Analysis
- max time kernel: 117s
- max time network: 140s
- platform: windows10_x64
- resource: win10v200430
- submitted: 26-06-2020 08:58
Static task: static1
Behavioral task: behavioral1
- Sample: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
- Resource: win10v200430
General
- Target: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
- Size: 1.1MB
- MD5: 13e623cdfb75d99ea7e04c6157ca8ae6
- SHA1: f25f0b369a355f30f5e11ac11a7f644bcfefd963
- SHA256: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
- SHA512: ea6b5c882a5298e527be1f3c40cc6d75c56453dd0111d7e9818c28fa7ec32feb19f17cab9a9e49eb0ab9f3a987f7dcc5cadfea7ae99a996f174b0a89e674f421
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid | process):
  - 3612 | takeown.exe
  - 3856 | icacls.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid | process):
  - 3612 | takeown.exe
  - 3856 | icacls.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes (pid | process):
  - 3788 | attrib.exe
  - 1412 | attrib.exe
  - 2124 | attrib.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
  - 2772 | vssadmin.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 2140 | Classes:bin
  - 3948 | Classes.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  - Token: SeBackupPrivilege | 3188 | vssvc.exe
  - Token: SeRestorePrivilege | 3188 | vssvc.exe
  - Token: SeAuditPrivilege | 3188 | vssvc.exe
- NTFS ADS (1 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Classes:bin | aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
- Modifies service (2 TTPs, 5 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\SysWOW64\Classes.exe | attrib.exe
  - File opened for modification | C:\Windows\SysWOW64\Classes.exe | Classes:bin
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (description | pid | process | target process); the event count in brackets is how many times the report records each row:
  - PID 2016 wrote to memory of 2140 | 2016 | aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe | Classes:bin (3 events)
  - PID 2140 wrote to memory of 2772 | 2140 | Classes:bin | vssadmin.exe (2 events)
  - PID 2140 wrote to memory of 3612 | 2140 | Classes:bin | takeown.exe (3 events)
  - PID 2140 wrote to memory of 3856 | 2140 | Classes:bin | icacls.exe (3 events)
  - PID 3948 wrote to memory of 3924 | 3948 | Classes.exe | cmd.exe (3 events)
  - PID 3924 wrote to memory of 724 | 3924 | cmd.exe | choice.exe (3 events)
  - PID 2140 wrote to memory of 672 | 2140 | Classes:bin | cmd.exe (3 events)
  - PID 2016 wrote to memory of 640 | 2016 | aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe | cmd.exe (3 events)
  - PID 672 wrote to memory of 932 | 672 | cmd.exe | choice.exe (3 events)
  - PID 640 wrote to memory of 1348 | 640 | cmd.exe | choice.exe (3 events)
  - PID 3924 wrote to memory of 3788 | 3924 | cmd.exe | attrib.exe (3 events)
  - PID 640 wrote to memory of 1412 | 640 | cmd.exe | attrib.exe (3 events)
  - PID 672 wrote to memory of 2124 | 672 | cmd.exe | attrib.exe (3 events)
Processes (indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
  Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Classes:bin
    Command line: C:\Users\Admin\AppData\Roaming\Classes:bin -r
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Classes.exe
      Signatures: Modifies file permissions; Possible privilege escalation attempt
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Classes.exe /reset
      Signatures: Modifies file permissions; Possible privilege escalation attempt
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Classes" & del "C:\Users\Admin\AppData\Roaming\Classes"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Classes"
        Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe" & del "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
      Signatures: Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service
- C:\Windows\SysWOW64\Classes.exe
  Command line: C:\Windows\SysWOW64\Classes.exe -s
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Classes.exe" & del "C:\Windows\SysWOW64\Classes.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Classes.exe"
      Signatures: Views/modifies file attributes; Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Classes:bin
- C:\Users\Admin\AppData\Roaming\Classes:bin
- C:\Windows\SysWOW64\Classes.exe
- C:\Windows\SysWOW64\Classes.exe
- memory/640-11-0x0000000000000000-mapping.dmp
- memory/672-10-0x0000000000000000-mapping.dmp
- memory/724-9-0x0000000000000000-mapping.dmp
- memory/932-12-0x0000000000000000-mapping.dmp
- memory/1348-13-0x0000000000000000-mapping.dmp
- memory/1412-15-0x0000000000000000-mapping.dmp
- memory/2124-16-0x0000000000000000-mapping.dmp
- memory/2140-0-0x0000000000000000-mapping.dmp
- memory/2772-3-0x0000000000000000-mapping.dmp
- memory/3612-4-0x0000000000000000-mapping.dmp
- memory/3788-14-0x0000000000000000-mapping.dmp
- memory/3856-6-0x0000000000000000-mapping.dmp
- memory/3924-8-0x0000000000000000-mapping.dmp