Analysis

  • max time kernel
    115s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-04-2021 15:07

General

  • Target

    2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe

  • Size

    464KB

  • MD5

    fe7bc3cd6512f31d48a58caf3e558fee

  • SHA1

    5b2e6e541ea6f47e369291396a5d91564ece2eb8

  • SHA256

    2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7

  • SHA512

    26e5d85f46afcf1434ccce85836014a5adf11728a609e79a8d19d2e6da6f84588eb4b650b5b5184b66bd255cb8d4b0a19bbfad65dc7f058928c7e5bc88f1730b

Malware Config

Signatures

  • CrypVault

    Ransomware family which makes encrypted files look like they have been quarantined by AV.

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
    "C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo 75BB576D00D3EF97
      2⤵
        PID:3220
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\75BB57" 7za.exe
        2⤵
          PID:1220
        • C:\Users\Admin\AppData\Local\Temp\7za.exe
          "C:\Users\Admin\AppData\Local\Temp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97" -y -p6D00D3EF97
          2⤵
          • Executes dropped EXE
          PID:576
        • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.doc" /o ""
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:3168
        • C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
          "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:844
          • C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
            C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
            3⤵
            • Executes dropped EXE
            • Drops startup file
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3428
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
              4⤵
                PID:1128
              • C:\Windows\SysWOW64\wbem\WMIC.exe
                "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1188
        • C:\Windows\system32\cmd.exe
          cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            2⤵
            • Interacts with shadow copies
            PID:1544
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {default} recoveryenabled no
            2⤵
            • Modifies boot configuration data using bcdedit
            PID:3292
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            2⤵
            • Modifies boot configuration data using bcdedit
            PID:796
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2136

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/844-128-0x00000000009E0000-0x00000000009E5000-memory.dmp

          Filesize

          20KB

        • memory/3168-134-0x00007FF8A3000000-0x00007FF8A5B23000-memory.dmp

          Filesize

          43.1MB

        • memory/3168-132-0x00007FF882460000-0x00007FF882470000-memory.dmp

          Filesize

          64KB

        • memory/3168-133-0x00007FF882460000-0x00007FF882470000-memory.dmp

          Filesize

          64KB

        • memory/3168-135-0x00007FF882460000-0x00007FF882470000-memory.dmp

          Filesize

          64KB

        • memory/3168-130-0x00007FF882460000-0x00007FF882470000-memory.dmp

          Filesize

          64KB

        • memory/3168-143-0x00007FF89BB20000-0x00007FF89DA15000-memory.dmp

          Filesize

          31.0MB

        • memory/3168-131-0x00007FF882460000-0x00007FF882470000-memory.dmp

          Filesize

          64KB

        • memory/3168-141-0x00007FF89DD70000-0x00007FF89EE5E000-memory.dmp

          Filesize

          16.9MB

        • memory/3428-125-0x0000000000400000-0x0000000000E28000-memory.dmp

          Filesize

          10.2MB

        • memory/3428-129-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB