Analysis
-
max time kernel
75s -
max time network
137s -
platform
windows10_x64 -
resource
win10 -
submitted
26-06-2020 13:11
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7v200430
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
sample.exe
-
Size
56KB
-
MD5
ecb00e9a61f99a7d4c90723294986bbc
-
SHA1
be59c867da75e2a66b8c2519e950254f817cd4ad
-
SHA256
8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
-
SHA512
9dee79827d865de41a63962b419eed7e1f9610ff27f00f8b7b2b9f51e905d5db907d310da590d8f1a11ac88e549373edf39bffdb44d1b205728f1b5e0a43aa5e
Score
9/10
Malware Config
Signatures
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3200 vssadmin.exe -
Drops file in System32 directory 2 IoCs
Processes:
Launch:binattrib.exedescription ioc process File opened for modification C:\Windows\SysWOW64\Launch.exe Launch:bin File opened for modification C:\Windows\SysWOW64\Launch.exe attrib.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 3200 attrib.exe 688 attrib.exe 1660 attrib.exe -
NTFS ADS 1 IoCs
Processes:
sample.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Launch:bin sample.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
sample.exeLaunch:binLaunch.execmd.execmd.execmd.exedescription pid process target process PID 3412 wrote to memory of 3836 3412 sample.exe Launch:bin PID 3412 wrote to memory of 3836 3412 sample.exe Launch:bin PID 3412 wrote to memory of 3836 3412 sample.exe Launch:bin PID 3836 wrote to memory of 3200 3836 Launch:bin vssadmin.exe PID 3836 wrote to memory of 3200 3836 Launch:bin vssadmin.exe PID 3836 wrote to memory of 1812 3836 Launch:bin takeown.exe PID 3836 wrote to memory of 1812 3836 Launch:bin takeown.exe PID 3836 wrote to memory of 1812 3836 Launch:bin takeown.exe PID 3836 wrote to memory of 732 3836 Launch:bin icacls.exe PID 3836 wrote to memory of 732 3836 Launch:bin icacls.exe PID 3836 wrote to memory of 732 3836 Launch:bin icacls.exe PID 3040 wrote to memory of 2788 3040 Launch.exe cmd.exe PID 3040 wrote to memory of 2788 3040 Launch.exe cmd.exe PID 3040 wrote to memory of 2788 3040 Launch.exe cmd.exe PID 2788 wrote to memory of 3912 2788 cmd.exe choice.exe PID 2788 wrote to memory of 3912 2788 cmd.exe choice.exe PID 2788 wrote to memory of 3912 2788 cmd.exe choice.exe PID 3836 wrote to memory of 3692 3836 Launch:bin cmd.exe PID 3836 wrote to memory of 3692 3836 Launch:bin cmd.exe PID 3836 wrote to memory of 3692 3836 Launch:bin cmd.exe PID 3412 wrote to memory of 3764 3412 sample.exe cmd.exe PID 3412 wrote to memory of 3764 3412 sample.exe cmd.exe PID 3412 wrote to memory of 3764 3412 sample.exe cmd.exe PID 3692 wrote to memory of 3608 3692 cmd.exe choice.exe PID 3692 wrote to memory of 3608 3692 cmd.exe choice.exe PID 3692 wrote to memory of 3608 3692 cmd.exe choice.exe PID 3764 wrote to memory of 256 3764 cmd.exe choice.exe PID 3764 wrote to memory of 256 3764 cmd.exe choice.exe PID 3764 wrote to memory of 256 3764 cmd.exe choice.exe PID 2788 wrote to memory of 3200 2788 cmd.exe attrib.exe PID 2788 wrote to memory of 3200 2788 cmd.exe attrib.exe PID 2788 wrote to memory of 3200 2788 cmd.exe attrib.exe PID 3692 wrote to memory of 688 3692 cmd.exe attrib.exe PID 3692 wrote to memory of 688 3692 cmd.exe attrib.exe PID 3692 wrote to memory of 688 3692 cmd.exe attrib.exe PID 3764 wrote to memory of 1660 3764 cmd.exe attrib.exe PID 3764 wrote to memory of 1660 3764 cmd.exe attrib.exe PID 3764 wrote to memory of 1660 3764 cmd.exe attrib.exe -
Executes dropped EXE 2 IoCs
Processes:
Launch:binLaunch.exepid process 3836 Launch:bin 3040 Launch.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 1812 takeown.exe 732 icacls.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3892 vssvc.exe Token: SeRestorePrivilege 3892 vssvc.exe Token: SeAuditPrivilege 3892 vssvc.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 1812 takeown.exe 732 icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Launch:binC:\Users\Admin\AppData\Roaming\Launch:bin -r2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /F C:\Windows\system32\Launch.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe C:\Windows\system32\Launch.exe /reset3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Launch" & del "C:\Users\Admin\AppData\Roaming\Launch"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\Launch"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\sample.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\sample.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\SysWOW64\Launch.exeC:\Windows\SysWOW64\Launch.exe -s1⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Launch.exe" & del "C:\Windows\SysWOW64\Launch.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /t 10 /d y3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -h "C:\Windows\SysWOW64\Launch.exe"3⤵
- Drops file in System32 directory
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Launch:bin
-
C:\Users\Admin\AppData\Roaming\Launch:bin
-
C:\Windows\SysWOW64\Launch.exe
-
C:\Windows\SysWOW64\Launch.exe
-
memory/256-13-0x0000000000000000-mapping.dmp
-
memory/688-15-0x0000000000000000-mapping.dmp
-
memory/732-6-0x0000000000000000-mapping.dmp
-
memory/1660-16-0x0000000000000000-mapping.dmp
-
memory/1812-4-0x0000000000000000-mapping.dmp
-
memory/2788-8-0x0000000000000000-mapping.dmp
-
memory/3200-14-0x0000000000000000-mapping.dmp
-
memory/3200-3-0x0000000000000000-mapping.dmp
-
memory/3608-12-0x0000000000000000-mapping.dmp
-
memory/3692-10-0x0000000000000000-mapping.dmp
-
memory/3764-11-0x0000000000000000-mapping.dmp
-
memory/3836-0-0x0000000000000000-mapping.dmp
-
memory/3912-9-0x0000000000000000-mapping.dmp