Overview

overview

10

Static

static

10

fcc2921020...le.exe

windows7_x64

9

fcc2921020...le.exe

windows10_x64

9

Resubmissions

23-09-2021 15:15

210923-sm8bysege5 10

26-07-2021 12:41

210726-mpfkjgshnx 10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-09-2021 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020.sample.exe

  • Size

    21KB

  • MD5

    ce3cd1dab67814f5f153bccdaf502f4c

  • SHA1

    f246984193c927414e543d936d1fb643a2dff77b

  • SHA256

    fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020

  • SHA512

    015a9c54e65888cd0bf6e74ec26ddf42ba860b48ca56024a8f822be0cd56ed04fb80891ef21857f5ac65c97f6ecb050a1f1c33d1c5e9afddfcab0c59517a95e4

Score
9/10
persistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020.sample.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3032
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\8816f1cf04304bd9918f6d03a64b4f2a /t 3052 /p 3048
    1⤵
      PID:4716
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4744
    • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
      "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4988
    • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:5040
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:1128

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\god.jpg
        MD5

        33896eb870aa83e739da899514c280f1

        SHA1

        2415b17969ac8a664b0465b1c9c45b265f157c44

        SHA256

        0efe67384f049fdc59fd71b06e9931902b1d509bb37af8a4cfcc591fa52f42f0

        SHA512

        499e5fe46528dc009cb6afa9297579165ff47088b149094a422a7fe1b7060c9fc8bb9e86fb88025684f15db7ec370363b0ba8922581da4cbe1c2c8fab2b1d7d7

        Download Submit

      • memory/3032-115-0x0000000000000000-mapping.dmp

        Download

      • memory/3436-114-0x0000000000000000-mapping.dmp

        Download

      • memory/4744-126-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-128-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-118-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-120-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-121-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-122-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-123-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-124-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-125-0x0000000006DB0000-0x0000000006DC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-117-0x0000000004760000-0x0000000004770000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-127-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-119-0x0000000005E70000-0x0000000005E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-129-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-130-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-131-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-133-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-134-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-132-0x0000000004790000-0x00000000047A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-135-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-136-0x0000000005E60000-0x0000000005E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4744-116-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

        Filesize

        4KB

        Download