Analysis
- max time kernel: 57s
- max time network: 66s
- platform: windows7_x64
- resource: win7
- submitted: 05-10-2020 08:48

Static task: static1
Behavioral task: behavioral1
  Sample: 63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
  Resource: win7
Behavioral task: behavioral2
  Sample: 63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
  Resource: win10v200722

General
- Target: 63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
- Size: 1.6MB
- MD5: c171bcd34151cbcd48edbce13796e0ed
- SHA1: 2770fec86275dfb1a4a05e2d56bc27a089197666
- SHA256: 63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806
- SHA512: d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da
Malware Config
Signatures
- SunCrypt Ransomware
  Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.
- Blacklisted process makes network request (1 IoC)
  Process: powershell.exe
    flow 6 | pid 1988 | powershell.exe
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: powershell.exe
    File opened for modification: C:\Users\Admin\Pictures\CloseRequest.tiff
    File opened for modification: C:\Users\Admin\Pictures\InstallRegister.tiff
    File renamed: C:\Users\Admin\Pictures\CloseRequest.tiff => C:\Users\Admin\Pictures\CloseRequest.tiff.65534A05975BF04B53430708FF9E0DBC3B587BE8CFE7478D4D2505D05A12A93D
    File renamed: C:\Users\Admin\Pictures\GroupInvoke.crw => C:\Users\Admin\Pictures\GroupInvoke.crw.EFA1F8C06A9FC9DA2F5E0D9D30CA3FF6BFF9144C141EDDC31610B66B7ED27211
    File renamed: C:\Users\Admin\Pictures\InstallRegister.tiff => C:\Users\Admin\Pictures\InstallRegister.tiff.7AFD42031A724DC5D59003F2782845AE3EACB2334F066B8325885383D40A3458
    File renamed: C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.27482F072767359798181B5909A3E3CD153333F4E19727025808F5E1F9B44164
- Drops startup file (1 IoC)
  Process: powershell.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (35 IoCs)
  Process: powershell.exe
    File opened for modification: C:\Users\Admin\Saved Games\desktop.ini
    File opened for modification: C:\Users\Public\Desktop\desktop.ini
    File opened for modification: C:\Users\Public\desktop.ini
    File opened for modification: C:\Users\Public\Videos\desktop.ini
    File opened for modification: C:\Users\Admin\Pictures\desktop.ini
    File opened for modification: C:\Users\Public\Libraries\desktop.ini
    File opened for modification: C:\Users\Public\Pictures\Sample Pictures\desktop.ini
    File opened for modification: C:\Users\Public\Recorded TV\desktop.ini
    File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini
    File opened for modification: C:\Users\Admin\Desktop\desktop.ini
    File opened for modification: C:\Users\Public\Recorded TV\Sample Media\desktop.ini
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
    File opened for modification: C:\Users\Admin\Documents\desktop.ini
    File opened for modification: C:\Users\Admin\Videos\desktop.ini
    File opened for modification: C:\Users\Public\Downloads\desktop.ini
    File opened for modification: C:\Users\Public\Music\desktop.ini
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    File opened for modification: C:\Users\Admin\Contacts\desktop.ini
    File opened for modification: C:\Users\Admin\Favorites\desktop.ini
    File opened for modification: C:\Users\Admin\Favorites\Links\desktop.ini
    File opened for modification: C:\Users\Admin\Links\desktop.ini
