Analysis
max time kernel: 143s
max time network: 172s
platform: windows7_x64
resource: win7v20210410
submitted: 21-06-2021 17:36
Static task: static1
Behavioral task: behavioral1 (sample: Encode.bin.exe, resource: win7v20210410)
Behavioral task: behavioral2 (sample: Encode.bin.exe, resource: win10v20210408)

General
Target: Encode.bin.exe
Size: 153KB
MD5: 5163f03f6789656605108bec4650b66f
SHA1: c32e012da9257780d2031f683457da1840615c9c
SHA256: fb3b67d7f94630f41e722de49c211d8f5c69cdec8fc9ba25996717a77f67b89b
SHA512: 13f0a1223330676bf5b81ee6fe64c963bcbeedb5589c96759573919a3e47aaf2e3b387edf2aa99cbded1f086df320cf0e03c06ba1f88f0a06a67014e3552cece
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: Encode.bin.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Encode.bin.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Encode.bin.exe
  Note: the wextract_cleanup0 RunOnce value is the clean-up entry that the IExpress/wextract self-extractor writes when it unpacks its payload (here Encode.bat, into IXP000.TMP); on the next logon it deletes that temp directory rather than re-launching anything, so it is a trace of the packaging, not persistence for the payload.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  pid | process
  568 | vssadmin.exe
- Modifies registry class (13 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.encrypted | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.encrypted\ = "encrypted_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Note: these writes are the file association that the Windows "Open With" dialog (rundll32.exe shell32.dll,OpenAs_RunDLL in the process tree) creates when the dropped .encrypted ransom note is opened: the .encrypted extension is mapped to the encrypted_auto_file class, whose open and edit verbs launch NOTEPAD.EXE. They come from the analysis environment interacting with the dropped file, not from the sample's batch script.
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: vssvc.exe, WMIC.exe
  description | pid | process
  Token: SeBackupPrivilege | 636 | vssvc.exe
  Token: SeRestorePrivilege | 636 | vssvc.exe
  Token: SeAuditPrivilege | 636 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege | 1876 | WMIC.exe
  Token: SeSecurityPrivilege | 1876 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1876 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1876 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1876 | WMIC.exe
  Token: SeSystemtimePrivilege | 1876 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1876 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1876 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1876 | WMIC.exe
  Token: SeBackupPrivilege | 1876 | WMIC.exe
  Token: SeRestorePrivilege | 1876 | WMIC.exe
  Token: SeShutdownPrivilege | 1876 | WMIC.exe
  Token: SeDebugPrivilege | 1876 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1876 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1876 | WMIC.exe
  Token: SeUndockPrivilege | 1876 | WMIC.exe
  Token: SeManageVolumePrivilege | 1876 | WMIC.exe
  Token: 33 | 1876 | WMIC.exe
  Token: 34 | 1876 | WMIC.exe
  Token: 35 | 1876 | WMIC.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: Encode.bin.exe, cmd.exe
  Identical events are grouped; the occurrences column is the number of times each event was logged (64 in total).
  description | pid | process | target process | occurrences
  PID 1032 wrote to memory of 1232 | 1032 | Encode.bin.exe | cmd.exe | 7
  PID 1232 wrote to memory of 1864 | 1232 | cmd.exe | cmd.exe | 7
  PID 1232 wrote to memory of 1712 | 1232 | cmd.exe | certutil.exe | 7
  PID 1232 wrote to memory of 1732 | 1232 | cmd.exe | certutil.exe | 7
  PID 1232 wrote to memory of 1752 | 1232 | cmd.exe | cmd.exe | 7
  PID 1232 wrote to memory of 1692 | 1232 | cmd.exe | cmd.exe | 7
  PID 1232 wrote to memory of 1404 | 1232 | cmd.exe | cmd.exe | 7
  PID 1232 wrote to memory of 1308 | 1232 | cmd.exe | cmd.exe | 7
  PID 1232 wrote to memory of 844 | 1232 | cmd.exe | certutil.exe | 7
  PID 1232 wrote to memory of 1596 | 1232 | cmd.exe | cmd.exe | 1
Processes (indented by depth in the process tree)
C:\Users\Admin\AppData\Local\Temp\Encode.bin.exe
  command: "C:\Users\Admin\AppData\Local\Temp\Encode.bin.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command: cmd /c "Encode.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Desktop\UpdateConvertTo.txt" "C:\Users\Admin\Desktop\UpdateConvertTo.txt.encrypted"
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Desktop\AddExport.cmd" "C:\Users\Admin\Desktop\AddExport.cmd.encrypted"
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.html
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Downloads\ConvertToDisconnect.doc" "C:\Users\Admin\Downloads\ConvertToDisconnect.doc.encrypted"
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Downloads\OutShow.bat" "C:\Users\Admin\Downloads\OutShow.bat.encrypted"
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.html
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Downloads\ImportUpdate.html" "C:\Users\Admin\Downloads\ImportUpdate.html.encrypted"
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Documents\Are.docx" "C:\Users\Admin\Documents\Are.docx.encrypted"
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Documents\Files.docx" "C:\Users\Admin\Documents\Files.docx.encrypted"
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Documents\Opened.docx" "C:\Users\Admin\Documents\Opened.docx.encrypted"
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Documents\Recently.docx" "C:\Users\Admin\Documents\Recently.docx.encrypted"
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Documents\These.docx" "C:\Users\Admin\Documents\These.docx.encrypted"
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.html
    C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    C:\Windows\SysWOW64\certutil.exe
      command: certutil -encode "C:\Users\Admin\Documents\DisconnectNew.rtf" "C:\Users\Admin\Documents\DisconnectNew.rtf.encrypted"
    C:\Windows\SysWOW64\vssadmin.exe
      command: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe
  command: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\rundll32.exe
  command: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted
  - Modifies registry class
  C:\Windows\system32\NOTEPAD.EXE
    command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted

