Analysis
- max time kernel: 17s
- max time network: 125s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
  Resource: win10v20210410
General
- Target: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
- Size: 60KB
- MD5: eb86699181894931833816e860ab279d
- SHA1: e98d1319d2614debebeeabc26616d327950f699e
- SHA256: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21
- SHA512: 9b567fbca1cd9720c86bd848a49dc8aeda47104d06be7c4d7189a6a7ec6956c41ee5c40aac49f90067e7ab2e7b65078197b9f9d6c7a5e2c1c52b9ab971a6c714
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 1792  Early:bin
  - PID 184   Early.exe
- Modifies extensions of user files (15 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (all events by Early.exe):
  - File renamed: C:\Users\Admin\Pictures\ConvertFromUpdate.raw => C:\Users\Admin\Pictures\ConvertFromUpdate.raw.3ncrypt3d
  - File created: C:\Users\Admin\Pictures\SaveRequest.raw.3ncrypt3d_help
  - File renamed: C:\Users\Admin\Pictures\StartUninstall.tiff => C:\Users\Admin\Pictures\StartUninstall.tiff.3ncrypt3d
  - File created: C:\Users\Admin\Pictures\ConvertFromUpdate.raw.3ncrypt3d_help
  - File opened for modification: C:\Users\Admin\Pictures\MountEdit.tif.3ncrypt3d
  - File created: C:\Users\Admin\Pictures\MountRead.tif.3ncrypt3d_help
  - File opened for modification: C:\Users\Admin\Pictures\MountRead.tif.3ncrypt3d
  - File created: C:\Users\Admin\Pictures\StartUninstall.tiff.3ncrypt3d_help
  - File opened for modification: C:\Users\Admin\Pictures\StartUninstall.tiff.3ncrypt3d
  - File renamed: C:\Users\Admin\Pictures\SaveRequest.raw => C:\Users\Admin\Pictures\SaveRequest.raw.3ncrypt3d
  - File opened for modification: C:\Users\Admin\Pictures\SaveRequest.raw.3ncrypt3d
  - File opened for modification: C:\Users\Admin\Pictures\ConvertFromUpdate.raw.3ncrypt3d
  - File created: C:\Users\Admin\Pictures\MountEdit.tif.3ncrypt3d_help
  - File renamed: C:\Users\Admin\Pictures\MountEdit.tif => C:\Users\Admin\Pictures\MountEdit.tif.3ncrypt3d
  - File renamed: C:\Users\Admin\Pictures\MountRead.tif => C:\Users\Admin\Pictures\MountRead.tif.3ncrypt3d
- Possible privilege escalation attempt (2 IoCs)
  Processes:
  - PID 3600  takeown.exe
  - PID 736   icacls.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
  - PID 3600  takeown.exe
  - PID 736   icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\Early.exe (Early:bin)
  - File opened for modification: C:\Windows\SysWOW64\Early.exe (attrib.exe)
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 1664  vssadmin.exe
- NTFS ADS (1 IoC)
  Processes:
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Early:bin (06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeBackupPrivilege   PID 2364  vssvc.exe
  - Token: SeRestorePrivilege  PID 2364  vssvc.exe
  - Token: SeAuditPrivilege    PID 2364  vssvc.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (source PID / process -> target PID / process; identical repeated events collapsed, event count in parentheses):
  - 3980 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe -> 1792 Early:bin (3)
  - 1792 Early:bin -> 1664 vssadmin.exe (2)
  - 1792 Early:bin -> 3600 takeown.exe (3)
  - 1792 Early:bin -> 736 icacls.exe (3)
  - 184 Early.exe -> 500 cmd.exe (3)
  - 500 cmd.exe -> 1880 choice.exe (3)
  - 1792 Early:bin -> 732 cmd.exe (3)
  - 3980 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe -> 2884 cmd.exe (3)
  - 732 cmd.exe -> 1856 choice.exe (3)
  - 2884 cmd.exe -> 1220 choice.exe (3)
  - 500 cmd.exe -> 256 attrib.exe (3)
  - 732 cmd.exe -> 276 attrib.exe (3)
  - 2884 cmd.exe -> 1600 attrib.exe (3)
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes:
  - PID 256   attrib.exe
  - PID 276   attrib.exe
  - PID 1600  attrib.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe"
  Signatures:
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\Early:bin
    Command line: C:\Users\Admin\AppData\Roaming\Early:bin -r
    Signatures:
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      Signatures:
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Early.exe
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Early.exe /reset
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /d y /t 11 & attrib -h "C:\Users\Admin\AppData\Roaming\Early" & del "C:\Users\Admin\AppData\Roaming\Early"
      Signatures:
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /d y /t 11
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Early"
        Signatures:
        - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /d y /t 11 & attrib -h "C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /d y /t 11
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21.sample.exe"
      Signatures:
      - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Early.exe
  Command line: C:\Windows\SysWOW64\Early.exe -s
  Signatures:
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /d y /t 11 & attrib -h "C:\Windows\SysWOW64\Early.exe" & del "C:\Windows\SysWOW64\Early.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /d y /t 11
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Early.exe"
      Signatures:
      - Drops file in System32 directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Early:bin
  MD5: eb86699181894931833816e860ab279d
  SHA1: e98d1319d2614debebeeabc26616d327950f699e
  SHA256: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21
  SHA512: 9b567fbca1cd9720c86bd848a49dc8aeda47104d06be7c4d7189a6a7ec6956c41ee5c40aac49f90067e7ab2e7b65078197b9f9d6c7a5e2c1c52b9ab971a6c714
- C:\Windows\SysWOW64\Early.exe
  MD5: eb86699181894931833816e860ab279d
  SHA1: e98d1319d2614debebeeabc26616d327950f699e
  SHA256: 06e3e56153ca25cb9790495f0768e9b615e088f9241ac7f3b974f2e9cd97bd21
  SHA512: 9b567fbca1cd9720c86bd848a49dc8aeda47104d06be7c4d7189a6a7ec6956c41ee5c40aac49f90067e7ab2e7b65078197b9f9d6c7a5e2c1c52b9ab971a6c714