Analysis
- max time kernel: 87s
- max time network: 89s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 19-12-2021 01:40
Static task: static1
Behavioral task: behavioral1
  Sample: TimeTime.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: TimeTime.exe
  Resource: win10-en-20211208
General
- Target: TimeTime.exe
- Size: 19KB
- MD5: 8345d2b0dc8fd2134d12856557b15181
- SHA1: a4c5ea013f8fc27d4079b5cd9f710bdbca02011f
- SHA256: 5ee8500fe1a2f22029908d4e2b32e7fb85aec03ffea714f3b5e82ebb2bc10f21
- SHA512: bdfc9573df999957269f5bef22f7f20e75eae37765b9013f1971b4507d2f5420d591898aa4a535bc5158ab6367921dbf597378225aa02dd1a25f42b60624397e
Malware Config
Extracted
- Path: C:\Users\Admin\.oracle_jre_usage\@__RECOVER_YOUR_FILES__@.txt
- URL: https://paysafecard.com
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
  - 364  svchost.exe
  - 2784 svchost.exe
  - 2752 svchost.exe
  - 1140 svchost.exe
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
  - File renamed: C:\Users\Admin\Pictures\ExportComplete.raw => C:\Users\Admin\Pictures\ExportComplete.raw.timetime (TimeTime.exe)
  - File renamed: C:\Users\Admin\Pictures\MountComplete.tif => C:\Users\Admin\Pictures\MountComplete.tif.timetime (TimeTime.exe)
  - File renamed: C:\Users\Admin\Pictures\UnblockConvert.crw => C:\Users\Admin\Pictures\UnblockConvert.crw.timetime (TimeTime.exe)
  - File renamed: C:\Users\Admin\Pictures\UseRedo.crw => C:\Users\Admin\Pictures\UseRedo.crw.timetime (TimeTime.exe)
- Drops desktop.ini file(s) (48 IoCs)
  Processes (description, ioc; process is TimeTime.exe for every entry):
  - File opened for modification: C:\Users\Admin\Saved Games\desktop.ini
  - File created: C:\Users\Public\desktop.ini
  - File opened for modification: C:\Users\Public\Libraries\desktop.ini
  - File created: C:\Users\Public\Music\desktop.ini
  - File opened for modification: C:\Users\Public\Pictures\desktop.ini
  - File opened for modification: C:\Users\Public\Videos\desktop.ini
  - File created: C:\Users\Public\Videos\desktop.ini
  - File created: C:\Users\Admin\Contacts\desktop.ini
  - File created: C:\Users\Admin\OneDrive\desktop.ini
  - File opened for modification: C:\Users\Admin\Pictures\desktop.ini
  - File opened for modification: C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  - File created: C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  - File created: C:\Users\Admin\Searches\desktop.ini
  - File created: C:\Users\Public\Pictures\desktop.ini
  - File created: C:\Users\Admin\Favorites\Links\desktop.ini
  - File opened for modification: C:\Users\Admin\Links\desktop.ini
  - File created: C:\Users\Public\Documents\desktop.ini
  - File created: C:\Users\Admin\Desktop\desktop.ini
  - File opened for modification: C:\Users\Admin\Documents\desktop.ini
  - File opened for modification: C:\Users\Admin\Favorites\desktop.ini
  - File created: C:\Users\Admin\Saved Games\desktop.ini
  - File created: C:\Users\Public\Desktop\desktop.ini
  - File created: C:\Users\Public\Libraries\desktop.ini
  - File created: C:\Users\Admin\Videos\desktop.ini
  - File opened for modification: C:\Users\Admin\Desktop\desktop.ini
  - File opened for modification: C:\Users\Admin\Downloads\desktop.ini
  - File created: C:\Users\Admin\Downloads\desktop.ini
  - File opened for modification: C:\Users\Admin\Favorites\Links\desktop.ini
  - File opened for modification: C:\Users\Admin\OneDrive\desktop.ini
  - File opened for modification: C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  - File created: C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  - File opened for modification: C:\Users\Admin\Contacts\desktop.ini
  - File created: C:\Users\Admin\Favorites\desktop.ini
  - File created: C:\Users\Admin\Links\desktop.ini
  - File opened for modification: C:\Users\Admin\Videos\desktop.ini
  - File created: C:\Users\Public\Downloads\desktop.ini
  - File created: C:\Users\Admin\Documents\desktop.ini
  - File created: C:\Users\Admin\Music\desktop.ini
