Analysis
- max time kernel: 117s
- max time network: 140s
- platform: windows10_x64
- resource: win10v200430
- submitted: 26/06/2020, 08:58
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
  Resource: win7
- Behavioral task: behavioral2
  Sample: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
  Resource: win10v200430
General
- Target: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
- Size: 1.1MB
- MD5: 13e623cdfb75d99ea7e04c6157ca8ae6
- SHA1: f25f0b369a355f30f5e11ac11a7f644bcfefd963
- SHA256: aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772
- SHA512: ea6b5c882a5298e527be1f3c40cc6d75c56453dd0111d7e9818c28fa7ec32feb19f17cab9a9e49eb0ab9f3a987f7dcc5cadfea7ae99a996f174b0a89e674f421
Malware Config
Signatures
- Modifies file permissions (1 TTP, 2 IoCs)
  pid / Process: 3612 takeown.exe; 3856 icacls.exe
- Possible privilege escalation attempt (2 IoCs)
  pid / Process: 3612 takeown.exe; 3856 icacls.exe
- Views/modifies file attributes (1 TTP, 3 IoCs)
  pid / Process: 3788 attrib.exe; 1412 attrib.exe; 2124 attrib.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid / Process: 2772 vssadmin.exe
- Executes dropped EXE (2 IoCs)
  pid / Process: 2140 Classes:bin; 3948 Classes.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
    Token: SeBackupPrivilege / 3188 / vssvc.exe
    Token: SeRestorePrivilege / 3188 / vssvc.exe
    Token: SeAuditPrivilege / 3188 / vssvc.exe
- NTFS ADS (1 IoC)
  description / ioc / Process:
    File opened for modification / C:\Users\Admin\AppData\Roaming\Classes:bin / aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe
- Modifies service (2 TTPs, 5 IoCs)
  description / ioc / Process:
    Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer / vssvc.exe
    Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} / vssvc.exe
    Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer / vssvc.exe
    Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer / vssvc.exe
    Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer / vssvc.exe
- Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
    File opened for modification / C:\Windows\SysWOW64\Classes.exe / attrib.exe
    File opened for modification / C:\Windows\SysWOW64\Classes.exe / Classes:bin
- Suspicious use of WriteProcessMemory (38 IoCs)
  description / pid / Process / procid_target (identical consecutive rows collapsed; count in parentheses):
    PID 2016 wrote to memory of 2140 / 2016 / aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe / 68 (x3)
    PID 2140 wrote to memory of 2772 / 2140 / Classes:bin / 71 (x2)
    PID 2140 wrote to memory of 3612 / 2140 / Classes:bin / 75 (x3)
    PID 2140 wrote to memory of 3856 / 2140 / Classes:bin / 77 (x3)
    PID 3948 wrote to memory of 3924 / 3948 / Classes.exe / 81 (x3)
    PID 3924 wrote to memory of 724 / 3924 / cmd.exe / 83 (x3)
    PID 2140 wrote to memory of 672 / 2140 / Classes:bin / 84 (x3)
    PID 2016 wrote to memory of 640 / 2016 / aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe / 86 (x3)
    PID 672 wrote to memory of 932 / 672 / cmd.exe / 88 (x3)
    PID 640 wrote to memory of 1348 / 640 / cmd.exe / 89 (x3)
    PID 3924 wrote to memory of 3788 / 3924 / cmd.exe / 93 (x3)
    PID 640 wrote to memory of 1412 / 640 / cmd.exe / 94 (x3)
    PID 672 wrote to memory of 2124 / 672 / cmd.exe / 95 (x3)
Processes (process tree; indentation and the bracketed number show parent/child depth)

- [1] C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe (PID 2016)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
  Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Classes:bin (PID 2140)
    Command line: C:\Users\Admin\AppData\Roaming\Classes:bin -r
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\vssadmin.exe (PID 2772)
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures: Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\takeown.exe (PID 3612)
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Classes.exe
      Signatures: Modifies file permissions; Possible privilege escalation attempt
    - [3] C:\Windows\SysWOW64\icacls.exe (PID 3856)
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Classes.exe /reset
      Signatures: Modifies file permissions; Possible privilege escalation attempt
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 672)
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Classes" & del "C:\Users\Admin\AppData\Roaming\Classes"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\choice.exe (PID 932)
        Command line: choice /t 10 /d y
      - [4] C:\Windows\SysWOW64\attrib.exe (PID 2124)
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Classes"
        Signatures: Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 640)
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe" & del "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\choice.exe (PID 1348)
      Command line: choice /t 10 /d y
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 1412)
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\aa05e7a187ddec2e11fc1c9eafe61408d085b0ab6cd12caeaf531c9dca129772.exe"
      Signatures: Views/modifies file attributes
- [1] C:\Windows\system32\vssvc.exe (PID 3188)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Modifies service
- [1] C:\Windows\SysWOW64\Classes.exe (PID 3948)
  Command line: C:\Windows\SysWOW64\Classes.exe -s
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 3924)
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Classes.exe" & del "C:\Windows\SysWOW64\Classes.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\choice.exe (PID 724)
      Command line: choice /t 10 /d y
    - [3] C:\Windows\SysWOW64\attrib.exe (PID 3788)
      Command line: attrib -h "C:\Windows\SysWOW64\Classes.exe"
      Signatures: Views/modifies file attributes; Drops file in System32 directory