Analysis
-
max time kernel
154s -
max time network
131s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-11-2020 15:33
General
-
Target
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe
-
Size
212KB
-
MD5
723825ad69a5d55a1e5ed3d1ee831f0d
-
SHA1
7e082df63c3de0f8bf9d38edf72ba5268078275a
-
SHA256
f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
-
SHA512
dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78
Malware Config
Extracted
C:\RECOVERY DATA INFORMATION.TXT
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies service 2 TTPs 4 IoCs
-
Drops file in Program Files directory 9273 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 87 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe"C:\Users\Admin\AppData\Local\Temp\f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb.bin.exe"1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
94b4ad73963959e339923ddcabf6b331
SHA1aa2c6af08dd5478d326c90ef2146c3ee2a7b55b2
SHA2568945240c6d037d35d6124ac4b9815a8d74d785fa30c2c4b2fd54ed2fb68f58f4
SHA512aefafb7d184e5564bdc65311e52619950f603fb89259de2af3b8f9fa05c346bf9e3f33b9cbe05a01389ef97642c7e37299ce8b9b4f3cb9f6d4e9a6877c537126
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
3208da0c038576623565b095fcea4ad1
SHA1bc421f8eb4b9c6100aa444edece988c01dd63b26
SHA25616ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b
SHA51217fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
c6f27d5d1ee450d3400bf13e0804fce6
SHA12d0505f90eca6a49ca15b742aa5ef9ef01c7af41
SHA2562c01ba329cfb39b6141b3c98d662ba24eb458e051fb7de79f975e681e8b4327a
SHA51275687ddffd7021a033d19049f0cc05bbccd97a1433c06738a04590ed660996f669838514fe9f3b7c4b2eb494cf8a594f54bab1446cc915da4a042c3a327adc3d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
42ec4a7f1c20eacdf7f35679a47e8687
SHA1f3e80c0b7adc162787f7acca32436f589758a34a
SHA256baa429e7608442e29ec79669922b9864d4a26a316dfc4f0a30482adfdd76d39a
SHA512d5356ad18e2cc077d09eb721939487314b5fb7ec0291dab499b74ffd6ba58625959635829ca0fa8d3eb69f5c2faa481c87edea4e22b93ad25180f5a9d626093a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
1179e475f6b4917142345837c10bfec2
SHA156456206cf924d22cff8e531d29db838c5e2d0e8
SHA25670a8e634f9a6e24c5fad195c47f23a5bbef4879ec541e1dbcc54dc9970c9235a
SHA5128bcb0f80187225ade21a0a3e8bf53f97c35a7db81db4c8530140f40377d177b6bf546235038051dd8aaceba75666959703332f3209c50259516468777d3a3da2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
9c697b6f7bb8bca34650e0bc13fd8cf2
SHA141d956cc1f485162bf917c0d4bfac8a46adcdacd
SHA2564a6c36b8e522db6c536aae4e632761150d48d1fa613a3f692678bc42f8fc8214
SHA512bd0dffdc8d55e29226390d8340d8f43e4ec78c472159b43517ca81924aa0c8beacb4ca46c1b68bfb78cd343b35ed15b562b38fc08c52010857c65cddd9c55e9f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\DNQPS1KB.htmMD5
b1cd7c031debba3a5c77b39b6791c1a7
SHA1e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA25657ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\FJFVXWXG.htmMD5
8615e70875c2cc0b9db16027b9adf11d
SHA14ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
78215698f8f9dc7941c9c287642bd02c
SHA1633cd0a6c76f080cdb6e0c98034b0b5dd7283a47
SHA256dc94e21e80522b2cee097064c31a7720d70a02d0c55f290d59030fd0c995cac5
SHA512c0a05f8cc400855c40b8e8eb3e7f027b06553cc592eb2ab6ad0a8c33ed2d196c7eda358977edc3f34ce1fdbff30efe288725eb10ea463e622ee9eb8085e48f7d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
723825ad69a5d55a1e5ed3d1ee831f0d
SHA17e082df63c3de0f8bf9d38edf72ba5268078275a
SHA256f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
SHA512dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
723825ad69a5d55a1e5ed3d1ee831f0d
SHA17e082df63c3de0f8bf9d38edf72ba5268078275a
SHA256f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
SHA512dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
723825ad69a5d55a1e5ed3d1ee831f0d
SHA17e082df63c3de0f8bf9d38edf72ba5268078275a
SHA256f247ae6db52989c9a598c3c7fbc1ae2db54f5c65be862880e11578b8583731cb
SHA512dbd1fd80c8e1224c79ecea419919df3590186c95bfd2f606d6573d759374bc54db8331478207e3b543114431c2ed8eede83b7eca74d4313e7dee16bd527c2c78
-
memory/636-23-0x0000000000000000-mapping.dmp
-
memory/640-21-0x0000000000000000-mapping.dmp
-
memory/672-20-0x0000000000000000-mapping.dmp
-
memory/1304-17-0x0000000000000000-mapping.dmp
-
memory/2716-13-0x0000000000000000-mapping.dmp
-
memory/2740-0-0x0000000000000000-mapping.dmp
-
memory/2772-14-0x0000000000000000-mapping.dmp
-
memory/3160-22-0x0000000000000000-mapping.dmp
-
memory/3396-15-0x0000000000000000-mapping.dmp
-
memory/3476-16-0x0000000000000000-mapping.dmp
-
memory/3748-11-0x0000000000000000-mapping.dmp
-
memory/4088-12-0x0000000000000000-mapping.dmp