Analysis
- max time kernel: 129s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 15-04-2021 07:47
Static task: static1
Behavioral task: behavioral1
- Sample: Gr_rs.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Gr_rs.exe
- Resource: win10v20210410
General
- Target: Gr_rs.exe
- Size: 678KB
- MD5: 7684408e648ed2c462817083cd61d6d5
- SHA1: 8dc1ba94b3b2996dcf45aa2b73730ff636fbed2e
- SHA256: b0f6d7c7a168f77b93aa42d7dc22a0118f98f525c14272467ff37c34217417d9
- SHA512: 00224011cae9e86fac9f394b52b5267166f3bfc6ac6fe34594aaebd53c74f64f716bebdf1e9ad30072d0f800e22680597b766aca8dcc0d57c9f43d39092b7f55
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoC)
  Processes: svhost.exe, pid 852
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks whether UAC is enabled (1 IoC)
  Processes: Gr_rs.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  The recorded operation is a write, not a read: the sample sets EnableLUA to 0, which switches UAC off from the next reboot. The same write is listed again under "System policy modification" below.
- Drops desktop.ini file(s) (1 IoC)
  Processes: Gr_rs.exe
  File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Gr_rs.exe
  File opened (read-only) on the drive roots \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe pid 1148, vssadmin.exe pid 1260, vssadmin.exe pid 1708
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Gr_rs.exe pid 1684 (the same process, 64 occurrences)
- Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Processes:
  vssvc.exe pid 1208: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  wmic.exe pid 1940, pid 1540 and pid 240 (the identical 20-entry list for each instance): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  The bare numbers are privilege LUIDs the sandbox did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege and 35 is SeCreateSymbolicLinkPrivilege. Each wmic.exe instance enables every privilege held by its token at start-up, so the long list is wmic's own behaviour; the sample-specific signal is that Gr_rs.exe launched wmic three times in a row. The vssvc.exe entries are the Volume Shadow Copy service enabling the backup/restore privileges it needs to service the vssadmin requests.
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
  PID 1684 Gr_rs.exe wrote to memory of 1148 vssadmin.exe (4 times)
  PID 1684 Gr_rs.exe wrote to memory of 1940 wmic.exe (4 times)
  PID 1684 Gr_rs.exe wrote to memory of 1260 vssadmin.exe (4 times)
  PID 1684 Gr_rs.exe wrote to memory of 1540 wmic.exe (4 times)
  PID 1684 Gr_rs.exe wrote to memory of 1708 vssadmin.exe (4 times)
  PID 1684 Gr_rs.exe wrote to memory of 240 wmic.exe (4 times)
  PID 1548 taskeng.exe wrote to memory of 852 svhost.exe (4 times)
  Every target is a child the writing process had just created, and each child receives the same four writes. That is the pattern of a parent populating a newly created process during CreateProcess, not injection into an already-running process; the useful signal here is the parent/child pairing, not the writes themselves.
- System policy modification (1 TTP, 3 IoCs)
  Processes: Gr_rs.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Taken together these three writes remove UAC from the sample's way: ConsentPromptBehaviorAdmin = 0 makes members of Administrators elevate without any prompt, EnableLUA = 0 disables UAC outright from the next reboot, and EnableLinkedConnections = 1 makes network drives mapped in the user's standard logon session visible to the elevated token as well, which is what lets an elevated encryptor reach the mapped drives it enumerates under "Enumerates connected drives".
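The three registry writes above are a compact fingerprint that is cheap to detect from registry value-set telemetry. The Python below is an added example and is not part of the sandbox report or of the sample: it re-creates the report's three writes in the sandbox's \REGISTRY\MACHINE form, adds constructed Sysmon Event ID 13 style rows (HKLM prefix, "DWORD (0x...)" data, hypothetical PIDs 4242 and 4343 and image paths) to show that both formats are parsed, and flags a process that writes a weakening value under Policies\System. It goes beyond the report's three values by also flagging PromptOnSecureDesktop = 0, and it tags any single process that sets all three values seen on this sample.

```python
"""UAC/policy weakening detection over registry value-set telemetry.

Added example, not part of the sandbox report. Rows re-create the three
writes attributed to Gr_rs.exe plus constructed benign/unrelated rows.
"""
import re
from dataclasses import dataclass

POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"

# value name -> (data that weakens the policy, what that does)
WEAK_VALUES = {
    "enablelua": (0, "UAC off entirely after the next reboot"),
    "consentpromptbehavioradmin": (0, "administrators elevate with no prompt"),
    "enablelinkedconnections": (1, "mapped network drives visible to the elevated token"),
    "promptonsecuredesktop": (0, "UAC prompt drawn on the normal desktop, where it can be spoofed"),
}
# The three values the sample set from one process.
SAMPLE_PATTERN = {"enablelua", "consentpromptbehavioradmin", "enablelinkedconnections"}


@dataclass(frozen=True)
class RegSetEvent:
    pid: int
    image: str
    target: str   # full path including the value name
    details: str  # "0", "1" (sandbox form) or "DWORD (0x00000000)" (Sysmon form)


def normalize(path: str) -> str:
    """Lower-case, map \\REGISTRY\\MACHINE and HKEY_LOCAL_MACHINE to hklm, drop Wow6432Node."""
    p = path.lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            p = "hklm\\" + p[len(prefix):]
    return p.replace("\\wow6432node\\", "\\")


def parse_dword(details: str):
    """Integer from '7', '0x1' or 'DWORD (0x00000001)'; None if the data is not a DWORD."""
    m = re.fullmatch(r"\s*(?:dword\s*\()?\s*(0x[0-9a-f]+|\d+)\s*\)?\s*", details.lower())
    if not m:
        return None
    raw = m.group(1)
    return int(raw, 16) if raw.startswith("0x") else int(raw, 10)


def check_event(ev: RegSetEvent):
    """Finding dict if ev writes a weakening value under Policies\\System, else None."""
    key, _, value_name = normalize(ev.target).rpartition("\\")
    if not key.endswith(POLICY_KEY) or value_name not in WEAK_VALUES:
        return None
    want, why = WEAK_VALUES[value_name]
    if parse_dword(ev.details) != want:
        return None
    return {"pid": ev.pid, "image": ev.image, "value": value_name, "data": want, "why": why}


def audit(events):
    """All findings, plus the set of PIDs that wrote the full three-value sample pattern."""
    findings = [f for f in map(check_event, events) if f is not None]
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["value"])
    full_pattern = {pid for pid, vals in by_pid.items() if SAMPLE_PATTERN <= vals}
    return findings, full_pattern


SANDBOX = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SYSMON = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
GR_RS = r"C:\Users\Admin\AppData\Local\Temp\Gr_rs.exe"
HARDEN = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # constructed
EVENTS = [
    # the three writes the report records for the sample
    RegSetEvent(1684, GR_RS, SANDBOX + r"\ConsentPromptBehaviorAdmin", "0"),
    RegSetEvent(1684, GR_RS, SANDBOX + r"\EnableLinkedConnections", "1"),
    RegSetEvent(1684, GR_RS, SANDBOX + r"\EnableLUA", "0"),
    # constructed benign rows in Sysmon form: hardening, not weakening
    RegSetEvent(4242, HARDEN, SYSMON + r"\EnableLUA", "DWORD (0x00000001)"),
    RegSetEvent(4242, HARDEN, SYSMON + r"\ConsentPromptBehaviorAdmin", "DWORD (0x00000002)"),
    # constructed: same value name under an unrelated key, must not match
    RegSetEvent(4343, r"C:\tools\app.exe", r"HKCU\Software\Vendor\App\EnableLUA", "0"),
]

if __name__ == "__main__":
    findings, full = audit(EVENTS)
    for f in findings:
        print(f"pid {f['pid']} {f['image']}: {f['value']} = {f['data']} ({f['why']})")
    print("processes that set the full pattern:", sorted(full))
```

On a live host the same check can be pointed at Sysmon Event ID 13 or Security 4657 records; the key comparison is done on the normalized path so the sandbox's \REGISTRY\MACHINE form, the HKLM form and a Wow6432Node-redirected path all resolve to the same policy key.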
Processes
- C:\Users\Admin\AppData\Local\Temp\Gr_rs.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Gr_rs.exe"
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\vssadmin.exe (level 2)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (level 2)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (level 2)
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {8517DFDA-A303-4973-A960-9DC820AEA7D3} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svhost.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    - Executes dropped EXE
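The three vssadmin/wmic pairs in the tree above are exactly what a process-creation detection should catch, and the parent/child structure is what separates them from an administrator pruning snapshots by hand. The Python below is an added example, not part of the sandbox report or of the sample: it runs a small rule set over constructed process-creation records whose PIDs, images and command lines for Gr_rs.exe and its children are copied from the tree (the parent PID 1000 of the sample and the cmd.exe records at the end are made up for illustration), then rolls matches up per parent so that one interactive "vssadmin delete shadows" from a shell is reported but not scored like a process that spawns six.

```python
"""Shadow-copy tampering detection over process-creation telemetry.

Added example, not part of the sandbox report. Field names follow
Sysmon Event ID 1; the records are constructed from the report's tree.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (executable name, regex over the lower-cased command line, severity, label)
# Order matters: the specific "wmic shadowcopy delete" rule precedes the generic one.
RULES = [
    ("vssadmin.exe", r"\bdelete\s+shadows\b", "high", "vssadmin delete shadows"),
    ("vssadmin.exe", r"\bresize\s+shadowstorage\b.*\bmaxsize=", "high", "vssadmin resize shadowstorage"),
    ("wmic.exe", r"\bshadowcopy\b.*\bdelete\b", "high", "wmic shadowcopy delete"),
    ("wmic.exe", r"\bshadowcopy\b", "medium", "wmic shadowcopy (enumerate/interact)"),
    ("wbadmin.exe", r"\bdelete\s+(catalog|systemstatebackup)\b", "high", "wbadmin delete"),
]


def exe_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def match_event(ev: ProcEvent):
    """(severity, label) for the first rule that matches ev, else None."""
    name, cl = exe_name(ev.image), ev.cmdline.lower()
    for exe, pattern, severity, label in RULES:
        if name == exe and re.search(pattern, cl):
            return severity, label
    return None


def detect(events):
    """Per-event hits plus a per-parent roll-up.

    A parent that spawns two or more shadow-copy-tampering children in one
    trace is tagged ransomware_like; a lone hit is reported but not tagged.
    """
    by_pid = {ev.pid: ev for ev in events}
    hits, per_parent = [], defaultdict(int)
    for ev in events:
        m = match_event(ev)
        if m is None:
            continue
        parent = by_pid.get(ev.ppid)
        hits.append({"pid": ev.pid, "ppid": ev.ppid, "severity": m[0], "label": m[1],
                     "parent_image": parent.image if parent else None})
        per_parent[ev.ppid] += 1
    parents = {
        ppid: {"image": by_pid[ppid].image if ppid in by_pid else None,
               "children": n, "ransomware_like": n >= 2}
        for ppid, n in per_parent.items()
    }
    return hits, parents


# Constructed telemetry. Gr_rs.exe and its six children are taken from the
# report; PID 1000 (the sample's parent) and the cmd.exe records are made up
# to show a non-matching command and a lone benign hit.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Gr_rs.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
EVENTS = [
    ProcEvent(1684, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1148, 1684, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1940, 1684, WMIC, "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(1260, 1684, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1540, 1684, WMIC, "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(1708, 1684, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(240, 1684, WMIC, "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(3000, 2900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ProcEvent(3200, 3000, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /for=C: /oldest"),
]

if __name__ == "__main__":
    hits, parents = detect(EVENTS)
    for h in hits:
        print(f"{h['severity']:6} pid={h['pid']:<5} {h['label']:<40} parent={h['parent_image']}")
    for ppid, p in parents.items():
        print(f"parent {ppid} {p['image']}: {p['children']} hits, ransomware_like={p['ransomware_like']}")
```

Note that the wmic command line recorded in this report is "SHADOWCOPY /nointeractive" with no "delete" verb, so it only reaches the generic medium rule; the high-severity signal in this trace comes from the three vssadmin deletions and from the fact that all six children share the same parent.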
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\svhost.exe
  MD5 7684408e648ed2c462817083cd61d6d5
  SHA1 8dc1ba94b3b2996dcf45aa2b73730ff636fbed2e
  SHA256 b0f6d7c7a168f77b93aa42d7dc22a0118f98f525c14272467ff37c34217417d9
  SHA512 00224011cae9e86fac9f394b52b5267166f3bfc6ac6fe34594aaebd53c74f64f716bebdf1e9ad30072d0f800e22680597b766aca8dcc0d57c9f43d39092b7f55
  All four hashes are identical to those of the submitted sample, so svhost.exe is a byte-for-byte copy of Gr_rs.exe placed in the user's roaming profile; the process tree shows it being started by taskeng.exe, i.e. through a scheduled task, which is the sample's persistence mechanism. The name mimics the legitimate svchost.exe but lacks the "c".
- memory/240-66-0x0000000000000000-mapping.dmp
- memory/852-68-0x0000000000000000-mapping.dmp
- memory/1148-61-0x0000000000000000-mapping.dmp
- memory/1260-63-0x0000000000000000-mapping.dmp
- memory/1540-64-0x0000000000000000-mapping.dmp
- memory/1684-60-0x0000000075B31000-0x0000000075B33000-memory.dmp (Filesize 8KB)
- memory/1708-65-0x0000000000000000-mapping.dmp
- memory/1940-62-0x0000000000000000-mapping.dmp