Overview

overview

9

Static

static

b2a27c3b5c...e3.exe

windows7_x64

9

b2a27c3b5c...e3.exe

windows10_x64

9

Resubmissions

04-05-2020 15:13

200504-6r5nmgfcka 10

21-04-2020 05:49

200421-nvrsxxs6e6 9

Analysis

  • max time kernel
    108s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7v200410
  • submitted
    21-04-2020 05:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

  • Size

    12KB

  • MD5

    4a7378c7ef7a9b72aa2b38019aa6fcdc

  • SHA1

    7e19a75d8a91fa2e4e6e7519609eb8c300a8a030

  • SHA256

    b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3

  • SHA512

    8eb4cfcd03315f5984ee6909cd33b3086227e610d78d24dd32525a421a92b440fe012f2b5403dbc10be8db875fa5db83731786578395fef44dde8394ec219441

Score
9/10
ransomwareevasionpersistence

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Deletes itself 1 IoCs
  • Modifies service 2 TTPs 10 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Drops startup file 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Drops desktop.ini file(s) 41 IoCs
  • Drops file in Program Files directory 11773 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
    "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Sets desktop wallpaper using registry
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\system32\vssadmin.exe
      delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1636
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
        PID:1692
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1768
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
        2⤵
          PID:1728
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {current} recoveryenabled no
            3⤵
            • Modifies boot configuration data using bcdedit
            PID:1620
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off
          2⤵
            PID:1752
            • C:\Windows\system32\netsh.exe
              netsh advfirewall set allprofiles state off
              3⤵
              • Modifies service
              PID:1644
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe" >> NUL
            2⤵
            • Deletes itself
            • Suspicious use of WriteProcessMemory
            PID:2016
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              3⤵
              • Delays execution with timeout.exe
              PID:2044
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Modifies service
          • Suspicious use of AdjustPrivilegeToken
          PID:996
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!read_me!.txt
          1⤵
            PID:316

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Modify Existing Service

          2
          T1031

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          File Deletion

          2
          T1107

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Defacement

          1
          T1491

          Inhibit System Recovery

          3
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads