Analysis
- max time kernel: 77s
- max time network: 66s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 05-12-2021 07:55
Static task: static1
Behavioral task: behavioral1
Sample: SysLogsService.exe
Resource: win7-en-20211014
General
- Target: SysLogsService.exe
- Size: 7.7MB
- MD5: 0b97fa8b682939e55df2bcfe3d17dba5
- SHA1: 9d0101a59a1f705d55ab5acb0577ea9a967a6bab
- SHA256: ef7fefcb41d79c824c429819fbe73e6d0186c0586bc5f031debf553cd43edce4
- SHA512: 1d4e414a9abd9b4f317f4ea37fc2a76ee8d3057b5079f654c142ef0b938433d0c52f8620526375eed4b9ac0adceda26484ebad9e63b7c4df5aef272d07620e68
Malware Config
Signatures

DMA Locker
Ransomware family with some advanced features, like encryption of unmapped network shares.

suricata: ET MALWARE BigLock Ransomware CnC Activity (ext)
suricata: ET MALWARE BigLock Ransomware CnC Activity (gen)
suricata: ET MALWARE BigLock Ransomware CnC Activity (info)
suricata: ET MALWARE BigLock Ransomware CnC Activity (name)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  pid 744  bcdedit.exe
  pid 64   bcdedit.exe

Processes:
  pid 2320  wbadmin.exe
Modifies extensions of user files (14 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all entries by SysLogsService.exe):
  File opened for modification  C:\Users\Admin\Pictures\InitializeOut.png.t1000
  File opened for modification  C:\Users\Admin\Pictures\MoveTrace.tif.t1000
  File opened for modification  C:\Users\Admin\Pictures\RevokeCompare.raw.t1000
  File opened for modification  C:\Users\Admin\Pictures\ExportConvert.tiff.t1000
  File opened for modification  C:\Users\Admin\Pictures\ResizeTrace.raw.t1000
  File created                  C:\Users\Admin\Pictures\RevokeCompare.raw.t1000
  File created                  C:\Users\Admin\Pictures\SetClear.png.t1000
  File opened for modification  C:\Users\Admin\Pictures\SetClear.png.t1000
  File created                  C:\Users\Admin\Pictures\WaitFormat.raw.t1000
  File opened for modification  C:\Users\Admin\Pictures\WaitFormat.raw.t1000
  File created                  C:\Users\Admin\Pictures\ResizeTrace.raw.t1000
  File created                  C:\Users\Admin\Pictures\ExportConvert.tiff.t1000
  File created                  C:\Users\Admin\Pictures\InitializeOut.png.t1000
  File created                  C:\Users\Admin\Pictures\MoveTrace.tif.t1000

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (all entries by SysLogsService.exe):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
  resource: behavioral2/memory/2776-115-0x00007FF7DF4C0000-0x00007FF7DFC78000-memory.dmp  yara_rule: themida

Processes (SysLogsService.exe):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only)  \??\e:  vssadmin.exe
  File opened (read-only)  \??\E:  vssadmin.exe
  File opened (read-only)  \??\e:  vssadmin.exe
  File opened (read-only)  \??\F:  vssadmin.exe
  File opened (read-only)  \??\W:  SysLogsService.exe
  File opened (read-only)  \??\Q:  SysLogsService.exe
  File opened (read-only)  \??\f:  vssadmin.exe
  File opened (read-only)  \??\G:  vssadmin.exe
  File opened (read-only)  \??\A:  SysLogsService.exe
  File opened (read-only)  \??\P:  SysLogsService.exe
  File opened (read-only)  \??\X:  SysLogsService.exe
  File opened (read-only)  \??\D:  vssadmin.exe
  File opened (read-only)  \??\G:  vssadmin.exe
  File opened (read-only)  \??\H:  vssadmin.exe
  File opened (read-only)  \??\H:  SysLogsService.exe
  File opened (read-only)  \??\M:  SysLogsService.exe
  File opened (read-only)  \??\S:  SysLogsService.exe
  File opened (read-only)  \??\T:  SysLogsService.exe
  File opened (read-only)  \??\D:  vssadmin.exe
  File opened (read-only)  \??\g:  vssadmin.exe
  File opened (read-only)  \??\h:  vssadmin.exe
  File opened (read-only)  \??\E:  SysLogsService.exe
  File opened (read-only)  \??\L:  SysLogsService.exe
  File opened (read-only)  \??\R:  SysLogsService.exe
  File opened (read-only)  \??\Z:  SysLogsService.exe
  File opened (read-only)  \??\K:  SysLogsService.exe
  File opened (read-only)  \??\O:  SysLogsService.exe
  File opened (read-only)  \??\E:  vssadmin.exe
  File opened (read-only)  \??\F:  vssadmin.exe
  File opened (read-only)  \??\g:  vssadmin.exe
  File opened (read-only)  \??\B:  SysLogsService.exe
  File opened (read-only)  \??\G:  SysLogsService.exe
  File opened (read-only)  \??\I:  SysLogsService.exe
  File opened (read-only)  \??\U:  SysLogsService.exe
  File opened (read-only)  \??\Y:  SysLogsService.exe
  File opened (read-only)  \??\f:  vssadmin.exe
  File opened (read-only)  \??\h:  vssadmin.exe
  File opened (read-only)  \??\H:  vssadmin.exe
  File opened (read-only)  \??\N:  SysLogsService.exe
  File opened (read-only)  \??\F:  SysLogsService.exe
  File opened (read-only)  \??\J:  SysLogsService.exe
  File opened (read-only)  \??\V:  SysLogsService.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid 2776  SysLogsService.exe