    File opened for modification: C:\Users\Public\Documents\desktop.ini
    File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini
    File opened for modification: C:\Users\Admin\Favorites\Links for United States\desktop.ini
    File opened for modification: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
    File opened for modification: C:\Users\Admin\Downloads\desktop.ini
    File opened for modification: C:\Users\Public\Videos\Sample Videos\desktop.ini
    File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
    File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TGVUK4BG\desktop.ini
    File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini
    File opened for modification: C:\Users\Admin\Music\desktop.ini
    File opened for modification: C:\Users\Admin\Searches\desktop.ini
    File opened for modification: C:\Users\Public\Music\Sample Music\desktop.ini
    File opened for modification: C:\Users\Public\Pictures\desktop.ini
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: powershell.exe
    File opened (read-only): \??\K:
    File opened (read-only): \??\Z:
    File opened (read-only): \??\U:
    File opened (read-only): \??\P:
    File opened (read-only): \??\H:
    File opened (read-only): \??\S:
    File opened (read-only): \??\L:
    File opened (read-only): \??\V:
    File opened (read-only): \??\Q:
    File opened (read-only): \??\W:
    File opened (read-only): \??\E:
    File opened (read-only): \??\G:
    File opened (read-only): \??\J:
    File opened (read-only): \??\X:
    File opened (read-only): \??\B:
    File opened (read-only): \??\Y:
    File opened (read-only): \??\I:
    File opened (read-only): \??\O:
    File opened (read-only): \??\F:
    File opened (read-only): \??\N:
    File opened (read-only): \??\M:
    File opened (read-only): \??\R:
    File opened (read-only): \??\T:
    File opened (read-only): \??\A:
- Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe, powershell.exe
    pid 1588 | powershell.exe
    pid 1588 | powershell.exe
    pid 1988 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: powershell.exe, powershell.exe, vssvc.exe
    Token: SeDebugPrivilege   | pid 1588 | powershell.exe
    Token: SeDebugPrivilege   | pid 1988 | powershell.exe
    Token: SeBackupPrivilege  | pid 1184 | vssvc.exe
    Token: SeRestorePrivilege | pid 1184 | vssvc.exe
    Token: SeAuditPrivilege   | pid 1184 | vssvc.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: powershell.exe, csc.exe, powershell.exe, csc.exe
    description | pid | process | target process
    PID 1588 wrote to memory of 1596 | 1588 | powershell.exe | csc.exe
    PID 1588 wrote to memory of 1596 | 1588 | powershell.exe | csc.exe
    PID 1588 wrote to memory of 1596 | 1588 | powershell.exe | csc.exe
    PID 1596 wrote to memory of 1532 | 1596 | csc.exe | cvtres.exe
    PID 1596 wrote to memory of 1532 | 1596 | csc.exe | cvtres.exe
    PID 1596 wrote to memory of 1532 | 1596 | csc.exe | cvtres.exe
    PID 1588 wrote to memory of 1988 | 1588 | powershell.exe | powershell.exe
    PID 1588 wrote to memory of 1988 | 1588 | powershell.exe | powershell.exe
    PID 1588 wrote to memory of 1988 | 1588 | powershell.exe | powershell.exe
    PID 1588 wrote to memory of 1988 | 1588 | powershell.exe | powershell.exe
    PID 1988 wrote to memory of 1484 | 1988 | powershell.exe | csc.exe
