Analysis

Max time kernel: 147s
Max time network: 40s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 26-07-2021 12:39
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
  Resource: win10v20210408
General

Target: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
Size: 207KB
MD5: b961eb350e94cead67efae131b3fff4c
SHA1: f22185fd187244b96f96184359b4f7a7ad8542b0
SHA256: 79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea
SHA512: d2a1a1255f8313a1125c59218be8fecbb46604663c964477b8cd381c78381ffc0aca518f781be87d355d4d0e043dc5d773ae1bb4af2c8716b0f56f293cd4956c
Malware Config
Signatures

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
    File opened for modification
      \??\c:\users\admin\pictures\RemoveStart.tiff
      79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Set value (str)
      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\143001 = "143001"
      79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
    Set value (str)
      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\DB577955-A70528A9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe\" -id \"DB577955-A70528A9\" -wid \"1\""
      79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
    396  vssadmin.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
    1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
    1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
    1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe

Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes (description / pid / process):
    WMIC.exe (pid 632), the following 20 token entries recorded twice, once before and once after the vssvc.exe entries:
      Token: SeIncreaseQuotaPrivilege
      Token: SeSecurityPrivilege
      Token: SeTakeOwnershipPrivilege
      Token: SeLoadDriverPrivilege
      Token: SeSystemProfilePrivilege
      Token: SeSystemtimePrivilege
      Token: SeProfSingleProcessPrivilege
      Token: SeIncBasePriorityPrivilege
      Token: SeCreatePagefilePrivilege
      Token: SeBackupPrivilege
      Token: SeRestorePrivilege
      Token: SeShutdownPrivilege
      Token: SeDebugPrivilege
      Token: SeSystemEnvironmentPrivilege
      Token: SeRemoteShutdownPrivilege
      Token: SeUndockPrivilege
      Token: SeManageVolumePrivilege
      Token: 33
      Token: 34
      Token: 35
    vssvc.exe (pid 896):
      Token: SeBackupPrivilege
      Token: SeRestorePrivilege
      Token: SeAuditPrivilege
    79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe (pid 1420):
      Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (description / pid / process / target process), each entry recorded 4 times:
    PID 1420 wrote to memory of 1704  1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe  cmd.exe
    PID 1420 wrote to memory of 1164  1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe  cmd.exe
    PID 1420 wrote to memory of 748   1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe  cmd.exe
    PID 1704 wrote to memory of 396   1704  cmd.exe  vssadmin.exe
    PID 1420 wrote to memory of 1004  1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe  cmd.exe
    PID 1420 wrote to memory of 984   1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe  cmd.exe
    PID 1420 wrote to memory of 536   1420  79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe  cmd.exe
    PID 1004 wrote to memory of 632   1004  cmd.exe  WMIC.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\79a3ed67bbd02fdc01c1d3b11d343cf93217c9d85d6ca9dd4d275114a97435ea.sample.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic SHADOWCOPY DELETE
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6