Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    08-05-2021 13:01

General

  • Target

    AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe

  • Size

    444KB

  • MD5

    fd442753c3895d868eed72f7854e2fba

  • SHA1

    477dc12f213dd05a15b61207926b478d3a0d04c7

  • SHA256

    aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202

  • SHA512

    1a7ff91196019abe9dfa93bfaca299ecd87693ef173560951b4d55f9d0c66355535bef724de26865205419e7638e57c762e332d7eff85187e9695f0a92e1d0c2

Malware Config

Signatures

  • CrypVault

    Ransomware family which makes encrypted files look like they have been quarantined by AV.

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe
    "C:\Users\Admin\AppData\Local\Temp\AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
      2⤵
        PID:1704
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\CF8C8F" 7za.exe
        2⤵
          PID:608
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
          2⤵
            PID:1652
          • C:\Users\Admin\AppData\Local\Temp\7za.exe
            "C:\Users\Admin\AppData\Local\Temp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D" -y -p2D4F861D8D
            2⤵
            • Executes dropped EXE
            PID:1688
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
            2⤵
              PID:1312
            • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
              "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.doc"
              2⤵
              • Drops file in Windows directory
              • Modifies Internet Explorer settings
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of SetWindowsHookEx
              PID:384
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
              2⤵
                PID:616
              • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe
                "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1476
                • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe
                  "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe"
                  3⤵
                  • Executes dropped EXE
                  • Drops startup file
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1728
                  • C:\Windows\SysWOW64\mshta.exe
                    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
                    4⤵
                    • Modifies Internet Explorer settings
                    PID:1592
                  • C:\Windows\SysWOW64\wbem\WMIC.exe
                    "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:324
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F
                2⤵
                  PID:816
              • C:\Windows\system32\cmd.exe
                cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                1⤵
                • Process spawned unexpected child process
                • Suspicious use of WriteProcessMemory
                PID:1080
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe delete shadows /all /quiet
                  2⤵
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Interacts with shadow copies
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:1476
                • C:\Windows\system32\bcdedit.exe
                  bcdedit.exe /set {default} recoveryenabled no
                  2⤵
                  • Modifies boot configuration data using bcdedit
                  PID:988
                • C:\Windows\system32\bcdedit.exe
                  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                  2⤵
                  • Modifies boot configuration data using bcdedit
                  PID:212
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1328

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Documents and Settings\Admin\AppData\Local\Temp\~$4F861D8D.doc

                MD5

                0d71756d71d650cd42fcf4ab2bbda4b6

                SHA1

                1e70029a39eaf97becc86adff1092d016e0f2542

                SHA256

                dd6da51ab136eec3f2fac7570bddff39d11b3bbef6f791c9a6e898520a9f4c1f

                SHA512

                112bd91aa6573f80100d8c1b5804d1faaf7b1d78afb79d8f42ebec5d71512ffb8102d58b9b73b9b2d2a13331c611d822543ff08caca0288720e7520972864bde

              • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D

                MD5

                efe5c5a45d6b6746daa3272d09e175d7

                SHA1

                80a805c3e5a73a121ecbc2c2aed0b2e846890477

                SHA256

                5f0156b73d2b9f5d0a999734812ca0d0881fe683a331737df9ded5d24a145271

                SHA512

                410553b0c58e699fb83557815cdc4e22dec1b14e870326f62dd09c2e26bd8d5c8a1fde66470a55f1cfa4b076be66747595f83cfa71070d38c6d7f01846b70a75

              • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.doc

                MD5

                efcd0a5ec6bb1d981333bf9dea7a72ee

                SHA1

                b9ca0a20adcf6c69dd626e0de86468e4a5514fe3

                SHA256

                718e07ae563bcf629616ac3f056930e804af88e38377b98629ba60257f666699

                SHA512

                dd41d489164891a5c8c2c582f77f6b8c8b54360849ec38b7af0fec4b28137172a4ef9cc2fe6eb10726431152751f3affbc1dd19671bff841742404d809180457

              • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe

                MD5

                810f74773b1d921274c3766df5c00445

                SHA1

                90d547916e077dbb6fe56b215df4bc86b936a6f6

                SHA256

                55eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f

                SHA512

                e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388

              • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe

                MD5

                810f74773b1d921274c3766df5c00445

                SHA1

                90d547916e077dbb6fe56b215df4bc86b936a6f6

                SHA256

                55eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f

                SHA512

                e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388

              • C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe

                MD5

                810f74773b1d921274c3766df5c00445

                SHA1

                90d547916e077dbb6fe56b215df4bc86b936a6f6

                SHA256

                55eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f

                SHA512

                e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388

              • C:\Users\Admin\AppData\Local\Temp\7za.exe

                MD5

                42badc1d2f03a8b1e4875740d3d49336

                SHA1

                cee178da1fb05f99af7a3547093122893bd1eb46

                SHA256

                c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

                SHA512

                6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

              • C:\Users\Admin\AppData\Local\Temp\CF8C8F

                MD5

                42badc1d2f03a8b1e4875740d3d49336

                SHA1

                cee178da1fb05f99af7a3547093122893bd1eb46

                SHA256

                c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

                SHA512

                6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

              • C:\Users\Admin\Desktop\VAULT.hta

                MD5

                1cf60361078e1c2f1219d27c4b3e760c

                SHA1

                08d350d205da687672b13e22b253932dd1708e75

                SHA256

                c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43

                SHA512

                90f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb

              • \Users\Admin\AppData\Local\Temp\2D4F861D8D.exe

                MD5

                810f74773b1d921274c3766df5c00445

                SHA1

                90d547916e077dbb6fe56b215df4bc86b936a6f6

                SHA256

                55eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f

                SHA512

                e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388

              • \Users\Admin\AppData\Local\Temp\2D4F861D8D.exe

                MD5

                810f74773b1d921274c3766df5c00445

                SHA1

                90d547916e077dbb6fe56b215df4bc86b936a6f6

                SHA256

                55eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f

                SHA512

                e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388

              • \Users\Admin\AppData\Local\Temp\2D4F861D8D.exe

                MD5

                810f74773b1d921274c3766df5c00445

                SHA1

                90d547916e077dbb6fe56b215df4bc86b936a6f6

                SHA256

                55eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f

                SHA512

                e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388

              • \Users\Admin\AppData\Local\Temp\7za.exe

                MD5

                42badc1d2f03a8b1e4875740d3d49336

                SHA1

                cee178da1fb05f99af7a3547093122893bd1eb46

                SHA256

                c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

                SHA512

                6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

              • \Users\Admin\AppData\Local\Temp\7za.exe

                MD5

                42badc1d2f03a8b1e4875740d3d49336

                SHA1

                cee178da1fb05f99af7a3547093122893bd1eb46

                SHA256

                c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

                SHA512

                6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

              • memory/212-96-0x0000000000000000-mapping.dmp

              • memory/324-93-0x0000000000000000-mapping.dmp

              • memory/384-70-0x0000000000000000-mapping.dmp

              • memory/384-78-0x00000000716F1000-0x00000000716F4000-memory.dmp

                Filesize

                12KB

              • memory/384-79-0x000000006F171000-0x000000006F173000-memory.dmp

                Filesize

                8KB

              • memory/384-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

                Filesize

                64KB

              • memory/608-61-0x0000000000000000-mapping.dmp

              • memory/616-71-0x0000000000000000-mapping.dmp

              • memory/816-77-0x0000000000000000-mapping.dmp

              • memory/988-95-0x0000000000000000-mapping.dmp

              • memory/1088-59-0x0000000075281000-0x0000000075283000-memory.dmp

                Filesize

                8KB

              • memory/1312-69-0x0000000000000000-mapping.dmp

              • memory/1476-75-0x0000000000000000-mapping.dmp

              • memory/1476-88-0x0000000000380000-0x0000000000385000-memory.dmp

                Filesize

                20KB

              • memory/1476-94-0x0000000000000000-mapping.dmp

              • memory/1592-91-0x0000000000000000-mapping.dmp

              • memory/1652-63-0x0000000000000000-mapping.dmp

              • memory/1688-66-0x0000000000000000-mapping.dmp

              • memory/1704-60-0x0000000000000000-mapping.dmp

              • memory/1728-89-0x0000000000400000-0x000000000041A000-memory.dmp

                Filesize

                104KB

              • memory/1728-84-0x0000000000400000-0x0000000000E28000-memory.dmp

                Filesize

                10.2MB

              • memory/1728-85-0x0000000000418C90-mapping.dmp