bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

General
Target

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

Filesize

60KB

Completed

25-06-2020 05:32

Score
9 /10
MD5

0ed2ca539a01cdb86c88a9a1604b2005

SHA1

4fed7eae00bfa21938e49f33b7c6794fd7d0750c

SHA256

bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

Malware Config
Signatures 11

Filter: none

Defense Evasion
Impact
Persistence
  • Modifies service
    vssvc.exe

    Tags

    TTPs

    Modify RegistryModify Existing Service

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}vssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writervssvc.exe
    Key created\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writervssvc.exe
  • Views/modifies file attributes
    attrib.exeattrib.exeattrib.exe

    Tags

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pidprocess
    2188attrib.exe
    260attrib.exe
    280attrib.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege1516vssvc.exe
    Token: SeRestorePrivilege1516vssvc.exe
    Token: SeAuditPrivilege1516vssvc.exe
  • Executes dropped EXE
    Resources:binResources.exe

    Reported IOCs

    pidprocess
    1548Resources:bin
    3812Resources.exe
  • Drops file in System32 directory
    Resources:binattrib.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\SysWOW64\Resources.exeResources:bin
    File opened for modificationC:\Windows\SysWOW64\Resources.exeattrib.exe
  • Modifies file permissions
    takeown.exeicacls.exe

    Tags

    TTPs

    File Permissions Modification

    Reported IOCs

    pidprocess
    2604takeown.exe
    2824icacls.exe
  • Possible privilege escalation attempt
    takeown.exeicacls.exe

    Tags

    Reported IOCs

    pidprocess
    2604takeown.exe
    2824icacls.exe
  • NTFS ADS
    bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Users\Admin\AppData\Roaming\Resources:binbcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File DeletionInhibit System Recovery

    Reported IOCs

    pidprocess
    1664vssadmin.exe
  • Suspicious use of WriteProcessMemory
    bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exeResources:binResources.execmd.execmd.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1484 wrote to memory of 15481484bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exeResources:bin
    PID 1484 wrote to memory of 15481484bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exeResources:bin
    PID 1484 wrote to memory of 15481484bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exeResources:bin
    PID 1548 wrote to memory of 16641548Resources:binvssadmin.exe
    PID 1548 wrote to memory of 16641548Resources:binvssadmin.exe
    PID 1548 wrote to memory of 26041548Resources:bintakeown.exe
    PID 1548 wrote to memory of 26041548Resources:bintakeown.exe
    PID 1548 wrote to memory of 26041548Resources:bintakeown.exe
    PID 1548 wrote to memory of 28241548Resources:binicacls.exe
    PID 1548 wrote to memory of 28241548Resources:binicacls.exe
    PID 1548 wrote to memory of 28241548Resources:binicacls.exe
    PID 3812 wrote to memory of 39803812Resources.execmd.exe
    PID 3812 wrote to memory of 39803812Resources.execmd.exe
    PID 3812 wrote to memory of 39803812Resources.execmd.exe
    PID 3980 wrote to memory of 9843980cmd.exechoice.exe
    PID 3980 wrote to memory of 9843980cmd.exechoice.exe
    PID 3980 wrote to memory of 9843980cmd.exechoice.exe
    PID 1548 wrote to memory of 16721548Resources:bincmd.exe
    PID 1548 wrote to memory of 16721548Resources:bincmd.exe
    PID 1548 wrote to memory of 16721548Resources:bincmd.exe
    PID 1484 wrote to memory of 34841484bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.execmd.exe
    PID 1484 wrote to memory of 34841484bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.execmd.exe
    PID 1484 wrote to memory of 34841484bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.execmd.exe
    PID 1672 wrote to memory of 37761672cmd.exechoice.exe
    PID 1672 wrote to memory of 37761672cmd.exechoice.exe
    PID 1672 wrote to memory of 37761672cmd.exechoice.exe
    PID 3484 wrote to memory of 9803484cmd.exechoice.exe
    PID 3484 wrote to memory of 9803484cmd.exechoice.exe
    PID 3484 wrote to memory of 9803484cmd.exechoice.exe
    PID 3980 wrote to memory of 21883980cmd.exeattrib.exe
    PID 3980 wrote to memory of 21883980cmd.exeattrib.exe
    PID 3980 wrote to memory of 21883980cmd.exeattrib.exe
    PID 1672 wrote to memory of 2601672cmd.exeattrib.exe
    PID 1672 wrote to memory of 2601672cmd.exeattrib.exe
    PID 1672 wrote to memory of 2601672cmd.exeattrib.exe
    PID 3484 wrote to memory of 2803484cmd.exeattrib.exe
    PID 3484 wrote to memory of 2803484cmd.exeattrib.exe
    PID 3484 wrote to memory of 2803484cmd.exeattrib.exe
Processes 16
  • C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe
    "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
    NTFS ADS
    Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Users\Admin\AppData\Roaming\Resources:bin
      C:\Users\Admin\AppData\Roaming\Resources:bin -r
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\system32\vssadmin.exe
        C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
        PID:1664
      • C:\Windows\SysWOW64\takeown.exe
        C:\Windows\system32\takeown.exe /F C:\Windows\system32\Resources.exe
        Modifies file permissions
        Possible privilege escalation attempt
        PID:2604
      • C:\Windows\SysWOW64\icacls.exe
        C:\Windows\system32\icacls.exe C:\Windows\system32\Resources.exe /reset
        Modifies file permissions
        Possible privilege escalation attempt
        PID:2824
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Resources" & del "C:\Users\Admin\AppData\Roaming\Resources"
        Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\SysWOW64\choice.exe
          choice /t 10 /d y
          PID:3776
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Roaming\Resources"
          Views/modifies file attributes
          PID:260
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe" & del "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
      Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:980
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Local\Temp\bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8.exe"
        Views/modifies file attributes
        PID:280
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:1516
  • C:\Windows\SysWOW64\Resources.exe
    C:\Windows\SysWOW64\Resources.exe -s
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Resources.exe" & del "C:\Windows\SysWOW64\Resources.exe"
      Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\SysWOW64\choice.exe
        choice /t 10 /d y
        PID:984
      • C:\Windows\SysWOW64\attrib.exe
        attrib -h "C:\Windows\SysWOW64\Resources.exe"
        Views/modifies file attributes
        Drops file in System32 directory
        PID:2188
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • C:\Users\Admin\AppData\Roaming\Resources:bin

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Resources:bin

                      Download Submit

                    • C:\Windows\SysWOW64\Resources.exe

                      Download Submit

                    • C:\Windows\SysWOW64\Resources.exe

                      Download Submit

                    • memory/260-15-0x0000000000000000-mapping.dmp

                      Download

                    • memory/280-16-0x0000000000000000-mapping.dmp

                      Download

                    • memory/980-13-0x0000000000000000-mapping.dmp

                      Download

                    • memory/984-9-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1548-0-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1664-3-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1672-10-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2188-14-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2604-4-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2824-6-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3484-11-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3776-12-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3980-8-0x0000000000000000-mapping.dmp

                      Download