Overview

overview

10

Static

static

6

f0fbd0654d...le.exe

windows7_x64

10

f0fbd0654d...le.exe

windows10_x64

9

Resubmissions

19/11/2020, 14:39

201119-59epbrqadx 10

19/11/2020, 14:22

201119-ff99dc42e6 10

19/11/2020, 14:16

201119-298y5e8ncj 9

Analysis

  • max time kernel
    32s
  • max time network
    106s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19/11/2020, 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

  • Size

    1.8MB

  • MD5

    10d7151b9ee53b8da8ee6f85001ffb20

  • SHA1

    76d33ef58ea7b012342d975d871db64840da9675

  • SHA256

    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

  • SHA512

    1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

Score
9/10
persistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:184
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3492
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:4360
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
          4⤵
          • Interacts with shadow copies
          PID:4596
        • C:\Windows\system32\net.exe
          net user /add RedROMAN p4zzaub71h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4628
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
            5⤵
              PID:4648
          • C:\Windows\system32\net.exe
            net localgroup administrators RedROMAN /add
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4672
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 localgroup administrators RedROMAN /add
              5⤵
                PID:4692
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:4496

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/184-7-0x00007FFE21970000-0x00007FFE2235C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1160-0-0x00007FF6A06A0000-0x00007FF6A0871000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1364-4-0x000001DA7B280000-0x000001DA7B281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1364-3-0x000001DA7B0D0000-0x000001DA7B0D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1364-2-0x00007FFE21970000-0x00007FFE2235C000-memory.dmp

        Filesize

        9.9MB

        Download