Note: certutil -encode writes a base64 (PEM-style, with BEGIN/END CERTIFICATE lines) copy of its input; it does not encrypt. Every *.encrypted file produced by Encode.bat is therefore the original file base64-encoded, and its contents are recoverable with certutil -decode. The report does not show whether the batch script deletes the originals afterwards.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Encode.bat
  MD5: 32c894f2e4b05e4f95fded0e24fc0766
  SHA1: bf3cb912816989a30a6de15388d5724d217c30aa
  SHA256: b88022b7806a7b7e9ff01a4b106eff554d43729991249b1795bdb0b0eaa96955
  SHA512: cd7869c7456e1742842b0eaf8efe2755fa740638ed56ff621a4bb52e924f15bb4d4a21595da85e05bf36434060b0018e918cfd95cd0c87fb33bf03d944332529

C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt
  MD5: 72c1626115909c7f77d3bf9c4d23102f
  SHA1: 3500ae5a375aa0e561d675c388830791abf0dcd9
  SHA256: d4c5cbc1f36d4c74d1de30676d8bc5a61d7ced607a293ab659c7f4507e22787b
  SHA512: ec71515cccdffe4f1e80bf8cafcfe72ff1ed5070525f2abb7ddffc2b9b530e380fea4b45f74ae1f05c55f93cd7bcf95309d338c29a3a38e15d7830024644a404

C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt
  MD5: 72c1626115909c7f77d3bf9c4d23102f
  SHA1: 3500ae5a375aa0e561d675c388830791abf0dcd9
  SHA256: d4c5cbc1f36d4c74d1de30676d8bc5a61d7ced607a293ab659c7f4507e22787b
  SHA512: ec71515cccdffe4f1e80bf8cafcfe72ff1ed5070525f2abb7ddffc2b9b530e380fea4b45f74ae1f05c55f93cd7bcf95309d338c29a3a38e15d7830024644a404

C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted
  MD5: f0e10ec2c2fc8de94738338dda195eb0
  SHA1: 7130dcd18e4df464dc2952a62b0d6870b3bd0f44
  SHA256: 849c3bee965112d973a9ba4802d48835255ef704046d3e8c3b6b74584c693455
  SHA512: 4f25eb82e15161d5ef67a75d7c23f4f5d298b601029882c61457ec88556c07eed2f7d6cdb2ff1400890c92ed031c5a96b2a1e0e2d4cf2c476f157dc0420d5c42

C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt
  MD5: 72c1626115909c7f77d3bf9c4d23102f
  SHA1: 3500ae5a375aa0e561d675c388830791abf0dcd9
  SHA256: d4c5cbc1f36d4c74d1de30676d8bc5a61d7ced607a293ab659c7f4507e22787b
  SHA512: ec71515cccdffe4f1e80bf8cafcfe72ff1ed5070525f2abb7ddffc2b9b530e380fea4b45f74ae1f05c55f93cd7bcf95309d338c29a3a38e15d7830024644a404