Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows7_x64
- resource: win7
- submitted: 26-06-2020 08:58
- Static task: static1
- Behavioral task behavioral1: sample aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe, resource win7
- Behavioral task behavioral2: sample aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe, resource win10v200430

General
- Target: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
- Size: 1.1MB
- MD5: 13e623cdfb75d99ea7e04c6157ca8ae6
- SHA1: f25f0b369a355f30f5e11ac11a7f644bcfefd963
- SHA256: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
- SHA512: ea6b5c882a5298e527be1f3c40cc6d75c56453dd0111d7e9818c28fa7ec32feb19f17cab9a9e49eb0ab9f3a987f7dcc5cadfea7ae99a996f174b0a89e674f421
Malware Config
Signatures
- Drops file in System32 directory (2 IoCs)
  Processes: Pn:bin, attrib.exe
  - File opened for modification: C:\Windows\SysWOW64\Pn.exe (process: Pn:bin)
  - File opened for modification: C:\Windows\SysWOW64\Pn.exe (process: attrib.exe)
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe, Pn:bin, Pn.exe, cmd.exe, cmd.exe, cmd.exe
  13 distinct parent/target pairs, each recorded 4 times (52 entries in total):
  - PID 608 aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe wrote to memory of PID 316 Pn:bin
  - PID 316 Pn:bin wrote to memory of PID 1460 vssadmin.exe
  - PID 316 Pn:bin wrote to memory of PID 1680 takeown.exe
  - PID 316 Pn:bin wrote to memory of PID 1816 icacls.exe
  - PID 1764 Pn.exe wrote to memory of PID 1836 cmd.exe
  - PID 1836 cmd.exe wrote to memory of PID 1632 choice.exe
  - PID 316 Pn:bin wrote to memory of PID 1576 cmd.exe
  - PID 608 aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe wrote to memory of PID 1636 cmd.exe
  - PID 1576 cmd.exe wrote to memory of PID 1568 choice.exe
  - PID 1636 cmd.exe wrote to memory of PID 1620 choice.exe
  - PID 1836 cmd.exe wrote to memory of PID 1932 attrib.exe
  - PID 1576 cmd.exe wrote to memory of PID 1968 attrib.exe
  - PID 1636 cmd.exe wrote to memory of PID 1896 attrib.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  - PID 1680 takeown.exe
  - PID 1816 icacls.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  - PID 1460 vssadmin.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (process: vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (process: vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (process: vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (process: vssvc.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (process: vssvc.exe)
- NTFS ADS (1 IoC)
  Processes: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Pn:bin (process: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  - PID 1680 takeown.exe
  - PID 1816 icacls.exe
- Loads dropped DLL (2 IoCs)
  Processes: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
  - PID 608 aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe (recorded twice)
- Executes dropped EXE (2 IoCs)
  Processes: Pn:bin, Pn.exe
  - PID 316 Pn:bin
  - PID 1764 Pn.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  - Token: SeBackupPrivilege, PID 876 vssvc.exe
  - Token: SeRestorePrivilege, PID 876 vssvc.exe
  - Token: SeAuditPrivilege, PID 876 vssvc.exe
- Deletes itself (1 IoC)
  Processes: cmd.exe
  - PID 1636 cmd.exe
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes: attrib.exe, attrib.exe, attrib.exe
  - PID 1968 attrib.exe
  - PID 1932 attrib.exe
  - PID 1896 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
  - Suspicious use of WriteProcessMemory
  - NTFS ADS
  - Loads dropped DLL
  - C:\Users\Admin\AppData\Roaming\Pn:bin
    Command line: C:\Users\Admin\AppData\Roaming\Pn:bin -r
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Pn.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Pn.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Pn" & del "C:\Users\Admin\AppData\Roaming\Pn"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Pn"
        - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe" & del "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
    - Suspicious use of WriteProcessMemory
    - Deletes itself
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
      - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Pn.exe
  Command line: C:\Windows\SysWOW64\Pn.exe -s
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Pn.exe" & del "C:\Windows\SysWOW64\Pn.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Pn.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Pn:bin
- C:\Windows\SysWOW64\Pn.exe
- \Users\Admin\AppData\Roaming\Pn
- memory/316-2-0x0000000000000000-mapping.dmp
- memory/1460-4-0x0000000000000000-mapping.dmp
- memory/1568-14-0x0000000000000000-mapping.dmp
- memory/1576-12-0x0000000000000000-mapping.dmp
- memory/1620-15-0x0000000000000000-mapping.dmp
- memory/1632-11-0x0000000000000000-mapping.dmp
- memory/1636-13-0x0000000000000000-mapping.dmp
- memory/1680-6-0x0000000000000000-mapping.dmp
- memory/1816-8-0x0000000000000000-mapping.dmp
- memory/1836-10-0x0000000000000000-mapping.dmp
- memory/1896-18-0x0000000000000000-mapping.dmp
- memory/1932-16-0x0000000000000000-mapping.dmp
- memory/1968-17-0x0000000000000000-mapping.dmp