    PID 1988 wrote to memory of 1484 | 1988 | powershell.exe | csc.exe
    PID 1988 wrote to memory of 1484 | 1988 | powershell.exe | csc.exe
    PID 1988 wrote to memory of 1484 | 1988 | powershell.exe | csc.exe
    PID 1484 wrote to memory of 1376 | 1484 | csc.exe | cvtres.exe
    PID 1484 wrote to memory of 1376 | 1484 | csc.exe | cvtres.exe
    PID 1484 wrote to memory of 1376 | 1484 | csc.exe | cvtres.exe
    PID 1484 wrote to memory of 1376 | 1484 | csc.exe | cvtres.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A14.tmp" "c:\Users\Admin\AppData\Local\Temp\bvehgn3m\CSC56FDA1B0416C46DD8AEABF87D0ACF5C6.TMP"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
    - Blacklisted process makes network request
    - Modifies extensions of user files
    - Drops startup file
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56A8.tmp" "c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\CSC6E1FD697DD4B431B843A58F8EAFD5D4.TMP"
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: 21215953575820289a959e33c7099940
  SHA1: 0a20f40e3d2792fd7c8709391288e7991a513758
  SHA256: afb16c997347f2d10e443c8a2e4f99590859a388590d8a2df094066046c817cd
  SHA512: 6bf3dde536ec8861fac00e27f7c919b41245cb03c664f8de08de1b5c4a684fc6a4c6b4f1e2fce1a05b8cedea4ee2c2a0e08b15c0635c595116dedb85e189752f
- C:\Users\Admin\AppData\Local\Temp\RES3A14.tmp
  MD5: d5a17dab73bfacd3ee9335eac321c062
  SHA1: 8992c75337d830dd70baa1af85812c7239d9bc61
  SHA256: afbf9b66413f9a58a3e557aae2c66d9eedb714068b2adff09dd0634a3f7ec6d1
  SHA512: e85af0aa847ef53aeda37038f0df5d57d4d4cc00967e6a59d80a338741a76a1795b26c7f4cd5c0891cf33ceb17d95cbdd1c105097196784aa84d594c9e7f8af9
- C:\Users\Admin\AppData\Local\Temp\RES56A8.tmp
  MD5: 48a936a5d03bac512c78b482bc6e7a26
  SHA1: 423a201ab07b0281ee6b81c43d16734854aa1e08
  SHA256: 97d8e3d24fc7b7d1eaa2b155773073992379eb7a1dcb8d9785f51878a7a540f2
  SHA512: 0118c290ee753eab0ebe712af2f92c0462afae9ad33d0ae6036a9c8cfc86e8f43dd64ab08b191f0285b2baa144b2721e6876f39629a7d93f03fa09571255d6ef
- C:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.dll
  MD5: 5a3b22bc45cf8b1af2a0e93205946026
  SHA1: c16974ce0708d8bf74def64c37072ad4b4e396b9
  SHA256: a19c80ee4b60967f36a304e47357f2b03ecd5b07846cc16f97b2876f036f4b77
  SHA512: 157659367f205368d125b6740d414f1945fe2697f14e888191d723cfafb8c98f57031d920e20c75615317d2d96fc03a6a57bf1bc503c43643215dc6afc17cccd
- C:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.dll
  MD5: 0f6d6faa8416a832c764eb04416098a1
  SHA1: 7906af553448f7ee4dca88178d05eedd6ae7a428
  SHA256: 0c0f4fc7024234ac40c0d9b1a669d9f3dfd32f4a2afca85e0c5f0b649195d0f9
  SHA512: 35c6c823629d22c0a0e20a6ecc3f4bef7e6be1c3c7ba42d9cd46555d74530c6c98c83a3d81482350235bc76d28083e3890e7c19c6b0109d6f06590bc53e82fa2
- \??\c:\Users\Admin\AppData\Local\Temp\bvehgn3m\CSC56FDA1B0416C46DD8AEABF87D0ACF5C6.TMP
  MD5: 34989d9d7296e063fabdc6208c9edade
  SHA1: 269749eb6d3513b4726c0a0a941ffcf4d0bd270b
  SHA256: cd7d89165c81335051d18192478270c82dc7a20e39f70d1f48b2d2ca4428b475
  SHA512: 827c902f216a665603be59a23a3407a472941952399e5ba81265822c050dc6fd3cd510d53abdc1c18abbcdc689f2229bf3090ddb3cc1bbcc62ab8ba8e9e6ec7b
- \??\c:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.0.cs
  MD5: caf98c9f9cc2c02cdc79eb3409a36bc5
  SHA1: aae6131763eaace982ee93fb15ee0eff45a034d2
  SHA256: dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499
  SHA512: 74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f
