Analysis
- max time kernel: 79s
- max time network: 57s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 05-12-2021 07:55
Static task: static1
Behavioral task: behavioral1
- Sample: SysLogsService.exe
- Resource: win7-en-20211014
General
- Target: SysLogsService.exe
- Size: 7.7MB
- MD5: 0b97fa8b682939e55df2bcfe3d17dba5
- SHA1: 9d0101a59a1f705d55ab5acb0577ea9a967a6bab
- SHA256: ef7fefcb41d79c824c429819fbe73e6d0186c0586bc5f031debf553cd43edce4
- SHA512: 1d4e414a9abd9b4f317f4ea37fc2a76ee8d3057b5079f654c142ef0b938433d0c52f8620526375eed4b9ac0adceda26484ebad9e63b7c4df5aef272d07620e68
Malware Config
Extracted
- Path: C:\Users\Admin\Desktop\CRYPTiNFO.TXT
- Email: t1000rn@404.city
- URLs: https://www.bestchange.net, http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/chat
Signatures
-
DMA Locker
Ransomware family with some advanced features, like encryption of unmapped network shares.
-
suricata: ET MALWARE BigLock Ransomware CnC Activity (ext)
-
suricata: ET MALWARE BigLock Ransomware CnC Activity (gen)
-
suricata: ET MALWARE BigLock Ransomware CnC Activity (info)
-
suricata: ET MALWARE BigLock Ransomware CnC Activity (name)
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- pid 1400 bcdedit.exe
- pid 1372 bcdedit.exe
-
Deletes System State backups
Processes:
- pid 1348 wbadmin.exe
Modifies extensions of user files 20 IoCs
Ransomware generally changes the extension on encrypted files. Here the sample keeps the original name and appends .t1000 to it (ShowLock.png becomes ShowLock.png.t1000); each of the ten files below is first created and then opened for modification.
Processes: SysLogsService.exe
- File created C:\Users\Admin\Pictures\ApproveInstall.tiff.t1000
- File created C:\Users\Admin\Pictures\DismountCopy.crw.t1000
- File opened for modification C:\Users\Admin\Pictures\DismountCopy.crw.t1000
- File opened for modification C:\Users\Admin\Pictures\ResolveDisconnect.raw.t1000
- File created C:\Users\Admin\Pictures\UnblockRegister.crw.t1000
- File opened for modification C:\Users\Admin\Pictures\UninstallClear.tiff.t1000
- File opened for modification C:\Users\Admin\Pictures\WatchUnregister.png.t1000
- File opened for modification C:\Users\Admin\Pictures\ApproveInstall.tiff.t1000
- File opened for modification C:\Users\Admin\Pictures\FindRevoke.tiff.t1000
- File created C:\Users\Admin\Pictures\ResolveClose.tiff.t1000
- File created C:\Users\Admin\Pictures\ShowLock.png.t1000
- File opened for modification C:\Users\Admin\Pictures\ShowLock.png.t1000
- File created C:\Users\Admin\Pictures\UninstallClear.tiff.t1000
- File created C:\Users\Admin\Pictures\FindRevoke.tiff.t1000
- File opened for modification C:\Users\Admin\Pictures\ResolveClose.tiff.t1000
- File created C:\Users\Admin\Pictures\ResolveDisconnect.raw.t1000
- File created C:\Users\Admin\Pictures\WatchUnregister.png.t1000
- File created C:\Users\Admin\Pictures\CopyImport.raw.t1000
- File opened for modification C:\Users\Admin\Pictures\CopyImport.raw.t1000
- File opened for modification C:\Users\Admin\Pictures\UnblockRegister.crw.t1000
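The file events above are the kind of telemetry a file-integrity or EDR sensor produces, and the distinctive signal in them is not the literal string ".t1000" but the pattern: one process appending the same unknown suffix to files of several different original types. The following is an added detection example written for this page; it is not code from the sandbox, the report, or the malware. The sample events are constructed from the ten paths listed above plus hypothetical benign activity (a backup tool named backup.exe and notepad creating the ransom note), and the allow-list of user-file extensions is an assumption a real deployment would replace with its own inventory.

```python
"""Detect a ransomware-style appended extension in file-creation telemetry.

Added example; the sample events below are constructed from the paths listed
in the report plus hypothetical benign activity, not from a live capture.
"""
import os
from collections import defaultdict

# Hypothetical allow-list of extensions that identify ordinary user documents.
USER_FILE_EXTS = {".tiff", ".tif", ".png", ".jpg", ".jpeg", ".crw", ".raw",
                  ".docx", ".xlsx", ".pdf", ".txt"}


def split_appended(path):
    """Return (original_ext, appended_ext) when a known user-file extension is
    immediately followed by an unknown one, e.g. 'ShowLock.png.t1000' gives
    ('.png', '.t1000'); otherwise return None."""
    name = os.path.basename(path.replace("\\", "/"))
    stem, appended = os.path.splitext(name)
    _, original = os.path.splitext(stem)
    if appended and original.lower() in USER_FILE_EXTS \
            and appended.lower() not in USER_FILE_EXTS:
        return original.lower(), appended.lower()
    return None


def find_extension_rewrites(events, min_files=5, min_original_types=3):
    """events: dicts with keys Image, Op ('create' or 'modify') and Path.

    Groups created files by (process, appended extension). A group is reported
    when it covers at least min_files files spanning at least
    min_original_types different original extensions; the second condition
    separates an encryptor walking a whole profile from a backup or converter
    tool that only ever rewrites one file type.
    Returns {image: {appended_ext: {"files": n, "original_exts": [...]}}}.
    """
    groups = defaultdict(lambda: defaultdict(dict))  # image -> ext -> {path: orig}
    for ev in events:
        if ev["Op"] != "create":
            continue
        parts = split_appended(ev["Path"])
        if parts:
            original, appended = parts
            groups[ev["Image"]][appended][ev["Path"].lower()] = original
    findings = {}
    for image, by_ext in groups.items():
        for appended, files in by_ext.items():
            original_types = sorted(set(files.values()))
            if len(files) >= min_files and len(original_types) >= min_original_types:
                findings.setdefault(image, {})[appended] = {
                    "files": len(files), "original_exts": original_types}
    return findings


PICTURES = r"C:\Users\Admin\Pictures"
# The ten files the report lists under "Modifies extensions of user files".
ENCRYPTED_NAMES = [
    "ApproveInstall.tiff", "DismountCopy.crw", "ResolveDisconnect.raw",
    "UnblockRegister.crw", "UninstallClear.tiff", "WatchUnregister.png",
    "FindRevoke.tiff", "ResolveClose.tiff", "ShowLock.png", "CopyImport.raw",
]

# Constructed telemetry: the report's create/modify pairs, a hypothetical
# backup tool that appends .bak to six .docx files, and notepad writing a .txt.
SAMPLE_EVENTS = (
    [{"Image": "SysLogsService.exe", "Op": op, "Path": f"{PICTURES}\\{n}.t1000"}
     for n in ENCRYPTED_NAMES for op in ("create", "modify")]
    + [{"Image": "backup.exe", "Op": "create",
        "Path": rf"C:\Users\Admin\Documents\report{i}.docx.bak"} for i in range(6)]
    + [{"Image": "notepad.exe", "Op": "create",
        "Path": r"C:\Users\Admin\Desktop\CRYPTiNFO.TXT"}]
)


def analyze_sample():
    """Run the detector over the constructed events."""
    return find_extension_rewrites(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, exts in analyze_sample().items():
        for ext, info in exts.items():
            print(f"{image}: appends {ext} to {info['files']} files "
                  f"of types {', '.join(info['original_exts'])}")
```

Only SysLogsService.exe is reported: ten files, four original types (.crw, .png, .raw, .tiff) under one new suffix. The backup tool stays below the original-type threshold even though it also appends an unknown extension, which is the caveat worth keeping in mind when tuning min_original_types against real telemetry.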
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: SysLogsService.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Processes:
- yara_rule themida matched resource behavioral1/memory/776-55-0x000000013F660000-0x000000013FE18000-memory.dmp (the 7.7MB region is the whole mapped image of SysLogsService.exe, pid 776)
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
Processes: SysLogsService.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive. Here SysLogsService.exe opens the root of every drive letter from A: to Z: except C: and D: (24 IoCs), and the vssadmin.exe children open D: through H: while resizing shadow storage on those volumes (18 IoCs).
Processes:
- SysLogsService.exe, file opened (read-only): \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- vssadmin.exe, file opened (read-only): \??\D: \??\D: \??\e: \??\E: \??\e: \??\E: \??\f: \??\F: \??\f: \??\F: \??\g: \??\G: \??\g: \??\G: \??\h: \??\H: \??\h: \??\H:
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- pid 776 SysLogsService.exe
Drops file in Windows directory 3 IoCs
Processes: wbadmin.exe
- File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl
- File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl
- File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 13 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
- pids 1528, 936, 696, 1096, 1940, 1072, 1832, 1708, 2032, 852, 1624, 440, 1260
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
- pid 1120 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
- pid 776 SysLogsService.exe (25 occurrences)
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
- vssvc.exe (pid 1828): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wmic.exe (pid 1800): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
SysLogsService.exe (pid 776) wrote to the memory of every child it launched, three writes per child. The targets line up exactly with the children in the process tree below, so this reflects process start-up rather than injection into an unrelated process.
- vssadmin.exe, pids 1528, 1072, 1832, 1708, 936, 2032, 696, 1096, 852, 1624, 1940, 440, 1260 (39 IoCs)
- bcdedit.exe, pids 1400, 1372 (6 IoCs)
- wbadmin.exe, pid 1348 (3 IoCs)
- wmic.exe, pid 1800 (3 IoCs)
System policy modification 1 TTPs 1 IoCs
Processes: SysLogsService.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Setting EnableLinkedConnections to 1 makes drive letters mapped under the user's standard token visible to the elevated token as well, so an elevated encryptor can reach the user's mapped network shares.
Processes (children are indented under the parent that launched them)
-
C:\Users\Admin\AppData\Local\Temp\SysLogsService.exe (pid 776)
"C:\Users\Admin\AppData\Local\Temp\SysLogsService.exe"
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  - Enumerates connected drives
  - Interacts with shadow copies
  -
  C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  - Interacts with shadow copies
  -
  C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled No
  - Modifies boot configuration data using bcdedit
  -
  C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  - Modifies boot configuration data using bcdedit
  -
  C:\Windows\system32\wbadmin.exe (pid 1348)
  wbadmin DELETE SYSTEMSTATEBACKUP
  - Deletes System State backups
  - Drops file in Windows directory
  -
  C:\Windows\System32\Wbem\wmic.exe (pid 1800)
  wmic.exe SHADOWCOPY /nointeractive
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe (pid 1828)
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE (pid 1120)
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CRYPTiNFO.TXT
- Opens file in notepad (likely ransom note)
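The process tree above is the textbook recovery-inhibition chain (MITRE ATT&CK T1490): shadow storage is resized per volume, shadows are deleted outright, Windows recovery is disabled in the BCD, and the system state backup is removed. The Resize pairs deserve their own rule: shrinking ShadowStorage to 401MB forces VSS to discard snapshots that no longer fit, so even an environment that blocks "Delete Shadows" loses its restore points, and the following unbounded resize just hides the change. The block below is an added detection example written for this page, not code from the sandbox or the report. It runs over process-creation events constructed from the command lines in the tree plus hypothetical benign administrator activity (an interactive cmd.exe, pid 3000, listing shadows and boot entries); field names follow the Sysmon process-creation event but the events themselves are constructed.

```python
"""Flag the recovery-inhibition chain (MITRE ATT&CK T1490) in process-creation
telemetry and attribute it to the parent process that drives it.

Added example; the events below are constructed from the command lines in the
report's process tree plus hypothetical benign administrator activity.
"""
import re
from collections import defaultdict

# (rule name, regex over the lower-cased command line). Order matters: the
# more specific wmic rule must precede the generic one.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    # Shrinking shadow storage below what the snapshots occupy makes VSS
    # discard them, so a Resize pair deletes snapshots without a Delete verb.
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wmic_shadowcopy",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin_delete_systemstate",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+systemstatebackup\b")),
]


def classify(cmdline):
    """Return the first matching rule name for a command line, or None."""
    text = cmdline.lower()
    for name, rx in RULES:
        if rx.search(text):
            return name
    return None


def find_recovery_inhibition(events, min_distinct_rules=2):
    """events: dicts with ParentProcessId, ParentImage, Image, CommandLine.

    Groups matching children by parent and reports parents whose children hit
    at least min_distinct_rules different rules, so a single administrative
    'vssadmin delete shadows' does not by itself attribute the chain.
    Returns {parent_pid: {"parent": image, "hits": [(rule, cmdline), ...],
                          "distinct": sorted rule names}}.
    """
    per_parent = defaultdict(list)
    for ev in events:
        rule = classify(ev["CommandLine"])
        if rule:
            key = (ev["ParentProcessId"], ev["ParentImage"])
            per_parent[key].append((rule, ev["CommandLine"]))
    findings = {}
    for (pid, image), hits in per_parent.items():
        distinct = sorted({rule for rule, _ in hits})
        if len(distinct) >= min_distinct_rules:
            findings[pid] = {"parent": image, "hits": hits, "distinct": distinct}
    return findings


def _child(parent_pid, parent, image, cmdline):
    return {"ParentProcessId": parent_pid, "ParentImage": parent,
            "Image": image, "CommandLine": cmdline}


# Constructed events: the sample's children from the report, then a
# hypothetical administrator in cmd.exe (pid 3000) only listing things.
SAMPLE_EVENTS = [
    _child(776, "SysLogsService.exe", "vssadmin.exe",
           "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    _child(776, "SysLogsService.exe", "vssadmin.exe",
           "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded"),
    _child(776, "SysLogsService.exe", "vssadmin.exe",
           "vssadmin.exe Delete Shadows /All /Quiet"),
    _child(776, "SysLogsService.exe", "bcdedit.exe",
           "bcdedit.exe /set {default} recoveryenabled No"),
    _child(776, "SysLogsService.exe", "bcdedit.exe",
           "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    _child(776, "SysLogsService.exe", "wbadmin.exe",
           "wbadmin DELETE SYSTEMSTATEBACKUP"),
    _child(776, "SysLogsService.exe", "wmic.exe",
           "wmic.exe SHADOWCOPY /nointeractive"),
    _child(3000, "cmd.exe", "vssadmin.exe", "vssadmin list shadows"),
    _child(3000, "cmd.exe", "bcdedit.exe", "bcdedit /enum"),
]


def analyze_sample():
    """Run the detector over the constructed events."""
    return find_recovery_inhibition(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, info in analyze_sample().items():
        print(f"{info['parent']} (pid {pid}): {len(info['hits'])} hits, "
              f"rules {', '.join(info['distinct'])}")
```

Only pid 776 is reported, with seven hits across six rules; the cmd.exe session never matches because listing is not flagged. The wmic command in the report carries no delete verb and so lands in the weaker generic wmic_shadowcopy rule; if your telemetry shows "wmic shadowcopy delete", the specific rule fires instead.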
Downloads
-
C:\Users\Admin\Desktop\CRYPTiNFO.TXT
- MD5: c0bf73d9c9e80e47b40584cd812268f0
- SHA1: 39617bc2e360645fe8724e5799fec1e6c4c877b3
- SHA256: be06e14ca6a51d92b7b54e08f2c1cc34fe0d70906fc42cc4e3a27f176a306b53
- SHA512: 3249b800f33e5df7ae2e838fcd4a8cbd27abf88dcece92ac477a041d8476ddba4917a695ea449e33b3489b9b4d8cb3c4f0416df122388cd3ad4f30198317d8ff
-
memory/440-68-0x0000000000000000-mapping.dmp
-
memory/696-63-0x0000000000000000-mapping.dmp
-
memory/776-56-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmpFilesize
8KB
-
memory/776-55-0x000000013F660000-0x000000013FE18000-memory.dmpFilesize
7.7MB
-
memory/852-65-0x0000000000000000-mapping.dmp
-
memory/936-61-0x0000000000000000-mapping.dmp
-
memory/1072-58-0x0000000000000000-mapping.dmp
-
memory/1096-64-0x0000000000000000-mapping.dmp
-
memory/1260-69-0x0000000000000000-mapping.dmp
-
memory/1348-72-0x0000000000000000-mapping.dmp
-
memory/1372-71-0x0000000000000000-mapping.dmp
-
memory/1400-70-0x0000000000000000-mapping.dmp
-
memory/1528-57-0x0000000000000000-mapping.dmp
-
memory/1624-66-0x0000000000000000-mapping.dmp
-
memory/1708-60-0x0000000000000000-mapping.dmp
-
memory/1800-74-0x0000000000000000-mapping.dmp
-
memory/1832-59-0x0000000000000000-mapping.dmp
-
memory/1940-67-0x0000000000000000-mapping.dmp
-
memory/2032-62-0x0000000000000000-mapping.dmp