3b60577fe6abb4637b2d1bee5b3d47f70f7230ace340d712a9c7fb1a642688b4

Analysis

max time kernel
45s
max time network
112s
platform
windows10_x64
resource
win10v20210408
submitted
21/06/2021, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Encode.bin.exe
Size

153KB
MD5

5163f03f6789656605108bec4650b66f
SHA1

c32e012da9257780d2031f683457da1840615c9c
SHA256

fb3b67d7f94630f41e722de49c211d8f5c69cdec8fc9ba25996717a77f67b89b
SHA512

13f0a1223330676bf5b81ee6fe64c963bcbeedb5589c96759573919a3e47aaf2e3b387edf2aa99cbded1f086df320cf0e03c06ba1f88f0a06a67014e3552cece

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Encode.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Encode.bin.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2084	vssadmin.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\encrypted_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.encrypted	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.encrypted\ = "encrypted_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\encrypted_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\encrypted_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\encrypted_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\encrypted_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\encrypted_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\encrypted_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\encrypted_auto_file\shell\edit	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3988	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	3836	vssvc.exe
Token: SeRestorePrivilege	3836	vssvc.exe
Token: SeAuditPrivilege	3836	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2716	WMIC.exe
Token: SeSecurityPrivilege	2716	WMIC.exe
Token: SeTakeOwnershipPrivilege	2716	WMIC.exe
Token: SeLoadDriverPrivilege	2716	WMIC.exe
Token: SeSystemProfilePrivilege	2716	WMIC.exe
Token: SeSystemtimePrivilege	2716	WMIC.exe
Token: SeProfSingleProcessPrivilege	2716	WMIC.exe
Token: SeIncBasePriorityPrivilege	2716	WMIC.exe
Token: SeCreatePagefilePrivilege	2716	WMIC.exe
Token: SeBackupPrivilege	2716	WMIC.exe
Token: SeRestorePrivilege	2716	WMIC.exe
Token: SeShutdownPrivilege	2716	WMIC.exe
Token: SeDebugPrivilege	2716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2716	WMIC.exe
Token: SeRemoteShutdownPrivilege	2716	WMIC.exe
Token: SeUndockPrivilege	2716	WMIC.exe
Token: SeManageVolumePrivilege	2716	WMIC.exe
Token: 33	2716	WMIC.exe
Token: 34	2716	WMIC.exe
Token: 35	2716	WMIC.exe
Token: 36	2716	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2464	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
960	OpenWith.exe
2736	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2660	1832	Encode.bin.exe	75
PID 1832 wrote to memory of 2660	1832	Encode.bin.exe	75
PID 1832 wrote to memory of 2660	1832	Encode.bin.exe	75
PID 2660 wrote to memory of 2848	2660	cmd.exe	77
PID 2660 wrote to memory of 2848	2660	cmd.exe	77
PID 2660 wrote to memory of 2848	2660	cmd.exe	77
PID 2660 wrote to memory of 2840	2660	cmd.exe	78
PID 2660 wrote to memory of 2840	2660	cmd.exe	78
PID 2660 wrote to memory of 2840	2660	cmd.exe	78
PID 2660 wrote to memory of 2316	2660	cmd.exe	79
PID 2660 wrote to memory of 2316	2660	cmd.exe	79
PID 2660 wrote to memory of 2316	2660	cmd.exe	79
PID 2660 wrote to memory of 2016	2660	cmd.exe	80
PID 2660 wrote to memory of 2016	2660	cmd.exe	80
PID 2660 wrote to memory of 2016	2660	cmd.exe	80
PID 2660 wrote to memory of 2128	2660	cmd.exe	81
PID 2660 wrote to memory of 2128	2660	cmd.exe	81
PID 2660 wrote to memory of 2128	2660	cmd.exe	81
PID 2660 wrote to memory of 1904	2660	cmd.exe	82
PID 2660 wrote to memory of 1904	2660	cmd.exe	82
PID 2660 wrote to memory of 1904	2660	cmd.exe	82
PID 2660 wrote to memory of 2584	2660	cmd.exe	83