Drops file in Windows directory (3 IoCs)
Processes (all entries by wbadmin.exe):
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.3.etl
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.2.etl
  File opened for modification  C:\Windows\Logs\WindowsBackup\WBEngine.1.etl

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 13 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (13 instances of vssadmin.exe):
  pid 2820  vssadmin.exe
  pid 364   vssadmin.exe
  pid 360   vssadmin.exe
  pid 2360  vssadmin.exe
  pid 1400  vssadmin.exe
  pid 1060  vssadmin.exe
  pid 1872  vssadmin.exe
  pid 3548  vssadmin.exe
  pid 856   vssadmin.exe
  pid 1424  vssadmin.exe
  pid 3108  vssadmin.exe
  pid 3852  vssadmin.exe
  pid 3064  vssadmin.exe
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes:
  pid 2776  SysLogsService.exe  (50 identical entries)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  Token: SeBackupPrivilege             pid 1576  vssvc.exe
  Token: SeRestorePrivilege            pid 1576  vssvc.exe
  Token: SeAuditPrivilege              pid 1576  vssvc.exe
  Token: SeIncreaseQuotaPrivilege      pid 3592  wmic.exe
  Token: SeSecurityPrivilege           pid 3592  wmic.exe
  Token: SeTakeOwnershipPrivilege      pid 3592  wmic.exe
  Token: SeLoadDriverPrivilege         pid 3592  wmic.exe
  Token: SeSystemProfilePrivilege      pid 3592  wmic.exe
  Token: SeSystemtimePrivilege         pid 3592  wmic.exe
  Token: SeProfSingleProcessPrivilege  pid 3592  wmic.exe
  Token: SeIncBasePriorityPrivilege    pid 3592  wmic.exe
  Token: SeCreatePagefilePrivilege     pid 3592  wmic.exe
  Token: SeBackupPrivilege             pid 3592  wmic.exe
  Token: SeRestorePrivilege            pid 3592  wmic.exe
  Token: SeShutdownPrivilege           pid 3592  wmic.exe
  Token: SeDebugPrivilege              pid 3592  wmic.exe
  Token: SeSystemEnvironmentPrivilege  pid 3592  wmic.exe
  Token: SeRemoteShutdownPrivilege     pid 3592  wmic.exe
  Token: SeUndockPrivilege             pid 3592  wmic.exe
  Token: SeManageVolumePrivilege       pid 3592  wmic.exe
  Token: 33                            pid 3592  wmic.exe
  Token: 34                            pid 3592  wmic.exe
  Token: 35                            pid 3592  wmic.exe
  Token: 36                            pid 3592  wmic.exe

Suspicious use of WriteProcessMemory (34 IoCs)
Processes (source is pid 2776 SysLogsService.exe in every entry; each target is listed twice in the report):
  PID 2776 wrote to memory of 856   vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 2820  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 1424  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 364   vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 3108  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 360   vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 2360  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 1400  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 1060  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 1872  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 3852  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 3064  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 3548  vssadmin.exe  (2 entries)
  PID 2776 wrote to memory of 744   bcdedit.exe   (2 entries)
  PID 2776 wrote to memory of 64    bcdedit.exe   (2 entries)
  PID 2776 wrote to memory of 2320  wbadmin.exe   (2 entries)
  PID 2776 wrote to memory of 3592  wmic.exe      (2 entries)

System policy modification (1 TTP, 1 IoC)
Processes (SysLogsService.exe):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Processes

C:\Users\Admin\AppData\Local\Temp\SysLogsService.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SysLogsService.exe"
  - Modifies extensions of user files
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\vssadmin.exe
      command line: vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies

    C:\Windows\SYSTEM32\bcdedit.exe
      command line: bcdedit.exe /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit

    C:\Windows\SYSTEM32\bcdedit.exe
      command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    C:\Windows\SYSTEM32\wbadmin.exe
      command line: wbadmin DELETE SYSTEMSTATEBACKUP
      - Deletes System State backups
      - Drops file in Windows directory

    C:\Windows\System32\Wbem\wmic.exe
      command line: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/64-130-0x0000000000000000-mapping.dmp
- memory/360-121-0x0000000000000000-mapping.dmp
- memory/364-119-0x0000000000000000-mapping.dmp
- memory/744-129-0x0000000000000000-mapping.dmp
- memory/856-116-0x0000000000000000-mapping.dmp
- memory/1060-124-0x0000000000000000-mapping.dmp
- memory/1400-123-0x0000000000000000-mapping.dmp
- memory/1424-118-0x0000000000000000-mapping.dmp
- memory/1872-125-0x0000000000000000-mapping.dmp
- memory/2320-131-0x0000000000000000-mapping.dmp
- memory/2360-122-0x0000000000000000-mapping.dmp
- memory/2776-115-0x00007FF7DF4C0000-0x00007FF7DFC78000-memory.dmp (Filesize: 7.7MB)
- memory/2820-117-0x0000000000000000-mapping.dmp
- memory/3064-127-0x0000000000000000-mapping.dmp
- memory/3108-120-0x0000000000000000-mapping.dmp
- memory/3548-128-0x0000000000000000-mapping.dmp
- memory/3592-132-0x0000000000000000-mapping.dmp
- memory/3852-126-0x0000000000000000-mapping.dmp