Analysis

  • max time kernel
    139s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21/01/2021, 10:50

General

  • Target

    f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe

  • Size

    17KB

  • MD5

    c5d712f82d5d37bb284acd4468ab3533

  • SHA1

    3426e8dcb104d9b01874498fb44c6e460228a9a0

  • SHA256

    f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8

  • SHA512

    be69319e023ccd23557edc3178a3b6775a771927a0e6d34f409b8d26cbe09fb27ff4bf92abdb0c344100404029b4e3f38963a0c27bd7a4ae35e5de2e779c6649

Score
5/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 3 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat" "C:\Users\Admin\AppData\Local\Temp\f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8.bin.sample.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\system32\net.exe
        net stop BMR Boot Service /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop BMR Boot Service /y
          4⤵
            PID:3084
        • C:\Windows\system32\net.exe
          net stop NetBackup BMR MTFTP Service /y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4024
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
            4⤵
              PID:3388
          • C:\Windows\system32\sc.exe
            sc config SQLTELEMETRY start= disabled
            3⤵
              PID:2644
            • C:\Windows\system32\sc.exe
              sc config SQLTELEMETRY$ECWDB2 start= disabled
              3⤵
                PID:4020
              • C:\Windows\system32\sc.exe
                sc config SQLWriter start= disabled
                3⤵
                  PID:216
                • C:\Windows\system32\sc.exe
                  sc config SstpSvc start= disabled
                  3⤵
                    PID:208
                  • C:\Windows\system32\taskkill.exe
                    taskkill /IM mspub.exe /F
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4044
                  • C:\Windows\system32\taskkill.exe
                    taskkill /IM mydesktopqos.exe /F
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2680
                  • C:\Windows\system32\taskkill.exe
                    taskkill /IM mydesktopservice.exe /F
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1096

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/3108-3-0x0000000000310000-0x0000000000311000-memory.dmp

                Filesize

                4KB

              • memory/3108-2-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

                Filesize

                9.9MB