Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10_x64
- resource: win10v200722
- submitted: 22-09-2020 17:31
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: pewpew_p.bin.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: pewpew_p.bin.exe, Resource: win10v200722)
General
- Target: pewpew_p.bin.exe
- Size: 1.0MB
- MD5: 202bf9be9a4e45526e482f08104717ad
- SHA1: 1e5bbfb9167150935c6eb25bbbebbe5c77a97aa2
- SHA256: 7282df1360af4c028930ffd9fbc30ea9d17f08f14b725f8020677dd9df961c55
- SHA512: 89db20536030f28af5997d4b93e90ead0ccd7299d6777d422159a0a41b658274743a390fed1a9f942b668f4f04afd1119e7b4a41356b10ea37393c8b5e05f5ea
Malware Config
Extracted:
- C:\info-decrypt.txt
- pewpew@TuTa.io
- pewpew@Protonmail.Com
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies Windows Firewall (1 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (13 IoCs)
  Processes: pewpew_p.bin.exe
  description | ioc | process
  File created | C:\Program Files\desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini | pewpew_p.bin.exe
  File created | C:\Program Files (x86)\desktop.ini | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | pewpew_p.bin.exe
  File created | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | pewpew_p.bin.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  17 | ip-api.com
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (16 IoCs)
  Processes: pewpew_p.bin.exe
  pid | process
  864 | pewpew_p.bin.exe (16 occurrences)
- Drops file in Program Files directory (1168 IoCs)
  Processes: pewpew_p.bin.exe
  description | ioc | process
  File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml | pewpew_p.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\info-decrypt.hta | pewpew_p.bin.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_pdf_18.svg | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\System\msadc\msadcor.dll | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg | pewpew_p.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\info-decrypt.hta | pewpew_p.bin.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif | pewpew_p.bin.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | pewpew_p.bin.exe
  File opened for modification | C:\Program Files\CompareStep.cab | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\System\ado\msado25.tlb | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions.png | pewpew_p.bin.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\sk-SK\info-decrypt.hta | pewpew_p.bin.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected-hover.svg | pewpew_p.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\info-decrypt.hta | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\Services\verisign.bmp | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | pewpew_p.bin.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-disabled_32.svg | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\export.svg | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses-hover.svg | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui | pewpew_p.bin.exe
  File created | C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui | pewpew_p.bin.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\info-decrypt.hta | pewpew_p.bin.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | pewpew_p.bin.exe
  File created | C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg | pewpew_p.bin.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | pewpew_p.bin.exe
- Drops file in Windows directory (1 IoCs)
  Processes: pewpew_p.bin.exe
  description | ioc | process
  File created | C:\Windows\info-decrypt.txt | pewpew_p.bin.exe
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  2252 | vssadmin.exe
  2480 | vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: pewpew_p.bin.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 864 | pewpew_p.bin.exe
  Token: SeBackupPrivilege | 1132 | vssvc.exe
  Token: SeRestorePrivilege | 1132 | vssvc.exe
  Token: SeAuditPrivilege | 1132 | vssvc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: pewpew_p.bin.exe
  pid | process
  864 | pewpew_p.bin.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: pewpew_p.bin.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 864 wrote to memory of 3392 | 864 | pewpew_p.bin.exe | cmd.exe
  PID 864 wrote to memory of 3392 | 864 | pewpew_p.bin.exe | cmd.exe
  PID 864 wrote to memory of 3392 | 864 | pewpew_p.bin.exe | cmd.exe
  PID 864 wrote to memory of 1352 | 864 | pewpew_p.bin.exe | cmd.exe
  PID 864 wrote to memory of 1352 | 864 | pewpew_p.bin.exe | cmd.exe
  PID 3392 wrote to memory of 2252 | 3392 | cmd.exe | vssadmin.exe
  PID 3392 wrote to memory of 2252 | 3392 | cmd.exe | vssadmin.exe
  PID 3392 wrote to memory of 2252 | 3392 | cmd.exe | vssadmin.exe
  PID 1352 wrote to memory of 2480 | 1352 | cmd.exe | vssadmin.exe
  PID 1352 wrote to memory of 2480 | 1352 | cmd.exe | vssadmin.exe
  PID 864 wrote to memory of 3952 | 864 | pewpew_p.bin.exe | netsh.exe
  PID 864 wrote to memory of 3952 | 864 | pewpew_p.bin.exe | netsh.exe
  PID 864 wrote to memory of 3940 | 864 | pewpew_p.bin.exe | netsh.exe
  PID 864 wrote to memory of 3940 | 864 | pewpew_p.bin.exe | netsh.exe
Processes (tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\pewpew_p.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pewpew_p.bin.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /C vssadmin Delete Shadows /All /Quiet
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\vssadmin.exe
      Command line: vssadmin Delete Shadows /All /Quiet
      - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\netsh.exe
    Command line: "netsh.exe" Advfirewall set allprofiles state off
  - [2] C:\Windows\SYSTEM32\netsh.exe
    Command line: "netsh.exe" Advfirewall set allprofiles state off
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/864-0-0x0000000003C90000-0x0000000003C91000-memory.dmp (Filesize: 4KB)
- memory/864-2-0x0000000003C90000-0x0000000003C91000-memory.dmp (Filesize: 4KB)
- memory/864-4-0x0000000073150000-0x000000007383E000-memory.dmp (Filesize: 6.9MB)
- memory/864-5-0x0000000000EA0000-0x0000000000EA1000-memory.dmp (Filesize: 4KB)
- memory/864-7-0x0000000005FA0000-0x0000000005FA1000-memory.dmp (Filesize: 4KB)
- memory/864-9-0x0000000007D10000-0x0000000007D11000-memory.dmp (Filesize: 4KB)
- memory/1352-11-0x0000000000000000-mapping.dmp
- memory/2252-12-0x0000000000000000-mapping.dmp
- memory/2480-13-0x0000000000000000-mapping.dmp
- memory/3392-10-0x0000000000000000-mapping.dmp
- memory/3940-15-0x0000000000000000-mapping.dmp
- memory/3952-14-0x0000000000000000-mapping.dmp