Analysis

  • max time kernel
    108s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-04-2021 00:12

General

  • Target

    2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe

  • Size

    464KB

  • MD5

    fe7bc3cd6512f31d48a58caf3e558fee

  • SHA1

    5b2e6e541ea6f47e369291396a5d91564ece2eb8

  • SHA256

    2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7

  • SHA512

    26e5d85f46afcf1434ccce85836014a5adf11728a609e79a8d19d2e6da6f84588eb4b650b5b5184b66bd255cb8d4b0a19bbfad65dc7f058928c7e5bc88f1730b

Malware Config

Signatures

  • CrypVault

    Ransomware family which makes encrypted files look like they have been quarantined by AV.

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
    "C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo 75BB576D00D3EF97
      2⤵
        PID:1280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\75BB57" 7za.exe
        2⤵
          PID:520
        • C:\Users\Admin\AppData\Local\Temp\7za.exe
          "C:\Users\Admin\AppData\Local\Temp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97" -y -p6D00D3EF97
          2⤵
          • Executes dropped EXE
          PID:1676
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.doc"
          2⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1220
          • C:\Windows\splwow64.exe
            C:\Windows\splwow64.exe 12288
            3⤵
              PID:1564
          • C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
            "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2044
            • C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
              C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe
              3⤵
              • Executes dropped EXE
              • Drops startup file
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1396
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
                4⤵
                • Modifies Internet Explorer settings
                PID:1428
              • C:\Windows\SysWOW64\wbem\WMIC.exe
                "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1640
        • C:\Windows\system32\cmd.exe
          cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            2⤵
            • Interacts with shadow copies
            PID:1696
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {default} recoveryenabled no
            2⤵
            • Modifies boot configuration data using bcdedit
            PID:904
          • C:\Windows\system32\bcdedit.exe
            bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            2⤵
            • Modifies boot configuration data using bcdedit
            PID:1668
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1676

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/736-60-0x0000000075891000-0x0000000075893000-memory.dmp

          Filesize

          8KB

        • memory/1220-84-0x0000000070391000-0x0000000070393000-memory.dmp

          Filesize

          8KB

        • memory/1220-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1220-75-0x0000000072911000-0x0000000072914000-memory.dmp

          Filesize

          12KB

        • memory/1220-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1396-83-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/1396-78-0x0000000000400000-0x0000000000E28000-memory.dmp

          Filesize

          10.2MB

        • memory/1564-94-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp

          Filesize

          8KB

        • memory/2044-82-0x0000000000320000-0x0000000000325000-memory.dmp

          Filesize

          20KB