Analysis
-
max time kernel: 125s
max time network: 130s
platform: windows10_x64
resource: win10
submitted: 10-08-2020 12:16
-
Static task: static1
Behavioral task: behavioral1
Sample: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
Resource: win7
Behavioral task: behavioral2
Sample: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
Resource: win10
General
-
Target: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
Size: 112KB
MD5: d01fc079881dc0d33a88e4f8df1ae7ce
SHA1: c40c8848808da12ef78c68de1e6477b862161a43
SHA256: 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821
SHA512: 83bca79d1f0ac14c6d79685fd192964e7117e8c9c734036abddfdbb068c801ff38027a0812a2499e1d9e528a47af07150cafee27384b5a78b8fc32c23bd21130
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 3744 | vssvc.exe
Token: SeRestorePrivilege | 3744 | vssvc.exe
Token: SeAuditPrivilege | 3744 | vssvc.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
3884 | vssadmin.exe
-
Modifies service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File created | C:\Users\Admin\Pictures\EnterUnblock.tiff.tcwwasted_info | Hiveredirectionlist.exe
File opened for modification | C:\Users\Admin\Pictures\EnterUnblock.tiff.tcwwasted | Hiveredirectionlist.exe
File renamed | C:\Users\Admin\Pictures\OutExport.tif => C:\Users\Admin\Pictures\OutExport.tif.tcwwasted | Hiveredirectionlist.exe
File renamed | C:\Users\Admin\Pictures\SwitchProtect.tif => C:\Users\Admin\Pictures\SwitchProtect.tif.tcwwasted | Hiveredirectionlist.exe
File created | C:\Users\Admin\Pictures\UnprotectCompress.tif.tcwwasted_info | Hiveredirectionlist.exe
File renamed | C:\Users\Admin\Pictures\UnprotectCompress.tif => C:\Users\Admin\Pictures\UnprotectCompress.tif.tcwwasted | Hiveredirectionlist.exe
File opened for modification | C:\Users\Admin\Pictures\UnprotectCompress.tif.tcwwasted | Hiveredirectionlist.exe
File renamed | C:\Users\Admin\Pictures\EnterUnblock.tiff => C:\Users\Admin\Pictures\EnterUnblock.tiff.tcwwasted | Hiveredirectionlist.exe
File created | C:\Users\Admin\Pictures\OutExport.tif.tcwwasted_info | Hiveredirectionlist.exe
File opened for modification | C:\Users\Admin\Pictures\OutExport.tif.tcwwasted | Hiveredirectionlist.exe
File created | C:\Users\Admin\Pictures\SwitchProtect.tif.tcwwasted_info | Hiveredirectionlist.exe
File opened for modification | C:\Users\Admin\Pictures\SwitchProtect.tif.tcwwasted | Hiveredirectionlist.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
description | pid | process | target process
PID 3020 wrote to memory of 2508 | 3020 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe | Hiveredirectionlist:bin
PID 3020 wrote to memory of 2508 | 3020 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe | Hiveredirectionlist:bin
PID 3020 wrote to memory of 2508 | 3020 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe | Hiveredirectionlist:bin
PID 2508 wrote to memory of 3884 | 2508 | Hiveredirectionlist:bin | vssadmin.exe
PID 2508 wrote to memory of 3884 | 2508 | Hiveredirectionlist:bin | vssadmin.exe
PID 2508 wrote to memory of 3484 | 2508 | Hiveredirectionlist:bin | takeown.exe
PID 2508 wrote to memory of 3484 | 2508 | Hiveredirectionlist:bin | takeown.exe
PID 2508 wrote to memory of 3484 | 2508 | Hiveredirectionlist:bin | takeown.exe
PID 2508 wrote to memory of 3996 | 2508 | Hiveredirectionlist:bin | icacls.exe
PID 2508 wrote to memory of 3996 | 2508 | Hiveredirectionlist:bin | icacls.exe
PID 2508 wrote to memory of 3996 | 2508 | Hiveredirectionlist:bin | icacls.exe
PID 504 wrote to memory of 1004 | 504 | Hiveredirectionlist.exe | cmd.exe
PID 504 wrote to memory of 1004 | 504 | Hiveredirectionlist.exe | cmd.exe
PID 504 wrote to memory of 1004 | 504 | Hiveredirectionlist.exe | cmd.exe
PID 1004 wrote to memory of 1064 | 1004 | cmd.exe | choice.exe
PID 1004 wrote to memory of 1064 | 1004 | cmd.exe | choice.exe
PID 1004 wrote to memory of 1064 | 1004 | cmd.exe | choice.exe
PID 2508 wrote to memory of 1164 | 2508 | Hiveredirectionlist:bin | cmd.exe
PID 2508 wrote to memory of 1164 | 2508 | Hiveredirectionlist:bin | cmd.exe
PID 2508 wrote to memory of 1164 | 2508 | Hiveredirectionlist:bin | cmd.exe
PID 3020 wrote to memory of 1196 | 3020 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe | cmd.exe
PID 3020 wrote to memory of 1196 | 3020 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe | cmd.exe
PID 3020 wrote to memory of 1196 | 3020 | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe | cmd.exe
PID 1164 wrote to memory of 1524 | 1164 | cmd.exe | choice.exe
PID 1164 wrote to memory of 1524 | 1164 | cmd.exe | choice.exe
PID 1164 wrote to memory of 1524 | 1164 | cmd.exe | choice.exe
PID 1196 wrote to memory of 1668 | 1196 | cmd.exe | choice.exe
