Overview

overview

10

Static

static

ransomware.exe

windows7_x64

10

ransomware.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    30-06-2020 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransomware.exe

  • Size

    678KB

  • MD5

    35271695a6202c514fef4520d49886ea

  • SHA1

    8a7cc5c0f41ae45064a88ec67ab0e8a3ca2514f2

  • SHA256

    58290a95e1795ec7312e4ce26bfff7e0fb7a620a3aac2627d3ae6c83f5a4bf60

  • SHA512

    ff9e77f83fc28c4461cd335bb41b762e93ac57ad15c2489631ed4869a0c1d0fb94b1491629fcb29bb96629a5dcaaeedc9b31b07055d1465a14a685235fd8d4f9

Score
10/10
ransomwarepersistencespywareevasiontrojan

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 66 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious behavior: EnumeratesProcesses 1122 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops desktop.ini file(s)
    • System policy modification
    • Suspicious behavior: EnumeratesProcesses
    • UAC bypass
    • Checks whether UAC is enabled
    PID:1612
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1568
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3928
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3248
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3368
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

File Deletion

2
T1107

Modify Registry

3
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1568-0-0x0000000000000000-mapping.dmp
    Download
  • memory/2960-1-0x0000000000000000-mapping.dmp
    Download
  • memory/2968-5-0x0000000000000000-mapping.dmp
    Download
  • memory/3248-3-0x0000000000000000-mapping.dmp
    Download
  • memory/3368-4-0x0000000000000000-mapping.dmp
    Download
  • memory/3928-2-0x0000000000000000-mapping.dmp
    Download