Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-07-2021 12:58

General

  • Target

    4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe

  • Size

    423KB

  • MD5

    055c2fba242d03ae153be4a796c55ae2

  • SHA1

    be71b94e30d5465d8b72e1fc7c0137024f97baee

  • SHA256

    4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024

  • SHA512

    20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\SYSTEM32\net.exe
      "net.exe" stop avpsus /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
          PID:3888
      • C:\Windows\SYSTEM32\net.exe
        "net.exe" stop McAfeeDLPAgentService /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:496
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
          3⤵
            PID:3148
        • C:\Windows\SYSTEM32\net.exe
          "net.exe" stop mfewc /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:192
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop mfewc /y
            3⤵
              PID:2272
          • C:\Windows\SYSTEM32\net.exe
            "net.exe" stop BMR Boot Service /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3700
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop BMR Boot Service /y
              3⤵
                PID:3380
            • C:\Windows\SYSTEM32\net.exe
              "net.exe" stop NetBackup BMR MTFTP Service /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3140
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
                3⤵
                  PID:2212
              • C:\Windows\SYSTEM32\sc.exe
                "sc.exe" config SQLTELEMETRY start= disabled
                2⤵
                  PID:2164
                • C:\Windows\SYSTEM32\sc.exe
                  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                  2⤵
                    PID:3872
                  • C:\Windows\SYSTEM32\sc.exe
                    "sc.exe" config SQLWriter start= disabled
                    2⤵
                      PID:1208
                    • C:\Windows\SYSTEM32\sc.exe
                      "sc.exe" config SstpSvc start= disabled
                      2⤵
                        PID:3976
                      • C:\Windows\SYSTEM32\taskkill.exe
                        "taskkill.exe" /IM mspub.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3160
                      • C:\Windows\SYSTEM32\taskkill.exe
                        "taskkill.exe" /IM mydesktopqos.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2952
                      • C:\Windows\SYSTEM32\taskkill.exe
                        "taskkill.exe" /IM mydesktopservice.exe /F
                        2⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3772
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        2⤵
                        • Interacts with shadow copies
                        PID:2788
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
                        2⤵
                        • Interacts with shadow copies
                        PID:1328
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
                        2⤵
                        • Interacts with shadow copies
                        PID:2216
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:2064
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:2136
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1000
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:3744
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:580
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:908
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:196
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:1140
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:2212
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                        2⤵
                        • Enumerates connected drives
                        • Interacts with shadow copies
                        PID:3524
                      • C:\Windows\SYSTEM32\vssadmin.exe
                        "vssadmin.exe" Delete Shadows /all /quiet
                        2⤵
                        • Interacts with shadow copies
                        PID:3948
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3148

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/192-121-0x0000000000000000-mapping.dmp

                    • memory/196-143-0x0000000000000000-mapping.dmp

                    • memory/496-119-0x0000000000000000-mapping.dmp

                    • memory/580-141-0x0000000000000000-mapping.dmp

                    • memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

                      Filesize

                      4KB

                    • memory/740-118-0x0000000002C10000-0x0000000002C12000-memory.dmp

                      Filesize

                      8KB

                    • memory/908-142-0x0000000000000000-mapping.dmp

                    • memory/1000-139-0x0000000000000000-mapping.dmp

                    • memory/1140-144-0x0000000000000000-mapping.dmp

                    • memory/1208-129-0x0000000000000000-mapping.dmp

                    • memory/1328-135-0x0000000000000000-mapping.dmp

                    • memory/2064-137-0x0000000000000000-mapping.dmp

                    • memory/2136-138-0x0000000000000000-mapping.dmp

                    • memory/2164-127-0x0000000000000000-mapping.dmp

                    • memory/2212-126-0x0000000000000000-mapping.dmp

                    • memory/2212-145-0x0000000000000000-mapping.dmp

                    • memory/2216-136-0x0000000000000000-mapping.dmp

                    • memory/2272-122-0x0000000000000000-mapping.dmp

                    • memory/2788-134-0x0000000000000000-mapping.dmp

                    • memory/2952-132-0x0000000000000000-mapping.dmp

                    • memory/3140-125-0x0000000000000000-mapping.dmp

                    • memory/3148-120-0x0000000000000000-mapping.dmp

                    • memory/3160-131-0x0000000000000000-mapping.dmp

                    • memory/3380-124-0x0000000000000000-mapping.dmp

                    • memory/3524-146-0x0000000000000000-mapping.dmp

                    • memory/3700-123-0x0000000000000000-mapping.dmp

                    • memory/3744-140-0x0000000000000000-mapping.dmp

                    • memory/3772-133-0x0000000000000000-mapping.dmp

                    • memory/3872-128-0x0000000000000000-mapping.dmp

                    • memory/3888-117-0x0000000000000000-mapping.dmp

                    • memory/3948-147-0x0000000000000000-mapping.dmp

                    • memory/3976-130-0x0000000000000000-mapping.dmp

                    • memory/4048-116-0x0000000000000000-mapping.dmp