Analysis
-
max time kernel
89s -
max time network
130s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
01-07-2020 09:38
Static task
static1
Behavioral task
behavioral1
Sample
2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe
Resource
win7
Behavioral task
behavioral2
Sample
2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe
Resource
win10v200430
General
-
Target
2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe
-
Size
27KB
-
MD5
2f8d2e2177ee32ca380c4edf4f7160d4
-
SHA1
54682e6579620b6f8406b5122fcca2ff6c7cd80b
-
SHA256
2cc7e6ee6c500f4968b6f989ac295d2de0b3974b5905ec1fc3ab9e8662788379
-
SHA512
49dd1f1d1e862166f5ba142ea93f339a46684ff43c7890a24b2700bdde996750c0ee98030469091d78ec4b38552b7ca92e162088c32e912f96b4fac8ca22c139
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\README.txt
darkcrypt
http://coindesk.com/information/how-can-i-buy-bitcoins
Extracted
C:\Users\Admin\AppData\Local\Temp\WannaScream.hta
Signatures
-
DarkCrypt
Another variant of WannaCry ransomware (Imitation).
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\DismountUnlock.tiff 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe File opened for modification C:\Users\Admin\Pictures\SubmitResume.tiff 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe -
Drops startup file 3 IoCs
Processes:
2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.exe 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WannaScream.hta 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 icanhazip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 3396 vssadmin.exe -
Modifies registry class 1 IoCs
Processes:
2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exevssvc.exedescription pid process Token: SeDebugPrivilege 4004 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe Token: SeBackupPrivilege 3116 vssvc.exe Token: SeRestorePrivilege 3116 vssvc.exe Token: SeAuditPrivilege 3116 vssvc.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
2F8D2E2177EE32CA380C4EDF4F7160D4.bin.execmd.exedescription pid process target process PID 4004 wrote to memory of 3412 4004 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe cmd.exe PID 4004 wrote to memory of 3412 4004 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe cmd.exe PID 3412 wrote to memory of 3396 3412 cmd.exe vssadmin.exe PID 3412 wrote to memory of 3396 3412 cmd.exe vssadmin.exe PID 4004 wrote to memory of 3064 4004 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe mshta.exe PID 4004 wrote to memory of 3064 4004 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe mshta.exe PID 4004 wrote to memory of 3064 4004 2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe mshta.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe"C:\Users\Admin\AppData\Local\Temp\2F8D2E2177EE32CA380C4EDF4F7160D4.bin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3396
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\WannaScream.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵PID:3064
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
fb2bf10a3484c6a231aa54cb72371c24
SHA1610e98bbd86a91e983795c5443f319ccc1dbe361
SHA256d0479aa5c8179c1ec85fd2f3e438e6535536c87856aac16aa6e1f86de8deb6ce
SHA512df8974f14c90fffb03750a202c1e64dfaed166bfaaa6041e9c124e794bd2965d22a78da98554d15b4db1296ab6bd81c410ffa3391dd8544aadcb1ec14a902be5