  - File created: C:\Users\Admin\Pictures\desktop.ini
  - File opened for modification: C:\Users\Public\AccountPictures\desktop.ini
  - File created: C:\Users\Public\AccountPictures\desktop.ini
  - File opened for modification: C:\Users\Public\Documents\desktop.ini
  - File opened for modification: C:\Users\Admin\Music\desktop.ini
  - File opened for modification: C:\Users\Admin\Searches\desktop.ini
  - File opened for modification: C:\Users\Public\desktop.ini
  - File opened for modification: C:\Users\Public\Desktop\desktop.ini
  - File opened for modification: C:\Users\Public\Downloads\desktop.ini
  - File opened for modification: C:\Users\Public\Music\desktop.ini
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\regedit.exe (TimeTime.exe)
- Drops file in Windows directory (24 IoCs)
  Processes (description, ioc; process is TimeTime.exe for every entry):
  - File opened for modification: C:\Windows\setuperr.log
  - File opened for modification: C:\Windows\system.ini
  - File opened for modification: C:\Windows\win.ini
  - File opened for modification: C:\Windows\write.exe
  - File opened for modification: C:\Windows\bootstat.dat
  - File opened for modification: C:\Windows\PFRO.log
  - File opened for modification: C:\Windows\hh.exe
  - File opened for modification: C:\Windows\notepad.exe
  - File opened for modification: C:\Windows\WindowsShell.Manifest
  - File opened for modification: C:\Windows\WindowsUpdate.log
  - File opened for modification: C:\Windows\WMSysPr9.prx
  - File created: C:\Windows\bootstat.dat
  - File opened for modification: C:\Windows\DtcInstall.log
  - File opened for modification: C:\Windows\bfsvc.exe
  - File opened for modification: C:\Windows\mib.bin
  - File opened for modification: C:\Windows\HelpPane.exe
  - File opened for modification: C:\Windows\lsasetup.log
  - File opened for modification: C:\Windows\Professional.xml
  - File opened for modification: C:\Windows\setupact.log
  - File opened for modification: C:\Windows\splwow64.exe
  - File opened for modification: C:\Windows\twain_32.dll
  - File created: C:\Windows\@__RECOVER_YOUR_FILES__@.txt
  - File opened for modification: C:\Windows\explorer.exe
  - File opened for modification: C:\Windows\winhlp32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  - 2616 vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes (description, pid, process):
  - Token: SeBackupPrivilege, 1696, vssvc.exe
  - Token: SeRestorePrivilege, 1696, vssvc.exe
  - Token: SeAuditPrivilege, 1696, vssvc.exe
  - Token: SeIncreaseQuotaPrivilege, 636, WMIC.exe
  - Token: SeSecurityPrivilege, 636, WMIC.exe
  - Token: SeTakeOwnershipPrivilege, 636, WMIC.exe
  - Token: SeLoadDriverPrivilege, 636, WMIC.exe
  - Token: SeSystemProfilePrivilege, 636, WMIC.exe
  - Token: SeSystemtimePrivilege, 636, WMIC.exe
  - Token: SeProfSingleProcessPrivilege, 636, WMIC.exe
  - Token: SeIncBasePriorityPrivilege, 636, WMIC.exe
  - Token: SeCreatePagefilePrivilege, 636, WMIC.exe
  - Token: SeBackupPrivilege, 636, WMIC.exe
  - Token: SeRestorePrivilege, 636, WMIC.exe
  - Token: SeShutdownPrivilege, 636, WMIC.exe
  - Token: SeDebugPrivilege, 636, WMIC.exe
  - Token: SeSystemEnvironmentPrivilege, 636, WMIC.exe
  - Token: SeRemoteShutdownPrivilege, 636, WMIC.exe
  - Token: SeUndockPrivilege, 636, WMIC.exe
  - Token: SeManageVolumePrivilege, 636, WMIC.exe
  - Token: 33, 636, WMIC.exe
  - Token: 34, 636, WMIC.exe
  - Token: 35, 636, WMIC.exe
  - Token: 36, 636, WMIC.exe
  - Token: SeIncreaseQuotaPrivilege, 636, WMIC.exe
  - Token: SeSecurityPrivilege, 636, WMIC.exe
  - Token: SeTakeOwnershipPrivilege, 636, WMIC.exe
  - Token: SeLoadDriverPrivilege, 636, WMIC.exe
  - Token: SeSystemProfilePrivilege, 636, WMIC.exe
  - Token: SeSystemtimePrivilege, 636, WMIC.exe
  - Token: SeProfSingleProcessPrivilege, 636, WMIC.exe
  - Token: SeIncBasePriorityPrivilege, 636, WMIC.exe
  - Token: SeCreatePagefilePrivilege, 636, WMIC.exe
