Analysis
- max time kernel: 33s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-08-2021 04:11
Static task: static1
Behavioral task: behavioral1
- Sample: Privacy By Design - Training Module.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: Privacy By Design - Training Module.exe
- Resource: win10v20210408
The signatures and process tree below are from the windows10_x64 run (resource win10v20210408, i.e. behavioral2).
General
- Target: Privacy By Design - Training Module.exe
- Size: 724KB
- MD5: 82126e6a1d3b1bb5b1d1c3ddbb256b0e
- SHA1: 2259e9b89fcfd3e01d2e1554b32b478fc0f6396c
- SHA256: aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398
- SHA512: 6795d4872554840c5a1bb4ed415c3d948c3384348ea8c18e30d74c8d800d554956003a048a4d7bceac9b670f7fd350c1a2aaa8d07725cce3138cf1fa036ac4f9
Malware Config
Signatures
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Setting bootstatuspolicy to ignoreallfailures and recoveryenabled to no turns off automatic startup repair, so a boot that fails after encryption does not drop the victim into the Windows Recovery Environment.
Processes:
- 476 bcdedit.exe
- 3128 bcdedit.exe

Deletes backup catalog (1 IoC)
Removing the Windows Backup catalog prevents restoring from wbadmin backups; the command line is shown in the process tree below.
Processes:
- 3712 wbadmin.exe
Executes dropped EXE (1 IoC)
Processes:
- 3968 Privacy By Design - Training Module.exe
The dropped file in C:\Users\Admin\AppData\Roaming carries the same MD5, SHA1 and SHA256 as the submitted sample (see Downloads): the binary copies itself to %APPDATA% and relaunches from there, and it is the copy (PID 3968) that does the encryption and recovery tampering.
Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files. Here the original extension is kept and a different four-character suffix is appended to each file, so an IoC list keyed on one fixed extension will not match.
Processes (all by Privacy By Design - Training Module.exe):
- File renamed C:\Users\Admin\Pictures\UnlockTest.png => C:\Users\Admin\Pictures\UnlockTest.png.89i5
- File renamed C:\Users\Admin\Pictures\WaitPop.tif => C:\Users\Admin\Pictures\WaitPop.tif.kuuh
- File renamed C:\Users\Admin\Pictures\ClearConvertFrom.tif => C:\Users\Admin\Pictures\ClearConvertFrom.tif.bkxv
- File renamed C:\Users\Admin\Pictures\CompareRevoke.tif => C:\Users\Admin\Pictures\CompareRevoke.tif.vu3l
- File renamed C:\Users\Admin\Pictures\MergeTrace.raw => C:\Users\Admin\Pictures\MergeTrace.raw.zav7
- File renamed C:\Users\Admin\Pictures\OptimizeApprove.png => C:\Users\Admin\Pictures\OptimizeApprove.png.eco3
- File renamed C:\Users\Admin\Pictures\ShowDisconnect.tif => C:\Users\Admin\Pictures\ShowDisconnect.tif.btwj
Drops startup file (3 IoCs)
Processes (all by Privacy By Design - Training Module.exe):
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Privacy By Design - Training Module.url
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ TO UN-HACK
The .url shortcut in the per-user Startup folder is the persistence mechanism (everything in that folder runs at logon). READ TO UN-HACK, dropped next to it without an extension, is most likely the ransom note; placing it in Startup makes it open at every logon as well.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) (34 IoCs)
Processes (all "File opened for modification" by Privacy By Design - Training Module.exe):
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\r9v9uzjuu.jpg" (Privacy By Design - Training Module.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments. Note that the process reading these keys is vds.exe (the Windows Virtual Disk Service, started here over COM via vdsldr.exe -Embedding), not the sample: it enumerates disks as part of the volume and backup operations triggered by vssadmin, wmic and wbadmin, so this signature is a side effect of those commands rather than evidence of sandbox detection by the sample.
Processes (all vds.exe):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- 2108 vssadmin.exe
Modifies registry class (4 IoCs)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (OpenWith.exe)
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (Privacy By Design - Training Module.exe)
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (OpenWith.exe)
- Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (OpenWith.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- 3968 Privacy By Design - Training Module.exe
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes:
- 640 Privacy By Design - Training Module.exe (13 events)
- 3968 Privacy By Design - Training Module.exe (14 events)
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Processes:
- 640 Privacy By Design - Training Module.exe: SeDebugPrivilege
- 3968 Privacy By Design - Training Module.exe: SeDebugPrivilege
- 3960 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 656 WMIC.exe (the following 21 privileges, each enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 1360 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
The entries worth attention are the two SeDebugPrivilege enables by the sample itself (PIDs 640 and 3968). wmic.exe enabling every privilege in its token is its normal start-up behaviour, and vssvc.exe (Volume Shadow Copy service) and wbengine.exe (Block Level Backup Engine service) enable the backup privileges they need to carry out the vssadmin and wbadmin requests. The numeric entries 33-36 are privilege LUIDs the sandbox did not resolve to names (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege).
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- 1284 OpenWith.exe
- 1468 OpenWith.exe (3 events)
- 1228 OpenWith.exe
OpenWith.exe -Embedding is the host for the Windows "Open with" dialog, activated over COM when a file with no registered handler is opened; the hook is the dialog's own and does not indicate sample code running in these processes.
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (each parent/child pair is recorded twice):
- PID 640 wrote to memory of 3968: Privacy By Design - Training Module.exe -> Privacy By Design - Training Module.exe
- PID 3968 wrote to memory of 3744: Privacy By Design - Training Module.exe -> cmd.exe
- PID 3968 wrote to memory of 2372: Privacy By Design - Training Module.exe -> cmd.exe
- PID 2372 wrote to memory of 476: cmd.exe -> bcdedit.exe
- PID 2372 wrote to memory of 3128: cmd.exe -> bcdedit.exe
- PID 3968 wrote to memory of 732: Privacy By Design - Training Module.exe -> cmd.exe
- PID 732 wrote to memory of 3712: cmd.exe -> wbadmin.exe
Every pair is a parent writing into a child it has just created, which ordinary CreateProcess also does (it copies the process parameters into the new process), so on its own this is not evidence of injection; the pairs are useful for reconstructing the process tree and its PIDs.
Processes
Indentation shows the parent/child relationship (the sandbox's depth markers 1 to 4); the signatures that fired in each process are listed under its command line. The service-hosted processes at depth 1 (vssvc.exe, wbengine.exe, vdsldr.exe/vds.exe) are started by the Service Control Manager and COM on behalf of vssadmin, wmic and wbadmin, which is why they appear as separate roots rather than as children of the sample.

[1] C:\Users\Admin\AppData\Local\Temp\Privacy By Design - Training Module.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Privacy By Design - Training Module.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe"
        - Executes dropped EXE
        - Modifies extensions of user files
        - Drops startup file
        - Drops desktop.ini file(s)
        - Sets desktop wallpaper using registry
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

            [4] C:\Windows\system32\vssadmin.exe
                cmdline: vssadmin delete shadows /all /quiet
                - Interacts with shadow copies

            [4] C:\Windows\System32\Wbem\WMIC.exe
                cmdline: wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\bcdedit.exe
                cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                - Modifies boot configuration data using bcdedit

            [4] C:\Windows\system32\bcdedit.exe
                cmdline: bcdedit /set {default} recoveryenabled no
                - Modifies boot configuration data using bcdedit

        [3] C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wbadmin.exe
                cmdline: wbadmin delete catalog -quiet
                - Deletes backup catalog

[1] C:\Windows\system32\OpenWith.exe
    cmdline: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe
    cmdline: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vdsldr.exe
    cmdline: C:\Windows\System32\vdsldr.exe -Embedding

[1] C:\Windows\System32\vds.exe
    cmdline: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)

[1] C:\Windows\system32\OpenWith.exe
    cmdline: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\OpenWith.exe
    cmdline: C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
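The process tree above is the chain a detection engineer would turn into a rule: three cmd.exe /C launches from the dropped copy that together remove shadow copies (vssadmin, wmic), delete the backup catalog (wbadmin) and disable boot recovery (bcdedit), i.e. ATT&CK T1490, Inhibit System Recovery. The following is an added example, not code from the sandbox report or from the sample: it replays the PIDs and command lines shown in the tree as constructed process-creation events, matches each command against a T1490 pattern, attributes the hit past cmd.exe to the process that launched it, and scores a lineage as ransomware-grade only when several distinct techniques come from the same origin. It also checks the seven "File renamed" IoCs for the appended-random-suffix pattern. The event field names (pid, ppid, image, cmdline), the set of shell interpreters to hop over and the threshold of two techniques are assumptions; map the fields to Sysmon Event ID 1 or Security 4688 in a real pipeline.

```python
"""Added example, not part of the sandbox report: replays the process chain and
file-rename IoCs above as constructed events and flags the ATT&CK T1490 chain and
the per-file random extension pattern. Field names (pid, ppid, image, cmdline)
are assumed; map them to Sysmon Event ID 1 / Security 4688 in a real pipeline."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "Privacy By Design - Training Module.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"

# Constructed from the report's process tree: PIDs are the ones the report
# lists, parent links follow the tree nesting.
EVENTS = [
    ProcEvent(640, 0, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(3968, 640, "C:\\Users\\Admin\\AppData\\Roaming\\" + SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(3744, 3968, CMD, '"' + CMD + '" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    ProcEvent(2108, 3744, "C:\\Windows\\system32\\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(656, 3744, "C:\\Windows\\System32\\Wbem\\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(2372, 3968, CMD, '"' + CMD + '" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'
              ' & bcdedit /set {default} recoveryenabled no'),
    ProcEvent(476, 2372, "C:\\Windows\\system32\\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(3128, 2372, "C:\\Windows\\system32\\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(732, 3968, CMD, '"' + CMD + '" /C wbadmin delete catalog -quiet'),
    ProcEvent(3712, 732, "C:\\Windows\\system32\\wbadmin.exe", "wbadmin delete catalog -quiet"),
]

# Command-line patterns for the T1490 sub-techniques seen in the report.
T1490_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{?\w+\}?\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{?\w+\}?\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # assumed set of interpreters to hop over


def origin_of(by_pid, ev):
    """Walk up past shell interpreters so the alert lands on the process that
    launched the recovery-inhibiting command (here the dropped copy), not on cmd.exe."""
    cur = ev
    while cur.ppid in by_pid and by_pid[cur.ppid].image.rsplit("\\", 1)[-1].lower() in SHELLS:
        cur = by_pid[cur.ppid]
    return by_pid.get(cur.ppid, cur)


def detect_t1490(events):
    """Return {origin_pid: sorted rule names} for every lineage that ran a T1490 command."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(set)
    for ev in events:
        for name, rx in T1490_RULES.items():
            if rx.search(ev.cmdline):  # the cmd.exe /C lines match too; the set dedups
                hits[origin_of(by_pid, ev).pid].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def ransomware_grade(hits, threshold=2):
    """A lone vssadmin call can be admin housekeeping; several distinct T1490
    techniques from one origin process is the ransomware pattern (threshold assumed)."""
    return {pid: len(names) >= threshold for pid, names in hits.items()}


# The seven "File renamed" IoCs from the report: a different suffix per file.
PICS = "C:\\Users\\Admin\\Pictures\\"
RENAMES = [(PICS + old, PICS + new) for old, new in [
    ("UnlockTest.png", "UnlockTest.png.89i5"), ("WaitPop.tif", "WaitPop.tif.kuuh"),
    ("ClearConvertFrom.tif", "ClearConvertFrom.tif.bkxv"), ("CompareRevoke.tif", "CompareRevoke.tif.vu3l"),
    ("MergeTrace.raw", "MergeTrace.raw.zav7"), ("OptimizeApprove.png", "OptimizeApprove.png.eco3"),
    ("ShowDisconnect.tif", "ShowDisconnect.tif.btwj"),
]]
APPENDED_EXT = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]{2,5})\.(?P<ext>[a-z0-9]{4})$")


def appended_extensions(renames):
    """Suffixes appended in place (old name kept, short suffix added). A different
    suffix per file means a fixed-extension IoC list never fires; alert on rename rate."""
    exts = set()
    for old, new in renames:
        m = APPENDED_EXT.match(new)
        if m and m.group("orig") == old:
            exts.add(m.group("ext"))
    return exts


if __name__ == "__main__":
    hits = detect_t1490(EVENTS)
    print(hits, ransomware_grade(hits), sorted(appended_extensions(RENAMES)))
```

On the report's events all five rules attribute to PID 3968, the copy running from AppData\Roaming, even though none of the matching command lines belong to it directly; that attribution is what lets a response action target the right process rather than a transient cmd.exe. The rename check returns seven different suffixes for seven files, which is the reason to key a file-activity rule on the rate of in-place renames under user profile folders rather than on a specific extension.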
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Privacy By Design - Training Module.exe.log
  MD5: d78293ab15ad25b5d6e8740fe5fd3872
  SHA1: 51b70837f90f2bff910daee706e6be8d62a3550e
  SHA256: 4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3
  SHA512: 1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925
  A CLR_v4.0\UsageLogs entry is written by the .NET Framework 4 runtime when a managed executable runs, so the sample is a .NET assembly; a .NET decompiler is the right static-analysis path.
- C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe
  MD5: 82126e6a1d3b1bb5b1d1c3ddbb256b0e
  SHA1: 2259e9b89fcfd3e01d2e1554b32b478fc0f6396c
  SHA256: aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398
  SHA512: 6795d4872554840c5a1bb4ed415c3d948c3384348ea8c18e30d74c8d800d554956003a048a4d7bceac9b670f7fd350c1a2aaa8d07725cce3138cf1fa036ac4f9
  Identical to the submitted sample (same hashes as in General): a byte-for-byte self-copy to %APPDATA%, so the original file hash is the IoC for the persistent copy as well.
-
Memory dumps (PID-tagged; "mapping.dmp" entries record the process start, "memory.dmp" entries are region dumps):
- memory/476-125-0x0000000000000000-mapping.dmp
- memory/640-114-0x0000000000900000-0x0000000000901000-memory.dmp (4KB)
- memory/732-127-0x0000000000000000-mapping.dmp
- memory/2372-124-0x0000000000000000-mapping.dmp
- memory/3128-126-0x0000000000000000-mapping.dmp
- memory/3712-128-0x0000000000000000-mapping.dmp
- memory/3744-123-0x0000000000000000-mapping.dmp
- memory/3968-116-0x0000000000000000-mapping.dmp
- memory/3968-122-0x0000000001220000-0x0000000001222000-memory.dmp (8KB)