Analysis
- max time kernel: 128s
- max time network: 122s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 07:43
Static task: static1
Behavioral task: behavioral1
- Sample: ransomware.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: ransomware.exe
- Resource: win10v200430
General
- Target: ransomware.exe
- Size: 678KB
- MD5: 35271695a6202c514fef4520d49886ea
- SHA1: 8a7cc5c0f41ae45064a88ec67ab0e8a3ca2514f2
- SHA256: 58290a95e1795ec7312e4ce26bfff7e0fb7a620a3aac2627d3ae6c83f5a4bf60
- SHA512: ff9e77f83fc28c4461cd335bb41b762e93ac57ad15c2489631ed4869a0c1d0fb94b1491629fcb29bb96629a5dcaaeedc9b31b07055d1465a14a685235fd8d4f9
Malware Config
Signatures
-
Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1016  vssadmin.exe
  1780  vssadmin.exe
  1908  vssadmin.exe
-
System policy modification (1 TTPs, 1 IoCs)
Processes:
  process         description      ioc
  ransomware.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
-
Modifies service (2 TTPs, 4 IoCs)
Processes:
  process    description  ioc
  vssvc.exe  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  vssvc.exe  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  vssvc.exe  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  vssvc.exe  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
-
Suspicious behavior: EnumeratesProcesses (1125 IoCs)
Processes:
  pid   process
  1496  ransomware.exe  (the report repeats this row; every listed entry is pid 1496)
-
Suspicious use of AdjustPrivilegeToken (63 IoCs)
Processes:
  pid   process    token privileges
  1044  vssvc.exe  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1520  wmic.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  1852  wmic.exe   (the same 20 privileges as pid 1520)
  1824  wmic.exe   (the same 20 privileges as pid 1520)
-
Executes dropped EXE (1 IoCs)
Processes:
  pid  process
  784  svhost.exe
-
(signature name missing)
Processes:
  process         description      ioc
  ransomware.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Drops desktop.ini file(s) (1 IoCs)
Processes:
  process         description                   ioc
  ransomware.exe  File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (each source/target pair is listed four times in the report, 28 entries in all):
  source pid  source process  target pid  target process
  1496        ransomware.exe  1016        vssadmin.exe
  1496        ransomware.exe  1520        wmic.exe
  1496        ransomware.exe  1780        vssadmin.exe
  1496        ransomware.exe  1852        wmic.exe
  1496        ransomware.exe  1908        vssadmin.exe
  1496        ransomware.exe  1824        wmic.exe
  612         taskeng.exe     784         svhost.exe
-
(signature name missing)
Processes:
  process         description      ioc
  ransomware.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  ransomware.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
-
Enumerates connected drives (3 TTPs)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\ransomware.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
  - System policy modification
  - Suspicious behavior: EnumeratesProcesses
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  - UAC bypass
  [depth 2] C:\Windows\SysWOW64\vssadmin.exe
    command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  [depth 2] C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Windows\SysWOW64\vssadmin.exe
    command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  [depth 2] C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Windows\SysWOW64\vssadmin.exe
    command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  [depth 2] C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {03A0AD7B-8A07-43C1-BFC9-ACCA638BE6F9} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Roaming\svhost.exe
    command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svhost.exe
- C:\Users\Admin\AppData\Roaming\svhost.exe
- memory/784-7-0x0000000000000000-mapping.dmp
- memory/1016-0-0x0000000000000000-mapping.dmp
- memory/1520-1-0x0000000000000000-mapping.dmp
- memory/1780-2-0x0000000000000000-mapping.dmp
- memory/1824-5-0x0000000000000000-mapping.dmp
- memory/1852-3-0x0000000000000000-mapping.dmp
- memory/1908-4-0x0000000000000000-mapping.dmp