PID 1196 wrote to memory of 1668 | 1196 | cmd.exe | choice.exe
PID 1196 wrote to memory of 1668 | 1196 | cmd.exe | choice.exe
PID 1004 wrote to memory of 1796 | 1004 | cmd.exe | attrib.exe
PID 1004 wrote to memory of 1796 | 1004 | cmd.exe | attrib.exe
PID 1004 wrote to memory of 1796 | 1004 | cmd.exe | attrib.exe
PID 1164 wrote to memory of 2008 | 1164 | cmd.exe | attrib.exe
PID 1164 wrote to memory of 2008 | 1164 | cmd.exe | attrib.exe
PID 1164 wrote to memory of 2008 | 1164 | cmd.exe | attrib.exe
PID 1196 wrote to memory of 2064 | 1196 | cmd.exe | attrib.exe
PID 1196 wrote to memory of 2064 | 1196 | cmd.exe | attrib.exe
PID 1196 wrote to memory of 2064 | 1196 | cmd.exe | attrib.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid | process
3996 | icacls.exe
3484 | takeown.exe
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
pid | process
1796 | attrib.exe
2008 | attrib.exe
2064 | attrib.exe
-
NTFS ADS 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Hiveredirectionlist:bin | 0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid | process
3484 | takeown.exe
3996 | icacls.exe
-
WastedLocker
Ransomware family seen in the wild since May 2020.
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Hiveredirectionlist.exe | Hiveredirectionlist:bin
File opened for modification | C:\Windows\SysWOW64\Hiveredirectionlist.exe | attrib.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2508 | Hiveredirectionlist:bin
504 | Hiveredirectionlist.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe
command line: "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe"
- Suspicious use of WriteProcessMemory
- NTFS ADS
  -
  C:\Users\Admin\AppData\Roaming\Hiveredirectionlist:bin
  command line: C:\Users\Admin\AppData\Roaming\Hiveredirectionlist:bin -r
  - Suspicious use of WriteProcessMemory
  - Drops file in System32 directory
  - Executes dropped EXE
    -
    C:\Windows\system32\vssadmin.exe
    command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
    -
    C:\Windows\SysWOW64\takeown.exe
    command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Hiveredirectionlist.exe
    - Modifies file permissions
    - Possible privilege escalation attempt
    -
    C:\Windows\SysWOW64\icacls.exe
    command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Hiveredirectionlist.exe /reset
    - Modifies file permissions
    - Possible privilege escalation attempt
    -
    C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Hiveredirectionlist" & del "C:\Users\Admin\AppData\Roaming\Hiveredirectionlist"
    - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\choice.exe
      command line: choice /t 10 /d y
      -
      C:\Windows\SysWOW64\attrib.exe
      command line: attrib -h "C:\Users\Admin\AppData\Roaming\Hiveredirectionlist"
      - Views/modifies file attributes
  -
  C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe" & del "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe"
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\choice.exe
    command line: choice /t 10 /d y
    -
    C:\Windows\SysWOW64\attrib.exe
    command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\0e061255b12ade5dc10f4ad9aeca9ebe5496d28ed251acb376c66c1d9f405821.exe"
    - Views/modifies file attributes
-
C:\Windows\system32\vssvc.exe
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\SysWOW64\Hiveredirectionlist.exe
command line: C:\Windows\SysWOW64\Hiveredirectionlist.exe -s
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
  -
  C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Hiveredirectionlist.exe" & del "C:\Windows\SysWOW64\Hiveredirectionlist.exe"
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\choice.exe
    command line: choice /t 10 /d y
    -
    C:\Windows\SysWOW64\attrib.exe
    command line: attrib -h "C:\Windows\SysWOW64\Hiveredirectionlist.exe"
    - Views/modifies file attributes
    - Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Hiveredirectionlist:bin
-
C:\Users\Admin\AppData\Roaming\Hiveredirectionlist:bin
-
C:\Windows\SysWOW64\Hiveredirectionlist.exe
-
C:\Windows\SysWOW64\Hiveredirectionlist.exe
-
memory/1004-8-0x0000000000000000-mapping.dmp
-
memory/1064-9-0x0000000000000000-mapping.dmp
-
memory/1164-10-0x0000000000000000-mapping.dmp
-
memory/1196-11-0x0000000000000000-mapping.dmp
-
memory/1524-12-0x0000000000000000-mapping.dmp
-
memory/1668-13-0x0000000000000000-mapping.dmp
-
memory/1796-14-0x0000000000000000-mapping.dmp
-
memory/2008-15-0x0000000000000000-mapping.dmp
-
memory/2064-16-0x0000000000000000-mapping.dmp
-
memory/2508-0-0x0000000000000000-mapping.dmp
-
memory/3484-4-0x0000000000000000-mapping.dmp
-
memory/3884-3-0x0000000000000000-mapping.dmp
-
memory/3996-6-0x0000000000000000-mapping.dmp