrote to memory of 3484 1484 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe cmd.exe PID 1484 wrote to memory of 3484 1484 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe cmd.exe PID 1484 wrote to memory of 3484 1484 bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe cmd.exe PID 1672 wrote to memory of 3776 1672 cmd.exe choice.exe PID 1672 wrote to memory of 3776 1672 cmd.exe choice.exe PID 1672 wrote to memory of 3776 1672 cmd.exe choice.exe PID 3484 wrote to memory of 980 3484 cmd.exe choice.exe PID 3484 wrote to memory of 980 3484 cmd.exe choice.exe PID 3484 wrote to memory of 980 3484 cmd.exe choice.exe PID 3980 wrote to memory of 2188 3980 cmd.exe attrib.exe PID 3980 wrote to memory of 2188 3980 cmd.exe attrib.exe PID 3980 wrote to memory of 2188 3980 cmd.exe attrib.exe PID 1672 wrote to memory of 260 1672 cmd.exe attrib.exe PID 1672 wrote to memory of 260 1672 cmd.exe attrib.exe PID 1672 wrote to memory of 260 1672 cmd.exe attrib.exe PID 3484 wrote to memory of 280 3484 cmd.exe attrib.exe PID 3484 wrote to memory of 280 3484 cmd.exe attrib.exe PID 3484 wrote to memory of 280 3484 cmd.exe attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Resources:binC:\Users\Admin\AppData\Roaming\Resources:bin -r
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Resources.exe
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Resources.exe /reset
- Modifies file permissions
- Possible privilege escalation attempt
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Resources" & del "C:\Users\Admin\AppData\Roaming\Resources"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Resources"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Resources.exeC:\Windows\SysWOW64\Resources.exe -s
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Resources.exe" & del "C:\Windows\SysWOW64\Resources.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Resources.exe"
- Views/modifies file attributes
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Resources:bin
-
C:\Users\Admin\AppData\Roaming\Resources:bin
-
C:\Windows\SysWOW64\Resources.exe
-
C:\Windows\SysWOW64\Resources.exe
-
memory/260-15-0x0000000000000000-mapping.dmp
-
memory/280-16-0x0000000000000000-mapping.dmp
-
memory/980-13-0x0000000000000000-mapping.dmp
-
memory/984-9-0x0000000000000000-mapping.dmp
-
memory/1548-0-0x0000000000000000-mapping.dmp
-
memory/1664-3-0x0000000000000000-mapping.dmp
-
memory/1672-10-0x0000000000000000-mapping.dmp
-
memory/2188-14-0x0000000000000000-mapping.dmp
-
memory/2604-4-0x0000000000000000-mapping.dmp
-
memory/2824-6-0x0000000000000000-mapping.dmp
-
memory/3484-11-0x0000000000000000-mapping.dmp
-
memory/3776-12-0x0000000000000000-mapping.dmp
-
memory/3980-8-0x0000000000000000-mapping.dmp