01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993

General

Target

1.exe
Size

2.0MB
MD5

f8290f2d593a05ea811edbd3bff6eacc
SHA1

497985116f4ebaa05f1774c16adb5aa52b8e9756
SHA256

01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993
SHA512

97e4563b6112e4f6c7ee46cc1e18de931d4e052d387e6c37f7fdd7d352ef817778bd95041eeaf05e2bdf657afa1b09e52f4933ca22c6ea8f98983d8c13b56c14

Score

10^/10

ransomware evasion trojan persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

wmic.exevssvc.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1524	wmic.exe
Token: SeSecurityPrivilege	1524	wmic.exe
Token: SeTakeOwnershipPrivilege	1524	wmic.exe
Token: SeLoadDriverPrivilege	1524	wmic.exe
Token: SeSystemProfilePrivilege	1524	wmic.exe
Token: SeSystemtimePrivilege	1524	wmic.exe
Token: SeProfSingleProcessPrivilege	1524	wmic.exe
Token: SeIncBasePriorityPrivilege	1524	wmic.exe
Token: SeCreatePagefilePrivilege	1524	wmic.exe
Token: SeBackupPrivilege	1524	wmic.exe
Token: SeRestorePrivilege	1524	wmic.exe
Token: SeShutdownPrivilege	1524	wmic.exe
Token: SeDebugPrivilege	1524	wmic.exe
Token: SeSystemEnvironmentPrivilege	1524	wmic.exe
Token: SeRemoteShutdownPrivilege	1524	wmic.exe
Token: SeUndockPrivilege	1524	wmic.exe
Token: SeManageVolumePrivilege	1524	wmic.exe
Token: 33	1524	wmic.exe
Token: 34	1524	wmic.exe
Token: 35	1524	wmic.exe
Token: SeBackupPrivilege	1756	vssvc.exe
Token: SeRestorePrivilege	1756	vssvc.exe
Token: SeAuditPrivilege	1756	vssvc.exe
Token: SeIncreaseQuotaPrivilege	712	wmic.exe
Token: SeSecurityPrivilege	712	wmic.exe
Token: SeTakeOwnershipPrivilege	712	wmic.exe
Token: SeLoadDriverPrivilege	712	wmic.exe
Token: SeSystemProfilePrivilege	712	wmic.exe
Token: SeSystemtimePrivilege	712	wmic.exe
Token: SeProfSingleProcessPrivilege	712	wmic.exe
Token: SeIncBasePriorityPrivilege	712	wmic.exe
Token: SeCreatePagefilePrivilege	712	wmic.exe
Token: SeBackupPrivilege	712	wmic.exe
Token: SeRestorePrivilege	712	wmic.exe
Token: SeShutdownPrivilege	712	wmic.exe
Token: SeDebugPrivilege	712	wmic.exe
Token: SeSystemEnvironmentPrivilege	712	wmic.exe
Token: SeRemoteShutdownPrivilege	712	wmic.exe
Token: SeUndockPrivilege	712	wmic.exe
Token: SeManageVolumePrivilege	712	wmic.exe
Token: 33	712	wmic.exe
Token: 34	712	wmic.exe
Token: 35	712	wmic.exe
Token: SeIncreaseQuotaPrivilege	1596	wmic.exe
Token: SeSecurityPrivilege	1596	wmic.exe
Token: SeTakeOwnershipPrivilege	1596	wmic.exe
Token: SeLoadDriverPrivilege	1596	wmic.exe
Token: SeSystemProfilePrivilege	1596	wmic.exe
Token: SeSystemtimePrivilege	1596	wmic.exe
Token: SeProfSingleProcessPrivilege	1596	wmic.exe
Token: SeIncBasePriorityPrivilege	1596	wmic.exe
Token: SeCreatePagefilePrivilege	1596	wmic.exe
Token: SeBackupPrivilege	1596	wmic.exe
Token: SeRestorePrivilege	1596	wmic.exe
Token: SeShutdownPrivilege	1596	wmic.exe
Token: SeDebugPrivilege	1596	wmic.exe
Token: SeSystemEnvironmentPrivilege	1596	wmic.exe
Token: SeRemoteShutdownPrivilege	1596	wmic.exe
Token: SeUndockPrivilege	1596	wmic.exe
Token: SeManageVolumePrivilege	1596	wmic.exe
Token: 33	1596	wmic.exe
Token: 34	1596	wmic.exe
Token: 35	1596	wmic.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1736 vssadmin.exe
568 vssadmin.exe
1860 vssadmin.exe
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 1.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1.exe

pid	process
1736	vssadmin.exe
568	vssadmin.exe
1860	vssadmin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1.exe

Suspicious behavior: EnumeratesProcesses 715 IoCs

Processes:

1.exe

pid	process
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe
1292	1.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

1.exe

description	pid	process	target process
PID 1292 wrote to memory of 1524	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 1524	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 1524	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 1524	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 1736	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 1736	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 1736	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 1736	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 712	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 712	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 712	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 712	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 568	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 568	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 568	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 568	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 1596	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 1596	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 1596	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 1596	1292	1.exe	wmic.exe
PID 1292 wrote to memory of 1860	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 1860	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 1860	1292	1.exe	vssadmin.exe
PID 1292 wrote to memory of 1860	1292	1.exe	vssadmin.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

1.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini 1.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.myip.com
4 api.myip.com
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini	1.exe

flow	ioc
3	api.myip.com
4	api.myip.com

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- System policy modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- UAC bypass
- Drops desktop.ini file(s)
PID:1292