Analysis
- max time kernel: 145s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-04-2021 07:43
Static task: static1
Behavioral task: behavioral1 (Sample: lsass.exe; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: lsass.exe; Resource: win10v20201028)
General
- Target: lsass.exe
- Size: 115KB
- MD5: 5a73d01f81ff11ec92dbc2233c05e15f
- SHA1: 1a05f691f72406155136ecfdf5ddee8e9bfa20ce
- SHA256: 68ea179770a48ab47976303c9b6db79df2a5213b505fa913201ee6ceabf63a76
- SHA512: b58097ddc44ef98d7db107634c1fc8db18b0e1828096e8304aa5864bc14fda3fdc82d69c631c8af39cfbc32a23d6795b3a9d4b717f99860fa7b6bb048fcaecf1
Malware Config
Extracted from: C:\Users\Admin\Desktop\DecryptGuide.txt
- ha7medtit@tutanota.com
- araujosantos@protonmail.com
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
    File renamed | C:\Users\Admin\Pictures\MergeFormat.raw => C:\Users\Admin\Pictures\MergeFormat.raw.beaf | lsass.exe
    File renamed | C:\Users\Admin\Pictures\UpdateGrant.crw => C:\Users\Admin\Pictures\UpdateGrant.crw.beaf | lsass.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | lsass.exe
- Drops file in Program Files directory (64 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | lsass.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png | lsass.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv | lsass.exe
    File opened for modification | C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg | lsass.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv | lsass.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7 | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF | lsass.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285792.WMF | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONFLICT.ICO | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG | lsass.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png | lsass.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll | lsass.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml | lsass.exe
    File opened for modification | C:\Program Files\Java\jre7\bin\verify.dll | lsass.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.ELM | lsass.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties | lsass.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01639_.WMF | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106958.WMF | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00737_.WMF | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml | lsass.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\REPTWIZ.POC | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat | lsass.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif | lsass.exe
    File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB6.BDR | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF | lsass.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanPhotoAlbum.potx | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar | lsass.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | lsass.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar | lsass.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8 | lsass.exe
    File opened for modification | C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00098_.WMF | lsass.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml | lsass.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.LEX | lsass.exe
    File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll | lsass.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll | lsass.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn | lsass.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png | lsass.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png | lsass.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo | lsass.exe
    File opened for modification | C:\Program Files\StartSave.cmd | lsass.exe
    File opened for modification | C:\Program Files\Windows Journal\jnwppr.dll | lsass.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02041_.WMF | lsass.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
    1200 | vssadmin.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid | process):
    1776 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    1904 | lsass.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeBackupPrivilege | 316 | vssvc.exe
    Token: SeRestorePrivilege | 316 | vssvc.exe
    Token: SeAuditPrivilege | 316 | vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 1904 wrote to memory of 1200 | 1904 | lsass.exe | vssadmin.exe
    PID 1904 wrote to memory of 1200 | 1904 | lsass.exe | vssadmin.exe
    PID 1904 wrote to memory of 1200 | 1904 | lsass.exe | vssadmin.exe
    PID 1904 wrote to memory of 1200 | 1904 | lsass.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\lsass.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DecryptGuide.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\DecryptGuide.txt
  MD5: d599019c35bcad72f7b8694d4eeafcc9
  SHA1: 4e641bcdc69cdf65e7f0f6ce715068580f743a3d
  SHA256: 904b1783e38a288962e7d10f1d242c88250ca0843925abefc8d8f4851f4d96dc
  SHA512: 45176b6c7f00ad3f9e7dde74ed856289f49f74a13589e7f2dc5e966ca0c1007eb144a0d39d9f090f161e138e02f37b637abc9a522500858e58e1f3e7a1501f6d
- memory/932-7-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp
  Filesize: 2.5MB
- memory/1192-4-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp
  Filesize: 8KB
- memory/1200-3-0x0000000000000000-mapping.dmp
- memory/1904-2-0x00000000766F1000-0x00000000766F3000-memory.dmp
  Filesize: 8KB