Overview

overview

10

Static

static

Fast.exe

windows7_x64

10

Fast.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    07-07-2020 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fast.exe

  • Size

    55KB

  • MD5

    4a3762d49120264f48deb29ca8668082

  • SHA1

    4ed52a74441ed443c09d51b625d07cded9e2ba08

  • SHA256

    b25587ffe305c8f1374213d7cdf586ad8e0f8d9cf1cd49b3ce0c1b34ba8fa5b3

  • SHA512

    dcbe5bb3f9cd2bbdacd0a2fad7728d7a78e07950e6cd8423bcd10f2c698e81b80fa9f8582af0925cae9a4c3c08c786ac38b07068a61a6b97d82a3f408a6b8f39

Score
10/10
ransomwareevasionpersistencephobosspyware

Malware Config

Extracted

Path

\??\c:\users\admin\desktop\info.txt

Ransom Note
All your files have been ENCRYPTED!!! Install ICQ software on your PC or mobile phone here https://icq.com/windows/ Write to our ICQ @VIRTUALHORSE https://icq.im/VIRTUALHORSE Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss.
URLs

https://icq.com/windows/

https://icq.im/VIRTUALHORSE

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, install ICQ software on your PC or mobile phone here Write to our ICQ @VIRTUALHORSE Write this ID in the title of your message You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee How to obtain Bitcoins Also you can find other places to buy Bitcoins and beginners guide here: Attention!

Signatures

  • Drops file in Program Files directory 19470 IoCs
  • Suspicious use of AdjustPrivilegeToken 87 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
    persistence
  • Deletes system backup catalog 2 TTPs

    Ransomware often tries to delete backup files to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies service 2 TTPs 15 IoCs
    persistence
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 280 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops startup file 3 IoCs
  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Drops desktop.ini file(s) 77 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fast.exe
    "C:\Users\Admin\AppData\Local\Temp\Fast.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Adds Run entry to start application
    • Suspicious behavior: EnumeratesProcesses
    • Drops startup file
    • Drops desktop.ini file(s)
    PID:240
    • C:\Users\Admin\AppData\Local\Temp\Fast.exe
      "C:\Users\Admin\AppData\Local\Temp\Fast.exe"
      2⤵
        PID:1620
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
          • Modifies service
          PID:1772
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies service
          PID:1304
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1764
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1220
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2040
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2044
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Modifies Internet Explorer settings
        PID:1296
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Modifies Internet Explorer settings
        PID:1932
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Modifies Internet Explorer settings
        PID:776
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1612
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1148
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:364
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:844
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:1792
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Modifies service
      PID:1880
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1488
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:1180
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:820

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Command-Line Interface

        1
        T1059

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Modify Existing Service

        2
        T1031

        Privilege Escalation

        Defense Evasion

        Modify Registry

        3
        T1112

        File Deletion

        4
        T1107

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        5
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\info.hta
          Download Submit
        • C:\Users\Public\Desktop\info.txt
          Download Submit
        • C:\info.hta
          Download Submit
        • C:\users\public\desktop\info.hta
          Download Submit
        • memory/364-18-0x0000000000000000-mapping.dmp
          Download
        • memory/772-0-0x0000000000000000-mapping.dmp
          Download
        • memory/776-12-0x0000000000000000-mapping.dmp
          Download
        • memory/844-19-0x0000000000000000-mapping.dmp
          Download
        • memory/844-1-0x0000000000000000-mapping.dmp
          Download
        • memory/1148-17-0x0000000000000000-mapping.dmp
          Download
        • memory/1220-6-0x0000000000000000-mapping.dmp
          Download
        • memory/1296-9-0x0000000000000000-mapping.dmp
          Download
        • memory/1304-4-0x0000000000000000-mapping.dmp
          Download
        • memory/1612-16-0x0000000000000000-mapping.dmp
          Download
        • memory/1632-5-0x0000000000000000-mapping.dmp
          Download
        • memory/1748-14-0x0000000000000000-mapping.dmp
          Download
        • memory/1764-3-0x0000000000000000-mapping.dmp
          Download
        • memory/1772-2-0x0000000000000000-mapping.dmp
          Download
        • memory/1792-20-0x0000000000000000-mapping.dmp
          Download
        • memory/1932-10-0x0000000000000000-mapping.dmp
          Download
        • memory/2040-7-0x0000000000000000-mapping.dmp
          Download
        • memory/2044-8-0x0000000000000000-mapping.dmp
          Download