  - Token: SeBackupPrivilege, 636, WMIC.exe
  - Token: SeRestorePrivilege, 636, WMIC.exe
  - Token: SeShutdownPrivilege, 636, WMIC.exe
  - Token: SeDebugPrivilege, 636, WMIC.exe
  - Token: SeSystemEnvironmentPrivilege, 636, WMIC.exe
  - Token: SeRemoteShutdownPrivilege, 636, WMIC.exe
  - Token: SeUndockPrivilege, 636, WMIC.exe
  - Token: SeManageVolumePrivilege, 636, WMIC.exe
  - Token: 33, 636, WMIC.exe
  - Token: 34, 636, WMIC.exe
  - Token: 35, 636, WMIC.exe
  - Token: 36, 636, WMIC.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process):
  - PID 3608 wrote to memory of 2264, 3608, TimeTime.exe, TimeTime.exe
  - PID 3608 wrote to memory of 2264, 3608, TimeTime.exe, TimeTime.exe
  - PID 3608 wrote to memory of 2264, 3608, TimeTime.exe, TimeTime.exe
  - PID 2264 wrote to memory of 364, 2264, TimeTime.exe, svchost.exe
  - PID 2264 wrote to memory of 364, 2264, TimeTime.exe, svchost.exe
  - PID 2264 wrote to memory of 364, 2264, TimeTime.exe, svchost.exe
  - PID 364 wrote to memory of 2784, 364, svchost.exe, svchost.exe
  - PID 364 wrote to memory of 2784, 364, svchost.exe, svchost.exe
  - PID 364 wrote to memory of 2784, 364, svchost.exe, svchost.exe
  - PID 364 wrote to memory of 2752, 364, svchost.exe, svchost.exe
  - PID 364 wrote to memory of 2752, 364, svchost.exe, svchost.exe
  - PID 364 wrote to memory of 2752, 364, svchost.exe, svchost.exe
  - PID 364 wrote to memory of 1140, 364, svchost.exe, svchost.exe
  - PID 364 wrote to memory of 1140, 364, svchost.exe, svchost.exe
  - PID 364 wrote to memory of 1140, 364, svchost.exe, svchost.exe
  - PID 2784 wrote to memory of 2416, 2784, svchost.exe, cmd.exe
  - PID 2784 wrote to memory of 2416, 2784, svchost.exe, cmd.exe
  - PID 2784 wrote to memory of 2416, 2784, svchost.exe, cmd.exe
  - PID 2416 wrote to memory of 2616, 2416, cmd.exe, vssadmin.exe
  - PID 2416 wrote to memory of 2616, 2416, cmd.exe, vssadmin.exe
  - PID 2416 wrote to memory of 2616, 2416, cmd.exe, vssadmin.exe
  - PID 2416 wrote to memory of 636, 2416, cmd.exe, WMIC.exe
  - PID 2416 wrote to memory of 636, 2416, cmd.exe, WMIC.exe
  - PID 2416 wrote to memory of 636, 2416, cmd.exe, WMIC.exe
  - PID 2784 wrote to memory of 3720, 2784, svchost.exe, cmd.exe
  - PID 2784 wrote to memory of 3720, 2784, svchost.exe, cmd.exe
  - PID 2784 wrote to memory of 3720, 2784, svchost.exe, cmd.exe
  - PID 2784 wrote to memory of 3116, 2784, svchost.exe, cmd.exe
  - PID 2784 wrote to memory of 3116, 2784, svchost.exe, cmd.exe
  - PID 2784 wrote to memory of 3116, 2784, svchost.exe, cmd.exe
Processes (process tree; each entry gives the image path, the command line, and the signatures hit)
- C:\Users\Admin\AppData\Local\Temp\TimeTime.exe
  "C:\Users\Admin\AppData\Local\Temp\TimeTime.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\TimeTime.exe
    "C:\Users\Admin\AppData\Local\Temp\TimeTime.exe" /c
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe" /x
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe" /x1
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
          - C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        - C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe" /x2
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe" /x3
        - Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
  MD5: 4281b0b0b43289aae7f4a10177a90186
  SHA1: e30aaa3225c070dac9e21de55b3e9136e5a76a1e
  SHA256: 1e4b22c219c549efcdb74def4a92ba4fae6966eabee3e958828228b22129aa47
  SHA512: 29d6f029de06839baf3ece633fb7ab13ec6359b59f640b249b26cd21c04f3f5429fdecc16d119f834c2682060d769aa1fcf6764c985e4b5d519ab71551a9a3c5
- C:\Users\Admin\AppData\Roaming\svchost.exe
  MD5: 8345d2b0dc8fd2134d12856557b15181
  SHA1: a4c5ea013f8fc27d4079b5cd9f710bdbca02011f
  SHA256: 5ee8500fe1a2f22029908d4e2b32e7fb85aec03ffea714f3b5e82ebb2bc10f21
  SHA512: bdfc9573df999957269f5bef22f7f20e75eae37765b9013f1971b4507d2f5420d591898aa4a535bc5158ab6367921dbf597378225aa02dd1a25f42b60624397e