- \??\c:\Users\Admin\AppData\Local\Temp\bvehgn3m\bvehgn3m.cmdline
  MD5: c498bf5a6c07852023930b44040d6419
  SHA1: a99f60e258b3ac26ed153382829a867365713e14
  SHA256: 8761b478b4dad44fefef01eb41c03adb4a5f894679cc0732cf7ac6d276c094ef
  SHA512: 3757ef4736dcbbccf09bae8ec0c9a2bd9866822b50c65a159e831bf1a847911c3edba231958811d5345e90792cfcf63c2d4f4ce2e78fcdf87854547a43e029ae
- \??\c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\CSC6E1FD697DD4B431B843A58F8EAFD5D4.TMP
  MD5: d5b4f33aa7d442e08b95ef9d98edf150
  SHA1: ea5bce7ccccb4500ae11cc750c904f7d44c69109
  SHA256: 9ff80c802a55ad6142760e60d68cf28035712d82d9867fa51e71bcef3f948388
  SHA512: 4382d1c6ff44b17f3096e291d67bded42119debd4570dc869bf39c3738ff207b713b3aff3231382451c360e53168917d06632053db77ec8f53c63ced35ebec49
- \??\c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.0.cs
  MD5: caf98c9f9cc2c02cdc79eb3409a36bc5
  SHA1: aae6131763eaace982ee93fb15ee0eff45a034d2
  SHA256: dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499
  SHA512: 74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f
- \??\c:\Users\Admin\AppData\Local\Temp\g1nrnwn5\g1nrnwn5.cmdline
  MD5: ccea24f816e0c0767b9b4ea0a8be08ed
  SHA1: 0e262511106de511d2f0f5e916fefd061a1444d7
  SHA256: 3d25943de22c2b53b26e1d53266f2bcd69e907a234a9ae9b1d56dcec27fcd58a
  SHA512: cc37ddc439d2b18b311686ad32411d546cdf34346cc05798bb8b4260eeb73cd98c0a93169196744d101d2e10a9cd53406644a58e1029f4826951e73714b268fe
- memory/1376-47-0x0000000000000000-mapping.dmp
- memory/1484-44-0x0000000000000000-mapping.dmp
- memory/1532-9-0x0000000000000000-mapping.dmp
- memory/1588-0-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp
  Filesize: 9.9MB
- memory/1588-1-0x00000000023C0000-0x00000000023C1000-memory.dmp
  Filesize: 4KB
- memory/1588-2-0x000000001AD60000-0x000000001AD61000-memory.dmp
  Filesize: 4KB
- memory/1588-3-0x0000000001E60000-0x0000000001E61000-memory.dmp
  Filesize: 4KB
- memory/1588-4-0x0000000001DC0000-0x0000000001DC1000-memory.dmp
  Filesize: 4KB
- memory/1588-13-0x0000000002330000-0x0000000002331000-memory.dmp
  Filesize: 4KB
- memory/1588-5-0x000000001C5B0000-0x000000001C5B1000-memory.dmp
  Filesize: 4KB
- memory/1596-6-0x0000000000000000-mapping.dmp
- memory/1788-54-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp
  Filesize: 2.5MB
- memory/1988-19-0x0000000005240000-0x0000000005241000-memory.dmp
  Filesize: 4KB
- memory/1988-18-0x00000000024D0000-0x00000000024D1000-memory.dmp
  Filesize: 4KB
- memory/1988-41-0x00000000065D0000-0x00000000065D1000-memory.dmp
  Filesize: 4KB
- memory/1988-33-0x00000000064B0000-0x00000000064B1000-memory.dmp
  Filesize: 4KB
- memory/1988-32-0x0000000006210000-0x0000000006211000-memory.dmp
  Filesize: 4KB
- memory/1988-27-0x00000000061A0000-0x00000000061A1000-memory.dmp
  Filesize: 4KB
- memory/1988-14-0x0000000000000000-mapping.dmp
- memory/1988-40-0x0000000006420000-0x0000000006421000-memory.dmp
  Filesize: 4KB
- memory/1988-17-0x0000000004870000-0x0000000004871000-memory.dmp
  Filesize: 4KB
- memory/1988-16-0x0000000002090000-0x0000000002091000-memory.dmp
  Filesize: 4KB
- memory/1988-51-0x0000000006460000-0x0000000006461000-memory.dmp
  Filesize: 4KB
- memory/1988-52-0x00000000068E0000-0x000000000690E000-memory.dmp
  Filesize: 184KB
- memory/1988-15-0x0000000073680000-0x0000000073D6E000-memory.dmp
  Filesize: 6.9MB
- memory/1988-56-0x00000000061F0000-0x00000000061F1000-memory.dmp
  Filesize: 4KB