Analysis
max time kernel: 147s
max time network: 119s
platform: windows7_x64
resource: win7v200430
submitted: 30-06-2020 12:30
Static task: static1
Behavioral task: behavioral1 (Sample: 1.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: 1.exe, Resource: win10)
General
Target: 1.exe
Size: 2.0MB
MD5: f8290f2d593a05ea811edbd3bff6eacc
SHA1: 497985116f4ebaa05f1774c16adb5aa52b8e9756
SHA256: 01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993
SHA512: 97e4563b6112e4f6c7ee46cc1e18de931d4e052d387e6c37f7fdd7d352ef817778bd95041eeaf05e2bdf657afa1b09e52f4933ca22c6ea8f98983d8c13b56c14
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes: wmic.exe, vssvc.exe, wmic.exe, wmic.exe
description / pid / process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 / 1524 / wmic.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege / 1756 / vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 / 712 / wmic.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 / 1596 / wmic.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
pid / process
1736 / vssadmin.exe
568 / vssadmin.exe
1860 / vssadmin.exe
System policy modification 1 TTPs 1 IoCs
Processes: 1.exe
description / ioc / process
Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" / 1.exe
Checks whether UAC is enabled
Processes: 1.exe
description / ioc / process
Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" / 1.exe
Suspicious behavior: EnumeratesProcesses 715 IoCs
Processes: 1.exe
pid / process
1292 / 1.exe (every listed entry is this same pid and process)
Suspicious use of WriteProcessMemory 24 IoCs
Processes: 1.exe
description / pid / process / target process
PID 1292 wrote to memory of 1524 / 1292 / 1.exe / wmic.exe (4 entries)
PID 1292 wrote to memory of 1736 / 1292 / 1.exe / vssadmin.exe (4 entries)
PID 1292 wrote to memory of 712 / 1292 / 1.exe / wmic.exe (4 entries)
PID 1292 wrote to memory of 568 / 1292 / 1.exe / vssadmin.exe (4 entries)
PID 1292 wrote to memory of 1596 / 1292 / 1.exe / wmic.exe (4 entries)
PID 1292 wrote to memory of 1860 / 1292 / 1.exe / vssadmin.exe (4 entries)
UAC bypass
Processes: 1.exe
description / ioc / process
Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" / 1.exe
Set value (int) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" / 1.exe
Modifies service 2 TTPs 4 IoCs
Processes: vssvc.exe
description / ioc / process
Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer / vssvc.exe
Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer / vssvc.exe
Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer / vssvc.exe
Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer / vssvc.exe
Drops desktop.ini file(s) 1 IoCs
Processes: 1.exe
description / ioc / process
File opened for modification / \??\Z:\$RECYCLE.BIN\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini / 1.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc
3 / api.myip.com
4 / api.myip.com
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Enumerates connected drives 3 TTPs
Processes
C:\Users\Admin\AppData\Local\Temp\1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - System policy modification
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - UAC bypass
  - Drops desktop.ini file(s)
  C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\vssadmin.exe (depth 2)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\vssadmin.exe (depth 2)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\vssadmin.exe (depth 2)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/568-3-0x0000000000000000-mapping.dmp
- memory/712-2-0x0000000000000000-mapping.dmp
- memory/1524-0-0x0000000000000000-mapping.dmp
- memory/1596-4-0x0000000000000000-mapping.dmp
- memory/1736-1-0x0000000000000000-mapping.dmp
- memory/1860-5-0x0000000000000000-mapping.dmp