Resubmissions

07-07-2020 11:05

200707-lprhwzb5g6 9

06-07-2020 17:18

200706-g81fk3nfca 9

Analysis

  • max time kernel
    600s
  • max time network
    425s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    07-07-2020 11:05

General

  • Target

    c.exe

  • Size

    19KB

  • MD5

    2f209bf174d0959960fbab2900131ecc

  • SHA1

    b11f0a4832d5872bfce08d93bdd36bdd158b104b

  • SHA256

    62862a4c988effae378b18b7f4c3e250c7593d4e448bb0757e7e088bd80b1576

  • SHA512

    28758ddfd1b7e788a851b564722181a80f5d0bad5a42bf4d0f6575e89a6fa28812fd9bd3c2d4ab791c43a45b55bb4cae739a482cab8135e773bae83c2daca915

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies service 2 TTPs 5 IoCs
  • Drops file in Program Files directory 11232 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c.exe (level 1)
    "C:\Users\Admin\AppData\Local\Temp\c.exe"
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\System32\vssadmin.exe (level 2)
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      • Interacts with shadow copies
      PID:508
  • C:\Windows\system32\vssvc.exe (level 1)
    C:\Windows\system32\vssvc.exe
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1012

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/508-0-0x0000000000000000-mapping.dmp