PID 2660 wrote to memory of 2584	2660	cmd.exe	83
PID 2660 wrote to memory of 2584	2660	cmd.exe	83
PID 2660 wrote to memory of 3420	2660	cmd.exe	84
PID 2660 wrote to memory of 3420	2660	cmd.exe	84
PID 2660 wrote to memory of 3420	2660	cmd.exe	84
PID 2660 wrote to memory of 3600	2660	cmd.exe	85
PID 2660 wrote to memory of 3600	2660	cmd.exe	85
PID 2660 wrote to memory of 3600	2660	cmd.exe	85
PID 2660 wrote to memory of 708	2660	cmd.exe	86
PID 2660 wrote to memory of 708	2660	cmd.exe	86
PID 2660 wrote to memory of 708	2660	cmd.exe	86
PID 2660 wrote to memory of 1348	2660	cmd.exe	87
PID 2660 wrote to memory of 1348	2660	cmd.exe	87
PID 2660 wrote to memory of 1348	2660	cmd.exe	87
PID 2660 wrote to memory of 2148	2660	cmd.exe	88
PID 2660 wrote to memory of 2148	2660	cmd.exe	88
PID 2660 wrote to memory of 2148	2660	cmd.exe	88
PID 2660 wrote to memory of 2792	2660	cmd.exe	89
PID 2660 wrote to memory of 2792	2660	cmd.exe	89
PID 2660 wrote to memory of 2792	2660	cmd.exe	89
PID 2660 wrote to memory of 2084	2660	cmd.exe	90
PID 2660 wrote to memory of 2084	2660	cmd.exe	90
PID 2660 wrote to memory of 2084	2660	cmd.exe	90
PID 2660 wrote to memory of 3940	2660	cmd.exe	91
PID 2660 wrote to memory of 3940	2660	cmd.exe	91
PID 2660 wrote to memory of 3940	2660	cmd.exe	91
PID 2660 wrote to memory of 3964	2660	cmd.exe	92
PID 2660 wrote to memory of 3964	2660	cmd.exe	92
PID 2660 wrote to memory of 3964	2660	cmd.exe	92
PID 2660 wrote to memory of 3836	2660	cmd.exe	93
PID 2660 wrote to memory of 3836	2660	cmd.exe	93
PID 2660 wrote to memory of 3836	2660	cmd.exe	93
PID 2660 wrote to memory of 3924	2660	cmd.exe	94
PID 2660 wrote to memory of 3924	2660	cmd.exe	94
PID 2660 wrote to memory of 3924	2660	cmd.exe	94
PID 2660 wrote to memory of 2324	2660	cmd.exe	95
PID 2660 wrote to memory of 2324	2660	cmd.exe	95
PID 2660 wrote to memory of 2324	2660	cmd.exe	95
PID 2660 wrote to memory of 2348	2660	cmd.exe	96
PID 2660 wrote to memory of 2348	2660	cmd.exe	96
PID 2660 wrote to memory of 2348	2660	cmd.exe	96
PID 2660 wrote to memory of 3532	2660	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\Encode.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Encode.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "Encode.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.html
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    3⤵
    PID:708
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Downloads\DenyWrite.txt" "C:\Users\Admin\Downloads\DenyWrite.txt.encrypted"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.html
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Downloads\LockRequest.rtf" "C:\Users\Admin\Downloads\LockRequest.rtf.encrypted"
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.txt
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.doc
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\Are.docx" "C:\Users\Admin\Documents\Are.docx.encrypted"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\Files.docx" "C:\Users\Admin\Documents\Files.docx.encrypted"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\Opened.docx" "C:\Users\Admin\Documents\Opened.docx.encrypted"
    3⤵
    PID:184
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\Recently.docx" "C:\Users\Admin\Documents\Recently.docx.encrypted"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode "C:\Users\Admin\Documents\These.docx" "C:\Users\Admin\Documents\These.docx.encrypted"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.bat
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.html
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2084
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3988
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads