46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

Analysis

max time kernel
154s
max time network
85s
platform
windows7_x64
resource
win7
submitted
11-08-2020 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

foo/60121ea2ab380455f7e143cd9438443e.exe

Score

9^/10

evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Executes dropped EXE 1 IoCs

Processes:

sdelete.exe

pid process

684 sdelete.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1876 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

268 cmd.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ipinfo.io
4 ipinfo.io

pid	process
684	sdelete.exe

pid	process
1876	cmd.exe

pid	process
268	cmd.exe

flow	ioc
3	ipinfo.io
4	ipinfo.io

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

60121ea2ab380455f7e143cd9438443e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6CA6.tmp.bmp"	60121ea2ab380455f7e143cd9438443e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg"	60121ea2ab380455f7e143cd9438443e.exe

Drops file in Program Files directory 2 IoCs

Processes:

60121ea2ab380455f7e143cd9438443e.exe

description	ioc	process
File created	C:\Program Files\Touch	60121ea2ab380455f7e143cd9438443e.exe
File created	C:\Program Files (x86)\Touch	60121ea2ab380455f7e143cd9438443e.exe

Drops file in Windows directory 1 IoCs

Processes:

60121ea2ab380455f7e143cd9438443e.exe

description ioc process

File created C:\Windows\Touch 60121ea2ab380455f7e143cd9438443e.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1860 tasklist.exe

description	ioc	process
File created	C:\Windows\Touch	60121ea2ab380455f7e143cd9438443e.exe

pid	process
1860	tasklist.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

60121ea2ab380455f7e143cd9438443e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\WallpaperStyle = "2"	60121ea2ab380455f7e143cd9438443e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\TileWallpaper = "0"	60121ea2ab380455f7e143cd9438443e.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2004 PING.EXE

pid	process
2004	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

60121ea2ab380455f7e143cd9438443e.exetasklist.exe

pid	process
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1140	60121ea2ab380455f7e143cd9438443e.exe
1860	tasklist.exe
1860	tasklist.exe
1140	60121ea2ab380455f7e143cd9438443e.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

60121ea2ab380455f7e143cd9438443e.exewevtutil.exewevtutil.exewevtutil.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1140	60121ea2ab380455f7e143cd9438443e.exe
Token: SeSecurityPrivilege	832	wevtutil.exe
Token: SeBackupPrivilege	832	wevtutil.exe
Token: SeSecurityPrivilege	744	wevtutil.exe
Token: SeBackupPrivilege	744	wevtutil.exe
Token: SeSecurityPrivilege	1060	wevtutil.exe
Token: SeBackupPrivilege	1060	wevtutil.exe
Token: SeDebugPrivilege	1860	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

60121ea2ab380455f7e143cd9438443e.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1140 wrote to memory of 1436	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1436	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1436	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1436	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1436 wrote to memory of 832	1436	cmd.exe	wevtutil.exe
PID 1436 wrote to memory of 832	1436	cmd.exe	wevtutil.exe
PID 1436 wrote to memory of 832	1436	cmd.exe	wevtutil.exe
PID 1436 wrote to memory of 832	1436	cmd.exe	wevtutil.exe
PID 1140 wrote to memory of 304	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 304	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 304	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 304	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 304 wrote to memory of 744	304	cmd.exe	wevtutil.exe
PID 304 wrote to memory of 744	304	cmd.exe	wevtutil.exe
PID 304 wrote to memory of 744	304	cmd.exe	wevtutil.exe
PID 304 wrote to memory of 744	304	cmd.exe	wevtutil.exe
PID 1140 wrote to memory of 1088	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1088	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1088	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1088	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1088 wrote to memory of 1060	1088	cmd.exe	wevtutil.exe
PID 1088 wrote to memory of 1060	1088	cmd.exe	wevtutil.exe
PID 1088 wrote to memory of 1060	1088	cmd.exe	wevtutil.exe
PID 1088 wrote to memory of 1060	1088	cmd.exe	wevtutil.exe
PID 1140 wrote to memory of 1524	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1524	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1524	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1524	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1524 wrote to memory of 1696	1524	cmd.exe	sc.exe
PID 1524 wrote to memory of 1696	1524	cmd.exe	sc.exe
PID 1524 wrote to memory of 1696	1524	cmd.exe	sc.exe
PID 1524 wrote to memory of 1696	1524	cmd.exe	sc.exe
PID 1140 wrote to memory of 1360	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1360	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1360	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1360	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1852	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1852	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1852	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1852	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1852 wrote to memory of 1240	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 1240	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 1240	1852	cmd.exe	reg.exe
PID 1852 wrote to memory of 1240	1852	cmd.exe	reg.exe
PID 1140 wrote to memory of 1860	1140	60121ea2ab380455f7e143cd9438443e.exe	tasklist.exe
PID 1140 wrote to memory of 1860	1140	60121ea2ab380455f7e143cd9438443e.exe	tasklist.exe
PID 1140 wrote to memory of 1860	1140	60121ea2ab380455f7e143cd9438443e.exe	tasklist.exe
PID 1140 wrote to memory of 1860	1140	60121ea2ab380455f7e143cd9438443e.exe	tasklist.exe
PID 1140 wrote to memory of 1900	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1900	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1900	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1900	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1876	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1876	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1876	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1140 wrote to memory of 1876	1140	60121ea2ab380455f7e143cd9438443e.exe	cmd.exe
PID 1900 wrote to memory of 1940	1900	cmd.exe	reg.exe
PID 1900 wrote to memory of 1940	1900	cmd.exe	reg.exe
PID 1900 wrote to memory of 1940	1900	cmd.exe	reg.exe
PID 1900 wrote to memory of 1940	1900	cmd.exe	reg.exe
PID 1876 wrote to memory of 2004	1876	cmd.exe	PING.EXE
PID 1876 wrote to memory of 2004	1876	cmd.exe	PING.EXE
PID 1876 wrote to memory of 2004	1876	cmd.exe	PING.EXE
PID 1876 wrote to memory of 2004	1876	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\foo\60121ea2ab380455f7e143cd9438443e.exe
"C:\Users\Admin\AppData\Local\Temp\foo\60121ea2ab380455f7e143cd9438443e.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C wevtutil.exe clear-log Application
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe clear-log Application
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C wevtutil.exe clear-log Security
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe clear-log Security
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C wevtutil.exe clear-log System
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe clear-log System
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C sc config eventlog start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\sc.exe
    sc config eventlog start=disabled
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" sc stop eventlog
  2⤵
  PID:1360
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C REG add "HKLM\SYSTEM\CurrentControlSet\services\eventlog" / v Start / t REG_DWORD / d 4 / f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\reg.exe
    REG add "HKLM\SYSTEM\CurrentControlSet\services\eventlog" / v Start / t REG_DWORD / d 4 / f
    3⤵
    PID:1240
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist" /V /FO CSV
  2⤵
  - Enumerates processes with tasklist
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C cd C:\ProgramData\ && release.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Sysinternals\SDelete"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Sysinternals\SDelete" /v EulaAccepted /t REG_DWORD /d 1 /f
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\ProgramData\sdelete.exe -c -z C:
    3⤵
    - Loads dropped DLL
    PID:268
  - - C:\ProgramData\sdelete.exe
      C:\ProgramData\sdelete.exe -c -z C:
      4⤵
      Executes dropped EXE
      PID:684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\Admin\AppData\Local\Temp\foo\60121ea2ab380455f7e143cd9438443e.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\release.bat

