Analysis Overview
SHA256
1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a
Threat Level: Known bad
The file quickbuck.exe was found to be: Known bad.
Malicious Activity Summary
Hive
Deletes shadow copies
Executes dropped EXE
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-09 04:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-09 04:11
Reported
2022-06-09 04:16
Platform
win10v2004-20220414-en
Max time kernel
268s
Max time network
278s
Command Line
Signatures
Hive
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
quickbuck.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
quickbuck.exe run
C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE
C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE stage quickbuck.exe run --disable-macro-simulation
C:\Windows\system32\cmd.exe
cmd.exe /c "quickbuck.exe run --disable-macro-simulation"
C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
quickbuck.exe run --disable-macro-simulation
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /for=norealvolume /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ransomware-simulator-note.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ransomware-simulator-note.txt
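The process chain listed above (quickbuck.exe copying itself to WINWORD.EXE in the user's Temp directory, that copy spawning cmd.exe, and the relaunched simulator calling vssadmin delete shadows) is the part of this report a detection engineer would key on. As an added example that is not part of the sandbox report or of the simulator's own code, the following Python runs four process-creation rules over event records constructed from the command lines in the Processes section. The pids and parent links are assumptions (the report lists no process ids), the rule names are the author's, and the shadow-copy rule deliberately matches the command line rather than the outcome, so it does not depend on whether vssadmin actually removed anything (the recorded invocation targets /for=norealvolume).

```python
"""Process-creation detections for the chain recorded in this report.

Added example, not part of the sandbox report or of the sample's own code.
The events below are constructed from the Processes section; pid/ppid values
are assumed because the report lists no process ids.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process list; pids and parent links are assumed.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe"'),
    ProcEvent(1001, 1, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
              r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    ProcEvent(1002, 1000, r"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe", "quickbuck.exe run"),
    ProcEvent(1003, 1002, r"C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE",
              r"C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE stage quickbuck.exe run --disable-macro-simulation"),
    ProcEvent(1004, 1003, r"C:\Windows\system32\cmd.exe",
              'cmd.exe /c "quickbuck.exe run --disable-macro-simulation"'),
    ProcEvent(1005, 1004, r"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe",
              "quickbuck.exe run --disable-macro-simulation"),
    ProcEvent(1006, 1005, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin delete shadows /for=norealvolume /all /quiet"),
    ProcEvent(1007, 1005, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ransomware-simulator-note.txt'),
    ProcEvent(1008, 1, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# vssadmin and wmic are the two classic living-off-the-land ways to wipe
# volume shadow copies (ATT&CK T1490, Inhibit System Recovery).
SHADOW_DELETE = re.compile(r"\b(delete\s+shadows|shadowcopy\s+delete)\b", re.IGNORECASE)


def _name(image: str) -> str:
    # ntpath handles backslash paths regardless of the host running this script.
    return ntpath.basename(image).lower()


def shadow_copy_deletion(ev, parent):
    """vssadmin/wmic asked to delete shadow copies. Matches the command line,
    not the outcome, so it fires even when the named volume does not exist."""
    return _name(ev.image) in {"vssadmin.exe", "wmic.exe"} and bool(SHADOW_DELETE.search(ev.cmdline))


def office_spawns_shell(ev, parent):
    """An Office-named parent starting a shell or script host."""
    return parent is not None and _name(parent.image) in OFFICE_IMAGES and _name(ev.image) in SHELL_IMAGES


def office_image_outside_program_files(ev, parent):
    """An image named like Office running from outside Program Files (T1036);
    the WINWORD.EXE in this report lives in the user's Temp directory."""
    return _name(ev.image) in OFFICE_IMAGES and not ev.image.lower().startswith("c:\\program files")


def exec_from_temp(ev, parent):
    """Any .exe launched from %LOCALAPPDATA%\\Temp. Low fidelity on its own,
    but useful context next to the other hits."""
    img = ev.image.lower()
    return "\\appdata\\local\\temp\\" in img and img.endswith(".exe")


RULES = {
    "shadow_copy_deletion": shadow_copy_deletion,
    "office_spawns_shell": office_spawns_shell,
    "office_image_outside_program_files": office_image_outside_program_files,
    "exec_from_temp": exec_from_temp,
}


def run_detections(events):
    """Return (rule_name, pid) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)  # None when the parent is outside the event set
        for rule_name, rule in RULES.items():
            if rule(ev, parent):
                hits.append((rule_name, ev.pid))
    return hits


def rules_for(hits, pid):
    """Sorted rule names that fired for one pid."""
    return sorted(name for name, p in hits if p == pid)


if __name__ == "__main__":
    for rule_name, pid in run_detections(EVENTS):
        print(f"{rule_name:36s} pid={pid}")
```

Run against the constructed events, the vssadmin child and the cmd.exe child of WINWORD.EXE each fire one rule, the Temp-resident WINWORD.EXE fires two, and the rundll32.exe, NOTEPAD.EXE and taskmgr.exe records fire none; the registry reads and privilege adjustments attributed to taskmgr.exe elsewhere in this report are not process-creation signals and are out of scope for these rules.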
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.msn.com | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| IE | 20.54.110.249:443 | | tcp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | store-images.s-microsoft.com | udp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
Files
memory/5036-130-0x0000000000000000-mapping.dmp
memory/224-131-0x0000000000000000-mapping.dmp
memory/4532-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE
| MD5 | 5764e41fede27bf9c984242c2b7bfd33 |
| SHA1 | e5b4178bdebf7a59e97c56235cff472b18440359 |
| SHA256 | 1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a |
| SHA512 | a3610ca12b1ebfd0a618fae7c0e8f655d879156a0b850c4dd8e0e8827d6719f67ad5facad7496aac3adcafbf79f0195adb5ab62d900202f07ed4ec380e516379 |
memory/2104-135-0x0000000000000000-mapping.dmp
memory/3240-136-0x0000000000000000-mapping.dmp
memory/2256-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\ransomware-simulator-note.txt
| MD5 | 79cc7032c1e40b959f09bdab991dadde |
| SHA1 | 6b3f5b9902856f7a72efad1a781ecc4debcaec95 |
| SHA256 | f292053578c0c2e0feefae5e6d64091c74d3e6de693801feed19fa2f8614321d |
| SHA512 | a46cf65089a71c1e2b280795cf44be51565da8ae11382061f719712b0644339319bbecb59879eb3df5dcef4b892be6b9a6ab82a78cde628ca533256891891ce6 |