Resubmissions
- 19-11-2020 14:39  201119-59epbrqadx  score 10
- 19-11-2020 14:22  201119-ff99dc42e6  score 10
- 19-11-2020 14:16  201119-298y5e8ncj  score 9

Analysis
- max time kernel: 29s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-11-2020 14:16
Static task: static1
Behavioral task: behavioral1
- Sample: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
- Resource: win10v20201028
General
- Target: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
- Size: 1.8MB
- MD5: 10d7151b9ee53b8da8ee6f85001ffb20
- SHA1: 76d33ef58ea7b012342d975d871db64840da9675
- SHA256: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093
- SHA512: 1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
  - File opened for modification: C:\Users\Admin\Pictures\RemoveInstall.tiff
  - File created: C:\Users\Admin\Pictures\SplitUnregister.raw.REDROMAN
  - File opened for modification: C:\Users\Admin\Pictures\EditRevoke.tiff
  - File created: C:\Users\Admin\Pictures\EditRevoke.tiff.REDROMAN
  - File created: C:\Users\Admin\Pictures\BlockTest.tiff.REDROMAN
  - File created: C:\Users\Admin\Pictures\ExportRestore.tif.REDROMAN
  - File created: C:\Users\Admin\Pictures\ConfirmInstall.crw.REDROMAN
  - File created: C:\Users\Admin\Pictures\RemoveInstall.tiff.REDROMAN
  - File created: C:\Users\Admin\Pictures\GroupReceive.crw.REDROMAN
  - File opened for modification: C:\Users\Admin\Pictures\BlockTest.tiff
- Drops startup file (1 IoC)
  Process: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
- Modifies service (2 TTPs, 5 IoCs)
  Process: vssvc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  - PID 4156: vssadmin.exe
  - PID 4388: vssadmin.exe
- Modifies registry class (1 IoC)
  Process: powershell.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  - PID 2768: powershell.exe (3 events)
  - PID 3972: powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, PID 2768, powershell.exe
  - Token: SeDebugPrivilege, PID 3972, powershell.exe
  - Token: SeBackupPrivilege, PID 4244, vssvc.exe
  - Token: SeRestorePrivilege, PID 4244, vssvc.exe
  - Token: SeAuditPrivilege, PID 4244, vssvc.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each write is logged twice in the report, so nine distinct parent/child pairs)
  - PID 3980 f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe wrote to memory of PID 2768 powershell.exe
  - PID 3980 f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe wrote to memory of PID 3972 powershell.exe
  - PID 3972 powershell.exe wrote to memory of PID 1504 cmd.exe
  - PID 1504 cmd.exe wrote to memory of PID 4156 vssadmin.exe
  - PID 1504 cmd.exe wrote to memory of PID 4388 vssadmin.exe
  - PID 1504 cmd.exe wrote to memory of PID 4420 net.exe
  - PID 4420 net.exe wrote to memory of PID 4440 net1.exe
  - PID 1504 cmd.exe wrote to memory of PID 4464 net.exe
  - PID 4464 net.exe wrote to memory of PID 4480 net1.exe
Processes (nested by parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
  Signatures: Modifies extensions of user files; Drops startup file; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin.exe Delete Shadows /All /Quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\vssadmin.exe
        Command line: vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\net.exe
        Command line: net user /add RedROMAN p4zzaub71h
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
      - C:\Windows\system32\net.exe
        Command line: net localgroup administrators RedROMAN /add
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 localgroup administrators RedROMAN /add
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\amdkey.bat
  MD5: e1ccfa2c9fccc3306d6a2beafee97e88
  SHA1: 769a6f5692364611fb1c97b7f8909e305df46b0c
  SHA256: 8c6a13f418d0c11640ea15a0c42a4edc9f4175c4c924573c35b86929a7d25aaf
  SHA512: f5ecf42ded57faa60cd98f7e43438c7b7158afb7061b836805469840880ae6b980dfe99f66bce8b52f2fa27eb0d07a48631da8f8fb82a3f12754a2024d70460c
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: 8a313b70fd641fc4e6fffb40391d0b4d
  SHA1: 22684fe19ecd7943ac18e622db0d7f161db500e8
  SHA256: bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911
  SHA512: 5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 769b9090275dbfc6ccfe5497dbddcf83
  SHA1: 974269a492394ec6fb9990990b01aefd6bb88247
  SHA256: eeec5d3a1d83e84b995ec9827d1cd2242fedfcbff1c9778b31cdede0879f515a
  SHA512: 3c53d3557f51be12c6446971644569ebf7f0f43e66f8a778e0a0682c9c9abccb5c01e956c11ef67e071d70e7dda95374da89b439de31ca18594aff8e04303cbc
Memory dumps
- memory/1504-12-0x0000000000000000-mapping.dmp
- memory/2768-4-0x00000236EC530000-0x00000236EC531000-memory.dmp (4KB)
- memory/2768-3-0x00000236E9A00000-0x00000236E9A01000-memory.dmp (4KB)
- memory/2768-2-0x00007FFF6D540000-0x00007FFF6DF2C000-memory.dmp (9.9MB)
- memory/2768-1-0x0000000000000000-mapping.dmp
- memory/3972-5-0x0000000000000000-mapping.dmp
- memory/3972-7-0x00007FFF6D540000-0x00007FFF6DF2C000-memory.dmp (9.9MB)
- memory/3980-0-0x00007FF66EB10000-0x00007FF66ECE1000-memory.dmp (1.8MB)
- memory/4156-13-0x0000000000000000-mapping.dmp
- memory/4388-14-0x0000000000000000-mapping.dmp
- memory/4420-15-0x0000000000000000-mapping.dmp
- memory/4440-16-0x0000000000000000-mapping.dmp
- memory/4464-17-0x0000000000000000-mapping.dmp
- memory/4480-18-0x0000000000000000-mapping.dmp