Analysis
-
Max time kernel: 54s
Max time network: 6s
Platform: windows7_x64
Resource: win7
Submitted: 13-07-2020 13:56

Static task: static1
Behavioral task: behavioral1
  Sample: 602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe
  Resource: win10

General
-
Target: 602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe
Size: 4.6MB
MD5: 1d3e630e85d4055a6b00bf588f30af21
SHA1: 64658fd77ddcb9496d2c6a6f174210010bbcdf54
SHA256: 602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9
SHA512: 0fe39d9fdfc317c5fbbafa7dab5380be6daac8e9cee54df4814e976b8d4a95db45e1259b2a99f1a451dc2a8d4c1435bc9134e13a6ead2df6c812c4a128236246
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT
(ransom note path; the note body is not reproduced in this report)
Signatures
-
Launches sc.exe
sc.exe is the Windows utility for controlling services on the system. In this run it is invoked as SC QUERY from a batch file, with FINDSTR SERVICE_NAME as a sibling process under the same cmd.exe (PID 1420), i.e. service enumeration. No sc stop or sc delete invocation is visible in this report, so whether services are subsequently stopped before encryption cannot be confirmed from it.
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: 602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe, cmd.exe, cmd.exe
Each write is reported three times by the sandbox; the 21 IoCs reduce to these 7 parent/child pairs:
  Source PID  Source process                                                            Target PID  Target process
  1324        602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe     1420        cmd.exe
  1420        cmd.exe                                                                   976         sc.exe
  1420        cmd.exe                                                                   900         findstr.exe
  1324        602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe     688         cmd.exe
  1324        602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe     1396        cmd.exe
  1396        cmd.exe                                                                   1784        vssadmin.exe
  1324        602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe     1964        cmd.exe
Every pair matches a parent/child edge in the process tree below, so these writes are the ordinary parent-writes-into-new-child pattern of process creation rather than evidence of injection into an unrelated process.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
  Token: SeBackupPrivilege    PID 1760  vssvc.exe
  Token: SeRestorePrivilege   PID 1760  vssvc.exe
  Token: SeAuditPrivilege     PID 1760  vssvc.exe
vssvc.exe is the Volume Shadow Copy service, started on demand by the Service Control Manager when vssadmin.exe requests a shadow-copy operation. The privilege adjustments are the service's own and are a side effect of the shadow-copy deletion below, not privileges acquired by the sample.
-
Drops startup file 2 IoCs
Processes: 602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR FILES.TXT
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW TO RESTORE YOUR FILES.TXT
Both files are copies of the ransom note, which the encryptor writes into every directory it visits; the Startup folder is simply one of them. A .txt in the Startup folder is opened with its associated viewer at logon and redisplays the note, but it does not execute code, so this is not a code-persistence mechanism.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery. Here the deletion is vssadmin delete shadows /all /quiet (PID 1784), launched from cmd /c C:\Users\Admin\AppData\Local\Temp\nonyhhaipsbdmfrwx.bat (PID 1396), which the sample spawned.
-
Drops file in Program Files directory 14827 IoCs
Processes: 602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe (all entries below)
Sample of the 14827 IoCs shown by the sandbox; entries ending in .sdkkxbh are the renamed (encrypted) files, and "File created ... HOW TO RESTORE YOUR FILES.TXT" entries are the ransom note dropped per directory:
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib.sdkkxbh
  File opened for modification C:\Program Files\Java\jre7\lib\deploy\splash.gif
  File opened for modification C:\Program Files\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK.sdkkxbh
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02218_.GIF.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF.sdkkxbh
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores
  File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_zh_TW.properties.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF.sdkkxbh
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0174639.WMF
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF.sdkkxbh
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00438_.WMF
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN00687_.WMF.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp
  File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\INDOMAIN.ICO
  File created C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\HOW TO RESTORE YOUR FILES.TXT
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF
  File opened for modification C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\Locales\bn.pak.sdkkxbh
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml
  File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME12.CSS.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\Office14\PUBBA\MSPUB5A.BDR
  File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\LABEL98.POC.sdkkxbh
  File created C:\Program Files\VideoLAN\VLC\locale\az\HOW TO RESTORE YOUR FILES.TXT
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.sdkkxbh
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF.sdkkxbh
  File created C:\Program Files\VideoLAN\VLC\locale\da\HOW TO RESTORE YOUR FILES.TXT
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\org-openide-filesystems.jar
  File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts2.css.sdkkxbh
  File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip.sdkkxbh
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Stockholm
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BL00248_.WMF
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.sdkkxbh
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\MP00646_.WMF.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\Office14\MEDIA\WIND.WAV.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF
  File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35B.GIF
  File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar
  File opened for modification C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0199805.WMF
  File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg.sdkkxbh
  File opened for modification C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML.sdkkxbh
  File opened for modification C:\Program Files (x86)\Google\Chrome\Application\83.0.4103.106\Locales\uk.pak
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.sdkkxbh
-
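The file listing above gives an incident responder two concrete artifacts to inventory on an affected host: files carrying the appended .sdkkxbh extension (the original name is the part before it) and the per-directory ransom note, including the copy that lands in a Startup folder. The following script is an added example and not part of the sandbox report or the sample: it builds a constructed directory tree under a temporary directory from a handful of the paths listed on this page, then walks it and classifies what it finds. The extension and note name are taken from the report; the tree contents, the placeholder file bodies and the function names are assumptions for the demo.

```python
"""Inventory of encrypted files and ransom notes on an affected host.

Added example, not part of the sandbox report. The appended extension
".sdkkxbh" and the note name come from the "Drops file in Program Files
directory" and "Drops startup file" entries above; the directory tree is
CONSTRUCTED under a temporary directory from a handful of those paths, so
the script runs offline on any OS. Everything else is an assumption.
"""
import os
import shutil
import tempfile
from pathlib import Path

ENC_EXT = ".sdkkxbh"
NOTE_NAME = "HOW TO RESTORE YOUR FILES.TXT"

# Constructed sample tree, relative to a fake C:\ root. Paths mirror report entries.
SAMPLE_FILES = [
    r"Program Files\Java\jdk1.7.0_80\lib\jvm.lib.sdkkxbh",
    r"Program Files\Java\jre7\lib\deploy\splash.gif",                        # left alone
    r"Program Files\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG.sdkkxbh",
    r"Program Files\VideoLAN\VLC\locale\az\HOW TO RESTORE YOUR FILES.TXT",
    r"Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo",             # left alone
    r"Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO RESTORE YOUR FILES.TXT",
]


def build_sample_tree(root):
    """Materialise SAMPLE_FILES under root, translating backslashes to OS separators."""
    for rel in SAMPLE_FILES:
        p = Path(root).joinpath(*rel.split("\\"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder content")
    return root


def triage(root, ext=ENC_EXT, note_name=NOTE_NAME):
    """Walk root and classify files.

    Returns a dict with:
      encrypted      -> [(path, original_name)]  files carrying the appended extension
      notes          -> [path]                   ransom notes, one per visited directory
      startup_notes  -> [path]                   notes under a Startup folder (opened at logon)
    """
    encrypted, notes, startup_notes = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath, name)
            if name.lower().endswith(ext):
                # The encryptor appends its extension; stripping it gives the
                # name to look for in backups.
                encrypted.append((str(full), name[: -len(ext)]))
            elif name == note_name:
                notes.append(str(full))
                if "startup" in (part.lower() for part in full.parts):
                    startup_notes.append(str(full))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "startup_notes": sorted(startup_notes),
    }


def run_demo():
    """Build the constructed tree in a temp dir, triage it, clean up, return the result."""
    root = tempfile.mkdtemp(prefix="triage_")
    try:
        return triage(build_sample_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['encrypted'])} encrypted file(s), {len(result['notes'])} note(s), "
          f"{len(result['startup_notes'])} in a Startup folder")
    for path, original in result["encrypted"]:
        print(f"  {original}  <-  {path}")
```

On a real host you would call triage() on the mounted volume root instead of run_demo(); the recovered original names are what you match against backup catalogues, and the note list doubles as a map of which directories the encryptor reached.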
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No IoCs are listed for this signature in this report, and the rest of the behaviour is a file encryptor rather than a stealer; the most plausible reading is that the encryption pass touched browser profile directories, not that credentials were collected.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  PID 1784  vssadmin.exe
-
Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                         vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}     vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                       vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                              vssvc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                        vssvc.exe
All five keys are under VSS\Diag and are written by the Volume Shadow Copy service itself while it services the vssadmin request; they are the service's diagnostic entries, not the sample altering service configuration.
Processes
-
C:\Users\Admin\AppData\Local\Temp\602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe  (PID 1324)
  command line: "C:\Users\Admin\AppData\Local\Temp\602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe"
  - Suspicious use of WriteProcessMemory
  - Drops startup file
  - Drops file in Program Files directory
  |
  +-- C:\Windows\system32\cmd.exe  (PID 1420)
  |     command line: cmd /c C:\Users\Admin\AppData\Local\Temp\nhnbyqhmkfbwpmos.bat
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\system32\sc.exe  (PID 976)
  |     |     command line: SC QUERY
  |     |
  |     +-- C:\Windows\system32\findstr.exe  (PID 900)
  |           command line: FINDSTR SERVICE_NAME
  |
  +-- C:\Windows\system32\cmd.exe  (PID 688)
  |     command line: cmd /c C:\Users\Admin\AppData\Local\Temp\cpmpxruqajffusqrl.bat
  |
  +-- C:\Windows\system32\cmd.exe  (PID 1396)
  |     command line: cmd /c C:\Users\Admin\AppData\Local\Temp\nonyhhaipsbdmfrwx.bat
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\system32\vssadmin.exe  (PID 1784)
  |           command line: vssadmin delete shadows /all /quiet
  |           - Interacts with shadow copies
  |
  +-- C:\Windows\system32\cmd.exe  (PID 1964)
        command line: cmd /c C:\Users\Admin\AppData\Local\Temp\jjqsuskj.bat

C:\Windows\system32\vssvc.exe  (PID 1760)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
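The process tree above, together with the "Launches sc.exe" and "Deletes shadow copies" signatures, is the part of this report that translates most directly into endpoint detection: a sample in %TEMP% spawning cmd /c on randomly named .bat files in %TEMP%, SC QUERY and FINDSTR SERVICE_NAME as siblings under one cmd.exe, and vssadmin delete shadows /all /quiet. The script below is an added example and not part of the sandbox report or the sample. Its event list is constructed: the PIDs, images and command lines are copied from the tree above, the parent PID of the sample and the benign control record at the end are assumptions, and the field names only imitate Sysmon Event ID 1. The rule for shadow-copy deletion goes beyond the report by also matching the wmic, wbadmin and bcdedit forms that commonly stand in for vssadmin.

```python
"""Process-telemetry detection for the behaviour in this report.

Added example, not part of the sandbox report. EVENTS is CONSTRUCTED: the
PIDs, images and command lines mirror the process tree above, the parent
PIDs follow its nesting (the sample's own parent, 1000, is assumed), and
the field names only imitate Sysmon Event ID 1. The last record is a
benign control that must not fire.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe"
SYS32 = r"C:\Windows\system32"

EVENTS = [
    dict(pid=1324, ppid=1000, image=SAMPLE, cmd='"%s"' % SAMPLE),
    dict(pid=1420, ppid=1324, image=SYS32 + r"\cmd.exe", cmd="cmd /c " + TEMP + r"\nhnbyqhmkfbwpmos.bat"),
    dict(pid=976, ppid=1420, image=SYS32 + r"\sc.exe", cmd="SC QUERY"),
    dict(pid=900, ppid=1420, image=SYS32 + r"\findstr.exe", cmd="FINDSTR SERVICE_NAME"),
    dict(pid=688, ppid=1324, image=SYS32 + r"\cmd.exe", cmd="cmd /c " + TEMP + r"\cpmpxruqajffusqrl.bat"),
    dict(pid=1396, ppid=1324, image=SYS32 + r"\cmd.exe", cmd="cmd /c " + TEMP + r"\nonyhhaipsbdmfrwx.bat"),
    dict(pid=1784, ppid=1396, image=SYS32 + r"\vssadmin.exe", cmd="vssadmin delete shadows /all /quiet"),
    dict(pid=1964, ppid=1324, image=SYS32 + r"\cmd.exe", cmd="cmd /c " + TEMP + r"\jjqsuskj.bat"),
    # Benign control (constructed): an admin listing shadows interactively.
    dict(pid=2200, ppid=2100, image=SYS32 + r"\vssadmin.exe", cmd="vssadmin list shadows"),
]

# Recovery-inhibition commands. Only the vssadmin form appears in this
# report; the wmic, wbadmin and bcdedit forms are common equivalents added
# here so the rule generalises.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?\b.*\brecoveryenabled\s+no",
    re.IGNORECASE,
)
# cmd /c <anything>\AppData\Local\Temp\<name>.bat
TEMP_BAT = re.compile(r"\bcmd(\.exe)?\s+/c\s+\S*\\AppData\\Local\\Temp\\[^\s\\]+\.bat\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a sorted list of (rule, pid) findings over process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = set()
    for e in events:
        # 1. Shadow-copy deletion, regardless of parent.
        if SHADOW_DELETE.search(e["cmd"]):
            findings.add(("shadow_copy_deletion", e["pid"]))

        if basename(e["image"]) != "cmd.exe":
            continue
        # 2. A batch file in %TEMP% run by an executable that itself lives in
        #    %TEMP% (the sample -> cmd.exe chain seen four times in the tree).
        parent = by_pid.get(e["ppid"])
        if TEMP_BAT.search(e["cmd"]) and parent and "\\appdata\\local\\temp\\" in parent["image"].lower():
            findings.add(("temp_bat_from_temp_exe", e["pid"]))
        # 3. sc query and findstr as siblings under one cmd.exe: service
        #    enumeration, the usual prelude to stopping services before encryption.
        kids = children[e["pid"]]
        sc_query = any(basename(k["image"]) == "sc.exe" and re.search(r"\bquery\b", k["cmd"], re.I) for k in kids)
        if sc_query and any(basename(k["image"]) == "findstr.exe" for k in kids):
            findings.add(("service_enumeration_via_sc", e["pid"]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:28} pid={pid}")
```

Rule 1 alone is high-signal enough to alert on; rules 2 and 3 are noisier on their own (installers and admin scripts run .bat files from %TEMP% and query services) and are best used to enrich or score an alert from rule 1, or to correlate the four cmd.exe children of one parent with the sc/findstr pair under the same parent, as happens here.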