MD5
d6f5eca30ce21c143637f6ae69575644

SHA1
698662a8b177f5611e96b01e79ca9c4eea9a2a1d

SHA256
003b7de471a4cdc835cc093fa030c99dc9037a9643512127aa94473832e10a6f

SHA512
02179f3d3ba676c53518aefa0db9b2fd84c92cb9eb139a7f114d526fe60334e00b499240f2ecd0ed5dd660c0c26d8496747e0d845e752b5abc0708b5f08a752a

Download Submit
C:\ProgramData\sdelete.exe

MD5
2b5cb081721b8ba454713119be062491

SHA1
7bcd946326b67f806b3db4595ede9fbdf29d0c36

SHA256
feec1457836a5f84291215a2a003fcde674e7e422df8c4ed6fe5bb3b679cdc87

SHA512
413c1ef210c97cbded7728bc609f9641dc16be53bd6e0242e9cba01af90a3d5abc3dbafa9ef75e3370b23bfdd895d3d45195dfaf9cbdb44a37f37190f8233522

Download Submit
\ProgramData\sdelete.exe

MD5
2b5cb081721b8ba454713119be062491

SHA1
7bcd946326b67f806b3db4595ede9fbdf29d0c36

SHA256
feec1457836a5f84291215a2a003fcde674e7e422df8c4ed6fe5bb3b679cdc87

SHA512
413c1ef210c97cbded7728bc609f9641dc16be53bd6e0242e9cba01af90a3d5abc3dbafa9ef75e3370b23bfdd895d3d45195dfaf9cbdb44a37f37190f8233522

Download Submit
memory/268-18-0x0000000000000000-mapping.dmp

Download
memory/304-2-0x0000000000000000-mapping.dmp

Download
memory/684-20-0x0000000000000000-mapping.dmp

Download
memory/744-3-0x0000000000000000-mapping.dmp

Download
memory/832-1-0x0000000000000000-mapping.dmp

Download
memory/1060-5-0x0000000000000000-mapping.dmp

Download
memory/1088-4-0x0000000000000000-mapping.dmp

Download
memory/1240-10-0x0000000000000000-mapping.dmp

Download
memory/1360-8-0x0000000000000000-mapping.dmp

Download
memory/1436-0-0x0000000000000000-mapping.dmp

Download
memory/1524-6-0x0000000000000000-mapping.dmp

Download
memory/1696-7-0x0000000000000000-mapping.dmp

Download
memory/1852-9-0x0000000000000000-mapping.dmp

Download
memory/1860-11-0x0000000000000000-mapping.dmp

Download
memory/1876-13-0x0000000000000000-mapping.dmp

Download
memory/1900-12-0x0000000000000000-mapping.dmp

Download
memory/1940-15-0x0000000000000000-mapping.dmp

Download
memory/1996-17-0x0000000000000000-mapping.dmp

Download
memory/2004-16-0x0000000000000000-mapping.dmp

Download