Analysis
max time kernel: 15s
max time network: 117s
platform: windows10_x64
resource: win10v20201028
submitted: 09-04-2021 11:26
Static task: static1
Behavioral task: behavioral1
  Sample: c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  Resource: win10v20201028
General
Target: c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
Size: 840KB
MD5: 6490aefbaf3e6a708269d771d8fd4136
SHA1: 2ae6c5f0ec0faca746bf6ba3f5c7682a454de78c
SHA256: c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132
SHA512: 6ef2fdfaae7db2dfc82c1600de2818c86b1be42bab42682aa27c37fd853a97e3316ac71081075994b3fa29a52c6f94cc29445dc2e5248d3e37ae31275f1e16f6
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies file permissions (1 TTPs, 1 IoCs)
- Drops desktop.ini file(s) (26 IoCs)
  Processes: c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Links\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\Downloads\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\Libraries\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\Music\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File created | C:\Users\Admin\AppData\Local\Temp\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Public\Pictures\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  4492 | vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: WMIC.exe, vssvc.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1856 | WMIC.exe
  Token: SeSecurityPrivilege | 1856 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1856 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1856 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1856 | WMIC.exe
  Token: SeSystemtimePrivilege | 1856 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1856 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1856 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1856 | WMIC.exe
  Token: SeBackupPrivilege | 1856 | WMIC.exe
  Token: SeRestorePrivilege | 1856 | WMIC.exe
  Token: SeShutdownPrivilege | 1856 | WMIC.exe
  Token: SeDebugPrivilege | 1856 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1856 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1856 | WMIC.exe
  Token: SeUndockPrivilege | 1856 | WMIC.exe
  Token: SeManageVolumePrivilege | 1856 | WMIC.exe
  Token: 33 | 1856 | WMIC.exe
  Token: 34 | 1856 | WMIC.exe
  Token: 35 | 1856 | WMIC.exe
  Token: 36 | 1856 | WMIC.exe
  Token: SeBackupPrivilege | 4580 | vssvc.exe
  Token: SeRestorePrivilege | 4580 | vssvc.exe
  Token: SeAuditPrivilege | 4580 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 1856 | WMIC.exe
  Token: SeSecurityPrivilege | 1856 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1856 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1856 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1856 | WMIC.exe
  Token: SeSystemtimePrivilege | 1856 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1856 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1856 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1856 | WMIC.exe
  Token: SeBackupPrivilege | 1856 | WMIC.exe
  Token: SeRestorePrivilege | 1856 | WMIC.exe
  Token: SeShutdownPrivilege | 1856 | WMIC.exe
  Token: SeDebugPrivilege | 1856 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1856 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1856 | WMIC.exe
  Token: SeUndockPrivilege | 1856 | WMIC.exe
  Token: SeManageVolumePrivilege | 1856 | WMIC.exe
  Token: 33 | 1856 | WMIC.exe
  Token: 34 | 1856 | WMIC.exe
  Token: 35 | 1856 | WMIC.exe
  Token: 36 | 1856 | WMIC.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe, cmd.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 4776 wrote to memory of 3908 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 3908 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 3908 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 3908 wrote to memory of 3388 | 3908 | cmd.exe | icacls.exe
  PID 3908 wrote to memory of 3388 | 3908 | cmd.exe | icacls.exe
  PID 3908 wrote to memory of 3388 | 3908 | cmd.exe | icacls.exe
  PID 4776 wrote to memory of 4168 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 4168 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 4168 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 4192 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 4192 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 4192 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 3256 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 3256 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 3256 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 3336 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 3336 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 3336 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 4008 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 4008 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 4776 wrote to memory of 4008 | 4776 | c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe | cmd.exe
  PID 3336 wrote to memory of 1856 | 3336 | cmd.exe | WMIC.exe
  PID 3336 wrote to memory of 1856 | 3336 | cmd.exe | WMIC.exe
  PID 3336 wrote to memory of 1856 | 3336 | cmd.exe | WMIC.exe
  PID 4008 wrote to memory of 4492 | 4008 | cmd.exe | vssadmin.exe
  PID 4008 wrote to memory of 4492 | 4008 | cmd.exe | vssadmin.exe
  PID 4008 wrote to memory of 4492 | 4008 | cmd.exe | vssadmin.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c64bf1a1e4d47232d1966ec0515f7d80503a001f42b8dd3c99459f94dc0b3132.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C "icacls . /grant Everyone:F /T /C /Q"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\icacls.exe
          command line: icacls . /grant Everyone:F /T /C /Q
          - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C "wbadmin delete catalog - quiet"
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C "bcdedit /set { default } bootstatuspolicy ignoreallfailures"
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C "bcdedit /set { default } recoveryenabled no"
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C "wmic shadowcopy delete"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C "vssadmin delete shadows /All /Quiet"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\vssadmin.exe
          command line: vssadmin delete shadows /All /Quiet
          - Interacts with shadow copies
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1856-121-0x0000000000000000-mapping.dmp
- memory/3256-118-0x0000000000000000-mapping.dmp
- memory/3336-119-0x0000000000000000-mapping.dmp
- memory/3388-115-0x0000000000000000-mapping.dmp
- memory/3908-114-0x0000000000000000-mapping.dmp
- memory/4008-120-0x0000000000000000-mapping.dmp
- memory/4168-116-0x0000000000000000-mapping.dmp
- memory/4192-117-0x0000000000000000-mapping.dmp
- memory/4492-122-0x0000000000000000-mapping.dmp