Analysis

max time kernel: 68s
max time network: 120s
platform: windows10_x64
resource: win10
submitted: 28/06/2020, 16:12
Static task: static1

Behavioral task: behavioral1
  Sample: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
  Resource: win7v200430

Behavioral task: behavioral2
  Sample: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
  Resource: win10
General

Target: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
Size: 156KB
MD5: fcd21c6fca3b9378961aa1865bee7ecb
SHA1: 0abaa05da2a05977e0baf68838cff1712f1789e0
SHA256: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
SHA512: e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a
Malware Config

Extracted: C:\odt\!TXDOT_READ_ME!.txt
Signatures

Suspicious use of WriteProcessMemory (26 IoCs)

description                       pid   Process                                                               procid_target
PID 3100 wrote to memory of 3060  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  72
PID 3100 wrote to memory of 3608  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  73
PID 3100 wrote to memory of 3060  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  72
PID 3100 wrote to memory of 3608  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  73
PID 3100 wrote to memory of 736   3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  70
PID 3100 wrote to memory of 736   3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  70
PID 3100 wrote to memory of 3780  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  74
PID 3100 wrote to memory of 3780  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  74
PID 3100 wrote to memory of 3668  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  75
PID 3100 wrote to memory of 3668  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  75
PID 3100 wrote to memory of 2328  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  77
PID 3100 wrote to memory of 2328  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  77
PID 3100 wrote to memory of 3768  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  76
PID 3100 wrote to memory of 3768  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  76
PID 3100 wrote to memory of 3132  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  78
PID 3100 wrote to memory of 3132  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  78
PID 3100 wrote to memory of 3132  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  78
PID 3100 wrote to memory of 2324  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  79
PID 3100 wrote to memory of 2324  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  79
PID 3100 wrote to memory of 3612  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  69
PID 3100 wrote to memory of 3612  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  69
PID 3100 wrote to memory of 3612  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  69
PID 3100 wrote to memory of 3136  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  80
PID 3100 wrote to memory of 3136  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  80
PID 3100 wrote to memory of 3164  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  71
PID 3100 wrote to memory of 3164  3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  71
Suspicious use of AdjustPrivilegeToken (13 IoCs)

description                 pid   Process
Token: SeSecurityPrivilege  2324  wevtutil.exe
Token: SeBackupPrivilege    2324  wevtutil.exe
Token: SeSecurityPrivilege  3768  wevtutil.exe
Token: SeBackupPrivilege    3768  wevtutil.exe
Token: SeSecurityPrivilege  3164  wevtutil.exe
Token: SeBackupPrivilege    3164  wevtutil.exe
Token: SeSecurityPrivilege  3136  wevtutil.exe
Token: SeBackupPrivilege    3136  wevtutil.exe
Token: SeSecurityPrivilege  2328  wevtutil.exe
Token: SeBackupPrivilege    2328  wevtutil.exe
Token: SeBackupPrivilege    3032  wbengine.exe
Token: SeRestorePrivilege   3032  wbengine.exe
Token: SeSecurityPrivilege  3032  wbengine.exe
Disables use of System Restore points (1 TTPs)

Clears Windows event logs (1 TTPs)
Suspicious behavior: EnumeratesProcesses (16 IoCs)

pid   Process
3100  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe (this same row is reported 16 times)
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)

pid   Process
3608  bcdedit.exe
3780  bcdedit.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)

SCSI information is often read in order to detect sandboxing environments.

description        ioc                                                                                                                     Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                          vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName             vds.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000                  vds.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName     vds.exe
Deletes system backup catalog (2 TTPs)

Ransomware often tries to delete backup files to inhibit system recovery.

pid   Process
3060  wbadmin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe (depth 1, PID 3100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cipher.exe (depth 2, PID 3612)
      Command line: "C:\Windows\System32\cipher.exe" /w:C:

    C:\Windows\System32\schtasks.exe (depth 2, PID 736)
      Command line: "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

    C:\Windows\System32\wevtutil.exe (depth 2, PID 3164)
      Command line: "C:\Windows\System32\wevtutil.exe" cl Security
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\wbadmin.exe (depth 2, PID 3060)
      Command line: "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
      - Deletes backup catalog

    C:\Windows\System32\bcdedit.exe (depth 2, PID 3608)
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    C:\Windows\System32\bcdedit.exe (depth 2, PID 3780)
      Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

    C:\Windows\System32\fsutil.exe (depth 2, PID 3668)
      Command line: "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:

    C:\Windows\System32\wevtutil.exe (depth 2, PID 3768)
      Command line: "C:\Windows\System32\wevtutil.exe" cl Setup
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\wevtutil.exe (depth 2, PID 2328)
      Command line: "C:\Windows\System32\wevtutil.exe" sl Security /e:false
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cipher.exe (depth 2, PID 3132)
      Command line: "C:\Windows\System32\cipher.exe" /w:D:

    C:\Windows\System32\wevtutil.exe (depth 2, PID 2324)
      Command line: "C:\Windows\System32\wevtutil.exe" cl Application
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\wevtutil.exe (depth 2, PID 3136)
      Command line: "C:\Windows\System32\wevtutil.exe" cl System
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (depth 1, PID 3032)
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe (depth 1, PID 3448)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe (depth 1, PID 2164)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)