Analysis
-
max time kernel
122s -
max time network
139s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-04-2021 00:12
General
-
Target
2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
-
Size
464KB
-
MD5
fe7bc3cd6512f31d48a58caf3e558fee
-
SHA1
5b2e6e541ea6f47e369291396a5d91564ece2eb8
-
SHA256
2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
-
SHA512
26e5d85f46afcf1434ccce85836014a5adf11728a609e79a8d19d2e6da6f84588eb4b650b5b5184b66bd255cb8d4b0a19bbfad65dc7f058928c7e5bc88f1730b
Malware Config
Signatures
-
CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe"C:\Users\Admin\AppData\Local\Temp\2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 75BB576D00D3EF972⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\75BB57" 7za.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7za.exe"C:\Users\Admin\AppData\Local\Temp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97" -y -p6D00D3EF972⤵
- Executes dropped EXE
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe"C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exeC:\Users\Admin\AppData\Local\Temp\6D00D3EF97.exe3⤵
- Executes dropped EXE
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵
-
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
a82e6e7bdd70c5dfee83d81cc058ff2f
SHA1bf8b01db4438f47496d3a0d7ece317010d6043db
SHA256d815ad574ddf564e04b4cce7033769151d5f6b81f18c7d05d948c2c312b87abb
SHA512ccfaa80d5621243e9367ffa23afaac11314c88e9f51e5bae98b67cdef0388e713ee40a9550af5347bbc9b17d41ba8471d17ed9748a167adf30d7dc325cad7620
-
MD5
efcd0a5ec6bb1d981333bf9dea7a72ee
SHA1b9ca0a20adcf6c69dd626e0de86468e4a5514fe3
SHA256718e07ae563bcf629616ac3f056930e804af88e38377b98629ba60257f666699
SHA512dd41d489164891a5c8c2c582f77f6b8c8b54360849ec38b7af0fec4b28137172a4ef9cc2fe6eb10726431152751f3affbc1dd19671bff841742404d809180457
-
MD5
2e884f5dbeadeed885ec040e239fb7b1
SHA15ad96bbedd9260ed0d14b914713d58e7bfd09b97
SHA2564b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4
SHA5122e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de
-
MD5
2e884f5dbeadeed885ec040e239fb7b1
SHA15ad96bbedd9260ed0d14b914713d58e7bfd09b97
SHA2564b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4
SHA5122e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de
-
MD5
2e884f5dbeadeed885ec040e239fb7b1
SHA15ad96bbedd9260ed0d14b914713d58e7bfd09b97
SHA2564b366fbf4ab85d6007d9edee1a8a4ded620797599cf81c05638e221e21cc8cd4
SHA5122e22ef1d67aab58ec9159dbf56817ff989c53d3572ab229833f52b9fbf1a08f18671fdda8ff6064d80aa2d9a3f45717e42e71958bcb24d2ba6975317aa1420de
-
MD5
42badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
MD5
42badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
MD5
1cf60361078e1c2f1219d27c4b3e760c
SHA108d350d205da687672b13e22b253932dd1708e75
SHA256c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43
SHA51290f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb
-
-
-
-
Filesize
31.0MB
-
Filesize
43.1MB
-
Filesize
16.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
-
Filesize
20KB
-
-
Filesize
104KB
-
-
Filesize
10.2MB
-
-
-
-