aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398

Analysis

max time kernel
33s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
22/08/2021, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Privacy By Design - Training Module.exe
Size

724KB
MD5

82126e6a1d3b1bb5b1d1c3ddbb256b0e
SHA1

2259e9b89fcfd3e01d2e1554b32b478fc0f6396c
SHA256

aa438f22db488466ed39153b302b4f7557ca4bcc44ba35f83ad2dc8a04903398
SHA512

6795d4872554840c5a1bb4ed415c3d948c3384348ea8c18e30d74c8d800d554956003a048a4d7bceac9b670f7fd350c1a2aaa8d07725cce3138cf1fa036ac4f9

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
476	bcdedit.exe
3128	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3712	wbadmin.exe

Executes dropped EXE 1 IoCs

pid	Process
3968	Privacy By Design - Training Module.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnlockTest.png => C:\Users\Admin\Pictures\UnlockTest.png.89i5	Privacy By Design - Training Module.exe
File renamed	C:\Users\Admin\Pictures\WaitPop.tif => C:\Users\Admin\Pictures\WaitPop.tif.kuuh	Privacy By Design - Training Module.exe
File renamed	C:\Users\Admin\Pictures\ClearConvertFrom.tif => C:\Users\Admin\Pictures\ClearConvertFrom.tif.bkxv	Privacy By Design - Training Module.exe
File renamed	C:\Users\Admin\Pictures\CompareRevoke.tif => C:\Users\Admin\Pictures\CompareRevoke.tif.vu3l	Privacy By Design - Training Module.exe
File renamed	C:\Users\Admin\Pictures\MergeTrace.raw => C:\Users\Admin\Pictures\MergeTrace.raw.zav7	Privacy By Design - Training Module.exe
File renamed	C:\Users\Admin\Pictures\OptimizeApprove.png => C:\Users\Admin\Pictures\OptimizeApprove.png.eco3	Privacy By Design - Training Module.exe
File renamed	C:\Users\Admin\Pictures\ShowDisconnect.tif => C:\Users\Admin\Pictures\ShowDisconnect.tif.btwj	Privacy By Design - Training Module.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Privacy By Design - Training Module.url	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Privacy By Design - Training Module.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ TO UN-HACK	Privacy By Design - Training Module.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Privacy By Design - Training Module.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Privacy By Design - Training Module.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\r9v9uzjuu.jpg"	Privacy By Design - Training Module.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2108	vssadmin.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Privacy By Design - Training Module.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3968	Privacy By Design - Training Module.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
640	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe
3968	Privacy By Design - Training Module.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	Privacy By Design - Training Module.exe
Token: SeDebugPrivilege	3968	Privacy By Design - Training Module.exe
Token: SeBackupPrivilege	3960	vssvc.exe
Token: SeRestorePrivilege	3960	vssvc.exe
Token: SeAuditPrivilege	3960	vssvc.exe
Token: SeIncreaseQuotaPrivilege	656	WMIC.exe
Token: SeSecurityPrivilege	656	WMIC.exe
Token: SeTakeOwnershipPrivilege	656	WMIC.exe
Token: SeLoadDriverPrivilege	656	WMIC.exe
Token: SeSystemProfilePrivilege	656	WMIC.exe
Token: SeSystemtimePrivilege	656	WMIC.exe
Token: SeProfSingleProcessPrivilege	656	WMIC.exe
Token: SeIncBasePriorityPrivilege	656	WMIC.exe
Token: SeCreatePagefilePrivilege	656	WMIC.exe
Token: SeBackupPrivilege	656	WMIC.exe
Token: SeRestorePrivilege	656	WMIC.exe
Token: SeShutdownPrivilege	656	WMIC.exe
Token: SeDebugPrivilege	656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	656	WMIC.exe
Token: SeRemoteShutdownPrivilege	656	WMIC.exe
Token: SeUndockPrivilege	656	WMIC.exe
Token: SeManageVolumePrivilege	656	WMIC.exe
Token: 33	656	WMIC.exe
Token: 34	656	WMIC.exe
Token: 35	656	WMIC.exe
Token: 36	656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	656	WMIC.exe
Token: SeSecurityPrivilege	656	WMIC.exe
Token: SeTakeOwnershipPrivilege	656	WMIC.exe
Token: SeLoadDriverPrivilege	656	WMIC.exe
Token: SeSystemProfilePrivilege	656	WMIC.exe
Token: SeSystemtimePrivilege	656	WMIC.exe
Token: SeProfSingleProcessPrivilege	656	WMIC.exe
Token: SeIncBasePriorityPrivilege	656	WMIC.exe
Token: SeCreatePagefilePrivilege	656	WMIC.exe
Token: SeBackupPrivilege	656	WMIC.exe
Token: SeRestorePrivilege	656	WMIC.exe
Token: SeShutdownPrivilege	656	WMIC.exe
Token: SeDebugPrivilege	656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	656	WMIC.exe
Token: SeRemoteShutdownPrivilege	656	WMIC.exe
Token: SeUndockPrivilege	656	WMIC.exe
Token: SeManageVolumePrivilege	656	WMIC.exe
Token: 33	656	WMIC.exe
Token: 34	656	WMIC.exe
Token: 35	656	WMIC.exe
Token: 36	656	WMIC.exe
Token: SeBackupPrivilege	1360	wbengine.exe
Token: SeRestorePrivilege	1360	wbengine.exe
Token: SeSecurityPrivilege	1360	wbengine.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1284	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1468	OpenWith.exe
1228	OpenWith.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3968	640	Privacy By Design - Training Module.exe	74
PID 640 wrote to memory of 3968	640	Privacy By Design - Training Module.exe	74
PID 3968 wrote to memory of 3744	3968	Privacy By Design - Training Module.exe	80
PID 3968 wrote to memory of 3744	3968	Privacy By Design - Training Module.exe	80
PID 3968 wrote to memory of 2372	3968	Privacy By Design - Training Module.exe	87
PID 3968 wrote to memory of 2372	3968	Privacy By Design - Training Module.exe	87
PID 2372 wrote to memory of 476	2372	cmd.exe	89
PID 2372 wrote to memory of 476	2372	cmd.exe	89
PID 2372 wrote to memory of 3128	2372	cmd.exe	90
PID 2372 wrote to memory of 3128	2372	cmd.exe	90
PID 3968 wrote to memory of 732	3968	Privacy By Design - Training Module.exe	91
PID 3968 wrote to memory of 732	3968	Privacy By Design - Training Module.exe	91
PID 732 wrote to memory of 3712	732	cmd.exe	93
PID 732 wrote to memory of 3712	732	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\Privacy By Design - Training Module.exe
"C:\Users\Admin\AppData\Local\Temp\Privacy By Design - Training Module.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe
  "C:\Users\Admin\AppData\Roaming\Privacy By Design - Training Module.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    PID:3744
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:476
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3128
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:3712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-114-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/3968-122-0x0000000001220000-0x0000000001222000-memory.dmp

Filesize
8KB

Download