Analysis
max time kernel: 130s
max time network: 149s
platform: windows10_x64
resource: win10v200430
submitted: 30-06-2020 07:43
Static task: static1
Behavioral task: behavioral1 (Sample: ransomware.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: ransomware.exe, Resource: win10v200430)
General
Target: ransomware.exe
Size: 678KB
MD5: 35271695a6202c514fef4520d49886ea
SHA1: 8a7cc5c0f41ae45064a88ec67ab0e8a3ca2514f2
SHA256: 58290a95e1795ec7312e4ce26bfff7e0fb7a620a3aac2627d3ae6c83f5a4bf60
SHA512: ff9e77f83fc28c4461cd335bb41b762e93ac57ad15c2489631ed4869a0c1d0fb94b1491629fcb29bb96629a5dcaaeedc9b31b07055d1465a14a685235fd8d4f9
Malware Config
Signatures
- Enumerates connected drives (3 TTPs)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: ransomware.exe
  description                       pid   process         target process
  PID 1612 wrote to memory of 1568  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 1568  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 1568  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 2960  1612  ransomware.exe  wmic.exe
  PID 1612 wrote to memory of 2960  1612  ransomware.exe  wmic.exe
  PID 1612 wrote to memory of 2960  1612  ransomware.exe  wmic.exe
  PID 1612 wrote to memory of 3928  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 3928  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 3928  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 3248  1612  ransomware.exe  wmic.exe
  PID 1612 wrote to memory of 3248  1612  ransomware.exe  wmic.exe
  PID 1612 wrote to memory of 3248  1612  ransomware.exe  wmic.exe
  PID 1612 wrote to memory of 3368  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 3368  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 3368  1612  ransomware.exe  vssadmin.exe
  PID 1612 wrote to memory of 2968  1612  ransomware.exe  wmic.exe
  PID 1612 wrote to memory of 2968  1612  ransomware.exe  wmic.exe
  PID 1612 wrote to memory of 2968  1612  ransomware.exe  wmic.exe
- Suspicious use of AdjustPrivilegeToken (66 IoCs)
  Processes: vssvc.exe, wmic.exe, wmic.exe, wmic.exe
  pid   process    description (Token:)
  3596  vssvc.exe  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2960  wmic.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3248  wmic.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2968  wmic.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
  pid   process
  3368  vssadmin.exe
  1568  vssadmin.exe
  3928  vssadmin.exe
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  description  ioc                                                                                   process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                   vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer              vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer            vssvc.exe
- Drops desktop.ini file(s) (1 IoCs)
  Processes: ransomware.exe
  description                   ioc                                                                               process
  File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini  ransomware.exe
- System policy modification (1 TTPs, 1 IoCs)
  Processes: ransomware.exe
  description      ioc                                                                                                         process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  ransomware.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (1122 IoCs)
  Processes: ransomware.exe
  pid   process
  1612  ransomware.exe (the same entry is repeated for every IoC in the list)
- UAC bypass
  Processes: ransomware.exe
  description      ioc                                                                                                          process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  ransomware.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                   ransomware.exe
- Checks whether UAC is enabled
  Processes: ransomware.exe
  description      ioc                                                                                process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  ransomware.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ransomware.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
  - Suspicious use of WriteProcessMemory
  - Drops desktop.ini file(s)
  - System policy modification
  - Suspicious behavior: EnumeratesProcesses
  - UAC bypass
  - Checks whether UAC is enabled
  Child processes (depth 2):
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1568-0-0x0000000000000000-mapping.dmp
- memory/2960-1-0x0000000000000000-mapping.dmp
- memory/2968-5-0x0000000000000000-mapping.dmp
- memory/3248-3-0x0000000000000000-mapping.dmp
- memory/3368-4-0x0000000000000000-mapping.dmp
- memory/3928-2-0x0000000000000000-mapping.dmp