48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c

Analysis

max time kernel
53s
max time network
53s
platform
windows7_x64
resource
win7
submitted
15-07-2020 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.bin.exe
Size

645KB
MD5

79cdf459683c39e9704a37a6be9bc877
SHA1

450d4f351c3dd168e313b309da4bd8a817453d1d
SHA256

48689c986eb553e6a7aeba973501b9660cb1418d4ec3ba9d0511f82799d1422c
SHA512

2cc3f164e92650c4d4aed7012da7d303d24cdc63565ed744a28cb6d59465189233a128a01f4b807aa972057e0d0d98742c5ca9b41a67bf59f0f115de30eb6bd4

Score

10^/10

evasion trojan ransomware persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1400	1144	1.bin.exe	24
PID 1144 wrote to memory of 1400	1144	1.bin.exe	24
PID 1144 wrote to memory of 1400	1144	1.bin.exe	24
PID 1144 wrote to memory of 1400	1144	1.bin.exe	24
PID 1144 wrote to memory of 276	1144	1.bin.exe	26
PID 1144 wrote to memory of 276	1144	1.bin.exe	26
PID 1144 wrote to memory of 276	1144	1.bin.exe	26
PID 1144 wrote to memory of 276	1144	1.bin.exe	26
PID 1144 wrote to memory of 1040	1144	1.bin.exe	29
PID 1144 wrote to memory of 1040	1144	1.bin.exe	29
PID 1144 wrote to memory of 1040	1144	1.bin.exe	29
PID 1144 wrote to memory of 1040	1144	1.bin.exe	29
PID 1144 wrote to memory of 1796	1144	1.bin.exe	31
PID 1144 wrote to memory of 1796	1144	1.bin.exe	31
PID 1144 wrote to memory of 1796	1144	1.bin.exe	31
PID 1144 wrote to memory of 1796	1144	1.bin.exe	31
PID 1144 wrote to memory of 1808	1144	1.bin.exe	33
PID 1144 wrote to memory of 1808	1144	1.bin.exe	33
PID 1144 wrote to memory of 1808	1144	1.bin.exe	33
PID 1144 wrote to memory of 1808	1144	1.bin.exe	33
PID 1144 wrote to memory of 1820	1144	1.bin.exe	35
PID 1144 wrote to memory of 1820	1144	1.bin.exe	35
PID 1144 wrote to memory of 1820	1144	1.bin.exe	35
PID 1144 wrote to memory of 1820	1144	1.bin.exe	35

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1400	wmic.exe
Token: SeSecurityPrivilege	1400	wmic.exe
Token: SeTakeOwnershipPrivilege	1400	wmic.exe
Token: SeLoadDriverPrivilege	1400	wmic.exe
Token: SeSystemProfilePrivilege	1400	wmic.exe
Token: SeSystemtimePrivilege	1400	wmic.exe
Token: SeProfSingleProcessPrivilege	1400	wmic.exe
Token: SeIncBasePriorityPrivilege	1400	wmic.exe
Token: SeCreatePagefilePrivilege	1400	wmic.exe
Token: SeBackupPrivilege	1400	wmic.exe
Token: SeRestorePrivilege	1400	wmic.exe
Token: SeShutdownPrivilege	1400	wmic.exe
Token: SeDebugPrivilege	1400	wmic.exe
Token: SeSystemEnvironmentPrivilege	1400	wmic.exe
Token: SeRemoteShutdownPrivilege	1400	wmic.exe
Token: SeUndockPrivilege	1400	wmic.exe
Token: SeManageVolumePrivilege	1400	wmic.exe
Token: 33	1400	wmic.exe
Token: 34	1400	wmic.exe
Token: 35	1400	wmic.exe
Token: SeBackupPrivilege	740	vssvc.exe
Token: SeRestorePrivilege	740	vssvc.exe
Token: SeAuditPrivilege	740	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1040	wmic.exe
Token: SeSecurityPrivilege	1040	wmic.exe
Token: SeTakeOwnershipPrivilege	1040	wmic.exe
Token: SeLoadDriverPrivilege	1040	wmic.exe
Token: SeSystemProfilePrivilege	1040	wmic.exe
Token: SeSystemtimePrivilege	1040	wmic.exe
Token: SeProfSingleProcessPrivilege	1040	wmic.exe
Token: SeIncBasePriorityPrivilege	1040	wmic.exe
Token: SeCreatePagefilePrivilege	1040	wmic.exe
Token: SeBackupPrivilege	1040	wmic.exe
Token: SeRestorePrivilege	1040	wmic.exe
Token: SeShutdownPrivilege	1040	wmic.exe
Token: SeDebugPrivilege	1040	wmic.exe
Token: SeSystemEnvironmentPrivilege	1040	wmic.exe
Token: SeRemoteShutdownPrivilege	1040	wmic.exe
Token: SeUndockPrivilege	1040	wmic.exe
Token: SeManageVolumePrivilege	1040	wmic.exe
Token: 33	1040	wmic.exe
Token: 34	1040	wmic.exe
Token: 35	1040	wmic.exe
Token: SeIncreaseQuotaPrivilege	1808	wmic.exe
Token: SeSecurityPrivilege	1808	wmic.exe
Token: SeTakeOwnershipPrivilege	1808	wmic.exe
Token: SeLoadDriverPrivilege	1808	wmic.exe
Token: SeSystemProfilePrivilege	1808	wmic.exe
Token: SeSystemtimePrivilege	1808	wmic.exe
Token: SeProfSingleProcessPrivilege	1808	wmic.exe
Token: SeIncBasePriorityPrivilege	1808	wmic.exe
Token: SeCreatePagefilePrivilege	1808	wmic.exe
Token: SeBackupPrivilege	1808	wmic.exe
Token: SeRestorePrivilege	1808	wmic.exe
Token: SeShutdownPrivilege	1808	wmic.exe
Token: SeDebugPrivilege	1808	wmic.exe
Token: SeSystemEnvironmentPrivilege	1808	wmic.exe
Token: SeRemoteShutdownPrivilege	1808	wmic.exe
Token: SeUndockPrivilege	1808	wmic.exe
Token: SeManageVolumePrivilege	1808	wmic.exe
Token: 33	1808	wmic.exe
Token: 34	1808	wmic.exe
Token: 35	1808	wmic.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1796	vssadmin.exe
1820	vssadmin.exe
276	vssadmin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	1.bin.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1.bin.exe

Suspicious behavior: EnumeratesProcesses 855 IoCs

pid	Process
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe
1144	1.bin.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1.bin.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

C:\Users\Admin\AppData\Local\Temp\1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops desktop.ini file(s)
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1144
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:276
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1796
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-0-0x00000000034DA000-0x00000000034DB000-memory.dmp

Filesize
4KB

Download
memory/1144-1-0x00000000035C0000-0x00000000035D1000-memory.dmp

Filesize
68KB

Download