Analysis
- max time kernel: 95s
- max time network: 124s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 12:30

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 1.exe, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: 1.exe, Resource: win10)
General
- Target: 1.exe
- Size: 2.0MB
- MD5: f8290f2d593a05ea811edbd3bff6eacc
- SHA1: 497985116f4ebaa05f1774c16adb5aa52b8e9756
- SHA256: 01aa2cf8db4badde36f1896d341e31c0fe91a51772f1aa50b9f59ba368973993
- SHA512: 97e4563b6112e4f6c7ee46cc1e18de931d4e052d387e6c37f7fdd7d352ef817778bd95041eeaf05e2bdf657afa1b09e52f4933ca22c6ea8f98983d8c13b56c14
Malware Config
Signatures

Enumerates connected drives (3 TTPs)

System policy modification (1 TTPs, 1 IoCs)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (process: 1.exe)
Suspicious behavior: EnumeratesProcesses (650 IoCs)
Processes:
- pid 3888, 1.exe (the report lists this same pid/process pair repeatedly)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
- PID 3888 (1.exe) wrote to memory of 3364 (wmic.exe), 3 entries
- PID 3888 (1.exe) wrote to memory of 1964 (vssadmin.exe), 3 entries
- PID 3888 (1.exe) wrote to memory of 2516 (wmic.exe), 3 entries
- PID 3888 (1.exe) wrote to memory of 552 (vssadmin.exe), 3 entries
- PID 3888 (1.exe) wrote to memory of 1000 (wmic.exe), 3 entries
- PID 3888 (1.exe) wrote to memory of 1200 (vssadmin.exe), 3 entries
Suspicious use of AdjustPrivilegeToken (66 IoCs)
Processes:
- pid 3364, wmic.exe. Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 2220, vssvc.exe. Tokens: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- pid 2516, wmic.exe. Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 1000, wmic.exe. Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Drops desktop.ini file(s) (1 IoCs)
Processes:
- File opened for modification: \??\Z:\$RECYCLE.BIN\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini (process: 1.exe)
UAC bypass
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 1.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: 1.exe)

Checks whether UAC is enabled
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 1.exe)
Modifies service (2 TTPs, 4 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (process: vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (process: vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (process: vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (process: vssvc.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 1: api.myip.com
- flow 2: api.myip.com
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 1200, vssadmin.exe
- pid 1964, vssadmin.exe
- pid 552, vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - System policy modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Drops desktop.ini file(s)
  - UAC bypass
  - Checks whether UAC is enabled
  Child processes:
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/552-3-0x0000000000000000-mapping.dmp
- memory/1000-4-0x0000000000000000-mapping.dmp
- memory/1200-5-0x0000000000000000-mapping.dmp
- memory/1964-1-0x0000000000000000-mapping.dmp
- memory/2516-2-0x0000000000000000-mapping.dmp
- memory/3364-0-0x0000000000000000-mapping.dmp