Analysis

max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7v20210408
submitted: 26-07-2021 13:00

Static task: static1

Behavioral task: behavioral1
  Sample: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
  Resource: win7v20210408

Behavioral task: behavioral2
  Sample: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
  Resource: win10v20210410
General

Target: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
Size: 60KB
MD5: eb86699181894931833816e860ab279d
SHA1: e98d1319d2614debebeeabc26616d327950f699e
SHA256: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21
SHA512: 9b567fbca1cd9720c86bd848a49dc8aeda47104d06be7c4d7189a6a7ec6956c41ee5c40aac49f90067e7ab2e7b65078197b9f9d6c7a5e2c1c52b9ab971a6c714
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes:
  PID 1296  Backup:bin
  PID 832   Backup.exe

Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all by Backup.exe):
  File renamed                  C:\Users\Admin\Pictures\StartSend.png => C:\Users\Admin\Pictures\StartSend.png.3ncrypt3d
  File opened for modification  C:\Users\Admin\Pictures\StartSend.png.3ncrypt3d
  File created                  C:\Users\Admin\Pictures\LimitUnregister.png.3ncrypt3d_help
  File opened for modification  C:\Users\Admin\Pictures\LimitUnregister.png.3ncrypt3d
  File opened for modification  C:\Users\Admin\Pictures\PingGet.tif.3ncrypt3d
  File created                  C:\Users\Admin\Pictures\StartSend.png.3ncrypt3d_help
  File created                  C:\Users\Admin\Pictures\TraceMove.tiff.3ncrypt3d_help
  File renamed                  C:\Users\Admin\Pictures\TraceMove.tiff => C:\Users\Admin\Pictures\TraceMove.tiff.3ncrypt3d
  File opened for modification  C:\Users\Admin\Pictures\TraceMove.tiff.3ncrypt3d
  File renamed                  C:\Users\Admin\Pictures\LimitUnregister.png => C:\Users\Admin\Pictures\LimitUnregister.png.3ncrypt3d
  File created                  C:\Users\Admin\Pictures\PingGet.tif.3ncrypt3d_help
  File renamed                  C:\Users\Admin\Pictures\PingGet.tif => C:\Users\Admin\Pictures\PingGet.tif.3ncrypt3d

Possible privilege escalation attempt (2 IoCs)
Processes:
  PID 1320  takeown.exe
  PID 1052  icacls.exe

Deletes itself (1 IoC)
Processes:
  PID 1428  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1348  06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
  PID 1348  06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe

Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  PID 1320  takeown.exe
  PID 1052  icacls.exe

Drops file in System32 directory (2 IoCs)
Processes:
  File opened for modification  C:\Windows\SysWOW64\Backup.exe  Backup:bin
  File opened for modification  C:\Windows\SysWOW64\Backup.exe  attrib.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 2012  vssadmin.exe

NTFS ADS (1 IoC)
Processes:
  File opened for modification  C:\Users\Admin\AppData\Roaming\Backup:bin  06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeBackupPrivilege   PID 596  vssvc.exe
  Token: SeRestorePrivilege  PID 596  vssvc.exe
  Token: SeAuditPrivilege    PID 596  vssvc.exe

Suspicious use of WriteProcessMemory (52 IoCs)
Processes (the report lists each source -> target pair four times; the 13 distinct pairs are):
  PID 1348 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe -> PID 1296 Backup:bin
  PID 1296 Backup:bin -> PID 2012 vssadmin.exe
  PID 1296 Backup:bin -> PID 1320 takeown.exe
  PID 1296 Backup:bin -> PID 1052 icacls.exe
  PID 832  Backup.exe -> PID 1716 cmd.exe
  PID 1716 cmd.exe -> PID 664 choice.exe
  PID 1296 Backup:bin -> PID 1496 cmd.exe
  PID 1348 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe -> PID 1428 cmd.exe
  PID 1496 cmd.exe -> PID 1116 choice.exe
  PID 1428 cmd.exe -> PID 912 choice.exe
  PID 1716 cmd.exe -> PID 1760 attrib.exe
  PID 1496 cmd.exe -> PID 1736 attrib.exe
  PID 1428 cmd.exe -> PID 204 attrib.exe

Views/modifies file attributes (1 TTP, 3 IoCs)
Processes:
  PID 1760  attrib.exe
  PID 204   attrib.exe
  PID 1736  attrib.exe
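The "Modifies extensions of user files" IoCs are the raw material for a file-system indicator. The Python below is an added example, not part of the original report or of the sandbox's own tooling: it parses event strings in the shape printed above (the input is constructed from the 12 IoCs listed), recovers the appended marker extension from the rename pairs, finds the ransom-note suffix among the created files, and checks that every encrypted file has a note beside it. It goes slightly beyond this sample by ignoring renames that are not a pure suffix append, so the marker is only derived from renames of the form `name => name + suffix`.

```python
"""Extract a ransomware file marker from sandbox file-event IoCs."""
import re
from collections import Counter

# Constructed input: the 12 file events from the signature above, one string each,
# in the "<action> <path>" shape the report prints. Not raw sandbox output.
FILE_EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\StartSend.png => C:\Users\Admin\Pictures\StartSend.png.3ncrypt3d",
    r"File opened for modification C:\Users\Admin\Pictures\StartSend.png.3ncrypt3d",
    r"File created C:\Users\Admin\Pictures\LimitUnregister.png.3ncrypt3d_help",
    r"File opened for modification C:\Users\Admin\Pictures\LimitUnregister.png.3ncrypt3d",
    r"File opened for modification C:\Users\Admin\Pictures\PingGet.tif.3ncrypt3d",
    r"File created C:\Users\Admin\Pictures\StartSend.png.3ncrypt3d_help",
    r"File created C:\Users\Admin\Pictures\TraceMove.tiff.3ncrypt3d_help",
    r"File renamed C:\Users\Admin\Pictures\TraceMove.tiff => C:\Users\Admin\Pictures\TraceMove.tiff.3ncrypt3d",
    r"File opened for modification C:\Users\Admin\Pictures\TraceMove.tiff.3ncrypt3d",
    r"File renamed C:\Users\Admin\Pictures\LimitUnregister.png => C:\Users\Admin\Pictures\LimitUnregister.png.3ncrypt3d",
    r"File created C:\Users\Admin\Pictures\PingGet.tif.3ncrypt3d_help",
    r"File renamed C:\Users\Admin\Pictures\PingGet.tif => C:\Users\Admin\Pictures\PingGet.tif.3ncrypt3d",
]

RENAME = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
CREATE = re.compile(r"^File created (?P<path>.+)$")


def appended_suffix(src, dst):
    """Return the suffix a rename appended to src, or None if dst is not src plus a tail."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def summarize(events):
    """Derive marker extension, note suffix and per-file note pairing from file events."""
    suffixes = Counter()
    renamed_sources = []
    created = set()
    for ev in events:
        m = RENAME.match(ev)
        if m:
            tail = appended_suffix(m["src"], m["dst"])
            if tail:  # renames that rewrite the name itself carry no marker
                suffixes[tail] += 1
                renamed_sources.append(m["src"])
            continue
        m = CREATE.match(ev)
        if m:
            created.add(m["path"])

    if not suffixes:
        return {"marker_ext": None, "renamed": 0, "note_suffix": None,
                "notes": 0, "unpaired": renamed_sources}

    marker, renamed = suffixes.most_common(1)[0]

    # Ransom notes: created files carrying the marker plus a fixed tail (".3ncrypt3d_help" here).
    tails = Counter(p[p.index(marker):] for p in created if marker in p)
    note_suffix, notes = tails.most_common(1)[0] if tails else (None, 0)

    # Encrypted files with no note created next to them.
    unpaired = [s for s in renamed_sources
                if note_suffix is None or s + note_suffix not in created]
    return {"marker_ext": marker, "renamed": renamed, "note_suffix": note_suffix,
            "notes": notes, "unpaired": unpaired}


if __name__ == "__main__":
    print(summarize(FILE_EVENTS))
```

For this sample the summary yields the marker `.3ncrypt3d`, four renamed files, the note suffix `.3ncrypt3d_help` and no unpaired files, which says the note is written per file rather than once per directory; that pairing is what a file-system rule for this family should key on.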
Processes

C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Backup:bin
    Command line: C:\Users\Admin\AppData\Roaming\Backup:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies

    C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Backup.exe
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Backup.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /d y /t 11 & attrib -h "C:\Users\Admin\AppData\Roaming\Backup" & del "C:\Users\Admin\AppData\Roaming\Backup"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\choice.exe
        Command line: choice /d y /t 11

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Backup"
        - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /d y /t 11 & attrib -h "C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\choice.exe
      Command line: choice /d y /t 11

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe"
      - Views/modifies file attributes

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\Backup.exe
  Command line: C:\Windows\SysWOW64\Backup.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /d y /t 11 & attrib -h "C:\Windows\SysWOW64\Backup.exe" & del "C:\Windows\SysWOW64\Backup.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\choice.exe
      Command line: choice /d y /t 11

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Backup.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes

Reading the tree: the submitted sample writes a copy of itself into the alternate data stream Backup:bin of C:\Users\Admin\AppData\Roaming\Backup (the stream's hashes in Downloads below match the sample) and runs that stream with -r. The stream copy deletes all shadow copies, writes a second copy into the Windows directory, runs takeown /F and icacls /reset against it, and then both it and the original launch a cmd /c choice /d y /t 11 & attrib -h ... & del ... chain against their own on-disk image; choice with /t 11 and /d y answers itself after 11 seconds, so the delete runs after the parent has exited. The copy in the Windows directory runs with -s and is the stage that renames user files; it appears at the top level of the tree, so whatever launched it is not recorded here, and it removes itself through the same cmd chain.

Two things to keep in mind when reading the paths. First, takeown, icacls, cmd, choice and attrib all execute from C:\Windows\SysWOW64 although their command lines name C:\Windows\system32: the sample is a 32-bit process on 64-bit Windows 7 (platform windows7_x64), so file-system redirection maps its system32 requests to SysWOW64. The same redirection is why the file it addresses as C:\Windows\system32\Backup.exe lands at C:\Windows\SysWOW64\Backup.exe. Second, the takeown/icacls pair acts on the copy the sample itself just wrote, so the "Possible privilege escalation attempt" signature here reflects ACL housekeeping on its own dropped file; the tree shows no change to the sample's token or integrity level. Likewise vssvc.exe at the top level is the Volume Shadow Copy service that vssadmin talks to, and its SeBackupPrivilege/SeRestorePrivilege/SeAuditPrivilege adjustments are the service's own behaviour, triggered by the vssadmin call rather than code running in the sample.
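The command lines in the tree are what a process-creation detection would match on. The Python below is an added example written for this page, not the report's or the sandbox vendor's code. It runs four rules over constructed process-creation events modelled on the tree (image path, command line, parent image) plus two benign look-alikes: execution from an NTFS alternate data stream, vssadmin shadow-copy deletion, takeown/icacls against a file under C:\Windows, and the delayed choice/del self-delete chain, which it ties back to the parent's own image (including the host file of an ADS image). It also flags WOW64 redirection where a SysWOW64 image was launched by a system32 path. The sample.exe path in the constructed events is shortened to sample.exe; everything else is copied from the tree.

```python
"""Process-creation rules for the behaviours in the process tree above."""
import re

# Constructed events: (image path, command line, parent image path), modelled on the
# report's process tree. Not real EDR telemetry; the long sample name is shortened.
EVENTS = [
    (r"C:\Users\Admin\AppData\Roaming\Backup:bin",
     r"C:\Users\Admin\AppData\Roaming\Backup:bin -r",
     r"C:\Users\Admin\AppData\Local\Temp\sample.exe"),
    (r"C:\Windows\system32\vssadmin.exe",
     r"C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet",
     r"C:\Users\Admin\AppData\Roaming\Backup:bin"),
    (r"C:\Windows\SysWOW64\takeown.exe",
     r"C:\Windows\system32\takeown.exe /F C:\Windows\system32\Backup.exe",
     r"C:\Users\Admin\AppData\Roaming\Backup:bin"),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r"C:\Windows\system32\icacls.exe C:\Windows\system32\Backup.exe /reset",
     r"C:\Users\Admin\AppData\Roaming\Backup:bin"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c choice /d y /t 11 & attrib -h "C:\Users\Admin\AppData\Roaming\Backup" & del "C:\Users\Admin\AppData\Roaming\Backup"',
     r"C:\Users\Admin\AppData\Roaming\Backup:bin"),
    # Two benign look-alikes the rules must not fire on.
    (r"C:\Windows\system32\vssadmin.exe",
     r"vssadmin.exe list shadows",
     r"C:\Windows\system32\cmd.exe"),
    (r"C:\Windows\system32\cmd.exe",
     r'cmd /c attrib -h "C:\Users\Admin\notes.txt"',
     r"C:\Windows\explorer.exe"),
]

# "C:\dir\file:stream": a colon in the last path component after the drive letter.
ADS_PATH = re.compile(r"^(?P<host>[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+):(?P<stream>[^\\:]+)$")
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
ACL_ON_WINDIR = re.compile(r"\b(?:takeown|icacls)(?:\.exe)?\b.*\\Windows\\", re.I)
# "choice ... /t N ... & ... del <target>": a timer followed by a delete in one cmd line.
DELAYED_DELETE = re.compile(
    r"\bchoice\b[^&]*/t\s+\d+[^&]*&.*\bdel\s+\"?(?P<target>[^\"&]+?)\"?\s*$", re.I)


def host_file(image):
    """Split an ADS image into (host file, stream); plain paths give (path, None)."""
    m = ADS_PATH.match(image)
    return (m["host"], m["stream"]) if m else (image, None)


def analyse(image, cmdline, parent_image):
    """Return the list of findings for one process-creation event."""
    findings = []
    host, stream = host_file(image)
    if stream:
        findings.append(f"executes from NTFS alternate data stream '{stream}' of {host}")
    if SHADOW_DELETE.search(cmdline):
        findings.append("deletes volume shadow copies (vssadmin)")
    if ACL_ON_WINDIR.search(cmdline):
        findings.append("takes ownership / resets ACL of a file under C:\\Windows")
    m = DELAYED_DELETE.search(cmdline)
    if m:
        target = m["target"]
        parent_host, _ = host_file(parent_image)
        if target.lower() == parent_host.lower():
            findings.append(f"delayed self-delete of parent {parent_host} via choice/del")
        else:
            findings.append(f"delayed delete of {target} via choice/del")
    # 32-bit process asked for system32 and got SysWOW64: WOW64 file-system redirection.
    if image.lower().startswith("c:\\windows\\syswow64\\") and "\\system32\\" in cmdline.lower():
        findings.append("WOW64 redirection: system32 path in command line, SysWOW64 image on disk")
    return findings


def scan(events):
    """Run analyse() over every event; returns [(image, findings), ...] in input order."""
    return [(img, analyse(img, cmd, parent)) for img, cmd, parent in events]


if __name__ == "__main__":
    for img, found in scan(EVENTS):
        print(img)
        for f in found:
            print("   ", f)
```

The self-delete rule compares the deleted path with the parent's image after stripping the stream name, which is what makes the Backup:bin case match: the chain deletes the host file C:\Users\Admin\AppData\Roaming\Backup, not the stream path that appears as the parent's image. The benign `vssadmin list shadows` and the plain `attrib -h` produce no findings.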
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Backup:bin
  MD5:    eb86699181894931833816e860ab279d
  SHA1:   e98d1319d2614debebeeabc26616d327950f699e
  SHA256: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21
  SHA512: 9b567fbca1cd9720c86bd848a49dc8aeda47104d06be7c4d7189a6a7ec6956c41ee5c40aac49f90067e7ab2e7b65078197b9f9d6c7a5e2c1c52b9ab971a6c714
  (hashes identical to the submitted sample: the stream is a byte-for-byte copy; the report lists this entry twice)

C:\Windows\SysWOW64\Backup.exe
  MD5:    eb86699181894931833816e860ab279d
  SHA1:   e98d1319d2614debebeeabc26616d327950f699e
  SHA256: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21
  SHA512: 9b567fbca1cd9720c86bd848a49dc8aeda47104d06be7c4d7189a6a7ec6956c41ee5c40aac49f90067e7ab2e7b65078197b9f9d6c7a5e2c1c52b9ab971a6c714
  (hashes identical to the submitted sample; the report lists this entry twice)

\Users\Admin\AppData\Roaming\Backup
  MD5:    5d50b14f63b60bf136b2c4bbe28305ae
  SHA1:   021a8fe424315ea6406351da97d722284046e556
  SHA256: 4fee3a3b37c56d317b277f0951a5dec3dd69db965e1af2f882670907e132139b
  SHA512: aaa4b361f31af4eae723b73c906e2c074c2c3fd21aceecaf550a188ae35afb94d4d214d5917977b01a21628de513de3709ca43438756e034477afa1c9a347e8a
  (the host file whose Backup:bin stream holds the copy above; its default stream hashes differently from the sample; the report lists this entry twice)
Memory dumps:
  memory/204-81-0x0000000000000000-mapping.dmp
  memory/664-74-0x0000000000000000-mapping.dmp
  memory/912-78-0x0000000000000000-mapping.dmp
  memory/1052-70-0x0000000000000000-mapping.dmp
  memory/1116-77-0x0000000000000000-mapping.dmp
  memory/1296-63-0x0000000000000000-mapping.dmp
  memory/1320-68-0x0000000000000000-mapping.dmp
  memory/1348-60-0x00000000762C1000-0x00000000762C3000-memory.dmp (filesize 8KB)
  memory/1428-76-0x0000000000000000-mapping.dmp
  memory/1496-75-0x0000000000000000-mapping.dmp
  memory/1716-73-0x0000000000000000-mapping.dmp
  memory/1736-80-0x0000000000000000-mapping.dmp
  memory/1760-79-0x0000000000000000-mapping.dmp
  memory/2012-66-0x0000000000000000-mapping.dmp