Analysis
-
max time kernel: 139s
max time network: 139s
platform: windows10_x64
resource: win10v20201028
submitted: 21/01/2021, 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
  Resource: win10v20201028
General
-
Target: f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
Size: 17KB
MD5: c5d712f82d5d37bb284acd4468ab3533
SHA1: 3426e8dcb104d9b01874498fb44c6e460228a9a0
SHA256: f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8
SHA512: be69319e023ccd23557edc3178a3b6775a771927a0e6d34f409b8d26cbe09fb27ff4bf92abdb0c344100404029b4e3f38963a0c27bd7a4ae35e5de2e779c6649
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Kills process with taskkill 3 IoCs
pid   Process
4044  taskkill.exe
2680  taskkill.exe
1096  taskkill.exe
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  4044  taskkill.exe
Token: SeDebugPrivilege  2680  taskkill.exe
Token: SeDebugPrivilege  1096  taskkill.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 3108 wrote to memory of 1544 | 3108 | f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe | 74
PID 3108 wrote to memory of 1544 | 3108 | f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe | 74
PID 1544 wrote to memory of 2844 | 1544 | cmd.exe | 76
PID 1544 wrote to memory of 2844 | 1544 | cmd.exe | 76
PID 2844 wrote to memory of 3084 | 2844 | net.exe | 77
PID 2844 wrote to memory of 3084 | 2844 | net.exe | 77
PID 1544 wrote to memory of 4024 | 1544 | cmd.exe | 79
PID 1544 wrote to memory of 4024 | 1544 | cmd.exe | 79
PID 4024 wrote to memory of 3388 | 4024 | net.exe | 80
PID 4024 wrote to memory of 3388 | 4024 | net.exe | 80
PID 1544 wrote to memory of 2644 | 1544 | cmd.exe | 81
PID 1544 wrote to memory of 2644 | 1544 | cmd.exe | 81
PID 1544 wrote to memory of 4020 | 1544 | cmd.exe | 82
PID 1544 wrote to memory of 4020 | 1544 | cmd.exe | 82
PID 1544 wrote to memory of 216 | 1544 | cmd.exe | 83
PID 1544 wrote to memory of 216 | 1544 | cmd.exe | 83
PID 1544 wrote to memory of 208 | 1544 | cmd.exe | 84
PID 1544 wrote to memory of 208 | 1544 | cmd.exe | 84
PID 1544 wrote to memory of 4044 | 1544 | cmd.exe | 85
PID 1544 wrote to memory of 4044 | 1544 | cmd.exe | 85
PID 1544 wrote to memory of 2680 | 1544 | cmd.exe | 87
PID 1544 wrote to memory of 2680 | 1544 | cmd.exe | 87
PID 1544 wrote to memory of 1096 | 1544 | cmd.exe | 88
PID 1544 wrote to memory of 1096 | 1544 | cmd.exe | 88
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3108
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat" "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe""
      - Suspicious use of WriteProcessMemory
      PID: 1544
    [3] C:\Windows\system32\net.exe
        Command line: net stop BMR Boot Service /y
        - Suspicious use of WriteProcessMemory
        PID: 2844
      [4] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
          PID: 3084
    [3] C:\Windows\system32\net.exe
        Command line: net stop NetBackup BMR MTFTP Service /y
        - Suspicious use of WriteProcessMemory
        PID: 4024
      [4] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
          PID: 3388
    [3] C:\Windows\system32\sc.exe
        Command line: sc config SQLTELEMETRY start= disabled
        PID: 2644
    [3] C:\Windows\system32\sc.exe
        Command line: sc config SQLTELEMETRY$ECWDB2 start= disabled
        PID: 4020
    [3] C:\Windows\system32\sc.exe
        Command line: sc config SQLWriter start= disabled
        PID: 216
    [3] C:\Windows\system32\sc.exe
        Command line: sc config SstpSvc start= disabled
        PID: 208
    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /IM mspub.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 4044
    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /IM mydesktopqos.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2680
    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /IM mydesktopservice.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1096
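The process tree above is a compact defence-impairment sequence: one cmd.exe running kill.bat stops two NetBackup BMR services, disables four services via sc config start= disabled, and force-kills three processes. The Python below is an added detection example, not part of the sandbox report or of the sample: it runs that logic over constructed process-creation events that mirror the tree (fields modelled on Sysmon Event ID 1). The event layout, the rule that attributes net1.exe's work to whatever launched net.exe, the threshold of three distinct targets, and the backup/DB keyword list (taken from the service names in this tree) are all assumptions to tune per estate.

```python
import re
from dataclasses import dataclass, field

# Constructed events mirroring the report's process tree (assumed Sysmon-like
# fields). The last event is benign noise: a lone hand-typed "net stop" must
# not trip the rule.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe"
S32 = r"C:\Windows\system32"
EVENTS = [
    {"pid": 3108, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1544, "ppid": 3108, "image": S32 + r"\cmd.exe",
     "cmdline": S32 + r'\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat" "' + SAMPLE + '""'},
    {"pid": 2844, "ppid": 1544, "image": S32 + r"\net.exe", "cmdline": "net stop BMR Boot Service /y"},
    {"pid": 3084, "ppid": 2844, "image": S32 + r"\net1.exe", "cmdline": S32 + r"\net1 stop BMR Boot Service /y"},
    {"pid": 4024, "ppid": 1544, "image": S32 + r"\net.exe", "cmdline": "net stop NetBackup BMR MTFTP Service /y"},
    {"pid": 3388, "ppid": 4024, "image": S32 + r"\net1.exe", "cmdline": S32 + r"\net1 stop NetBackup BMR MTFTP Service /y"},
    {"pid": 2644, "ppid": 1544, "image": S32 + r"\sc.exe", "cmdline": "sc config SQLTELEMETRY start= disabled"},
    {"pid": 4020, "ppid": 1544, "image": S32 + r"\sc.exe", "cmdline": "sc config SQLTELEMETRY$ECWDB2 start= disabled"},
    {"pid": 216, "ppid": 1544, "image": S32 + r"\sc.exe", "cmdline": "sc config SQLWriter start= disabled"},
    {"pid": 208, "ppid": 1544, "image": S32 + r"\sc.exe", "cmdline": "sc config SstpSvc start= disabled"},
    {"pid": 4044, "ppid": 1544, "image": S32 + r"\taskkill.exe", "cmdline": "taskkill /IM mspub.exe /F"},
    {"pid": 2680, "ppid": 1544, "image": S32 + r"\taskkill.exe", "cmdline": "taskkill /IM mydesktopqos.exe /F"},
    {"pid": 1096, "ppid": 1544, "image": S32 + r"\taskkill.exe", "cmdline": "taskkill /IM mydesktopservice.exe /F"},
    {"pid": 5000, "ppid": 900, "image": S32 + r"\net.exe", "cmdline": "net stop Spooler"},
]

# "net stop <name> [/y]" via net.exe or net1.exe, "sc config <name> start= disabled",
# and taskkill with both /IM and /F (any argument order).
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+(.+?)\s*(?:/y)?\s*$', re.I)
SC_DISABLE = re.compile(r'\bsc(?:\.exe)?"?\s+config\s+(\S+)\s+start=\s*disabled\b', re.I)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s', re.I)
TASKKILL_IM = re.compile(r'/IM\s+(\S+)', re.I)
TASKKILL_FORCE = re.compile(r'(?:^|\s)/F(?:\s|$)', re.I)
# Assumption: keywords taken from the service names in this tree; extend per estate.
BACKUP_DB_KEYWORDS = ("bmr", "netbackup", "sql")


def classify(cmdline):
    """Map one command line to (kind, target), or None if it is not a stop/disable/kill."""
    m = SC_DISABLE.search(cmdline)
    if m:
        return "service_disabled", m.group(1)
    m = NET_STOP.search(cmdline)
    if m:
        return "service_stopped", m.group(1).strip().strip('"')
    if TASKKILL.search(cmdline) and TASKKILL_FORCE.search(cmdline):
        m = TASKKILL_IM.search(cmdline)
        if m:
            return "process_killed", m.group(1)
    return None


@dataclass
class Finding:
    parent_pid: int
    parent_image: str
    service_stopped: set = field(default_factory=set)
    service_disabled: set = field(default_factory=set)
    process_killed: set = field(default_factory=set)

    def targets(self):
        return len(self.service_stopped) + len(self.service_disabled) + len(self.process_killed)

    def touches_backup_or_db(self):
        names = " ".join(self.service_stopped | self.service_disabled).lower()
        return any(k in names for k in BACKUP_DB_KEYWORDS)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_defense_impairment(events, min_targets=3):
    """Group stop/disable/kill children under the process that launched them and
    flag every launcher that hits at least min_targets distinct services/processes."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        hit = classify(e["cmdline"])
        if hit is None:
            continue
        kind, target = hit
        ppid = e["ppid"]
        parent = by_pid.get(ppid)
        # net.exe only hands the work to net1.exe: attribute net1's stop to the
        # process that launched net.exe so both events collapse to one target.
        if parent is not None and basename(parent["image"]) == "net.exe":
            ppid = parent["ppid"]
            parent = by_pid.get(ppid)
        if ppid not in findings:
            findings[ppid] = Finding(ppid, basename(parent["image"]) if parent else "<unknown>")
        getattr(findings[ppid], kind).add(target)
    return [f for f in findings.values() if f.targets() >= min_targets]


if __name__ == "__main__":
    for f in detect_defense_impairment(EVENTS):
        print(f"launcher {f.parent_image} (PID {f.parent_pid}): {f.targets()} targets, "
              f"backup/DB related: {f.touches_backup_or_db()}")
        print("  stopped :", sorted(f.service_stopped))
        print("  disabled:", sorted(f.service_disabled))
        print("  killed  :", sorted(f.process_killed))
```

Grouping by launcher rather than alerting on each net/sc/taskkill invocation is what separates this pattern from routine administration: a single service restart stays below the threshold, while one cmd.exe fanning out nine distinct stop/disable/kill targets, several of them backup and SQL components, is the pre-encryption preparation the "Likely ransomware behaviour" signature hints at.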