Analysis
- max time kernel: 148s
- max time network: 6s
- platform: windows7_x64
- resource: win7v200430
- submitted: 16-05-2020 14:33
Tasks
- Static task: static1
- Behavioral task behavioral1: sample 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe, resource win7v200430
- Behavioral task behavioral2: sample 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe, resource win10v200430
General
- Target: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
- Size: 324KB
- MD5: 142a9f0015e581fc7b88db66eec5bf77
- SHA1: c9dae1b23c711ef916a55616bf0bd558c51ce97c
- SHA256: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2
- SHA512: 9cc7d6f6fc0c67a9bd48511094ae1fd16eb04a8876be62c4ab2c319a4b4a6108feb7528a1830e6182bafa3b53b6edb6322fef42827fb25001fd1629ba7c9521a
Malware Config
Extracted from: C:\697CB8-DECRYPT.txt
- EMAIL:test@mail.com
- REPEAT:test@mail.com
Signatures

Drops file in Program Files directory (3 IoCs)
Processes:
- File created: C:\Program Files\LimitRestore.697CB8 (process: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe)
- File created: C:\Program Files\RedoUpdate.697CB8 (process: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe)
- File created: C:\Program Files\697CB8-DECRYPT.txt (process: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe)

Runs ping.exe (1 TTP, 1 IoC)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- Token: SeBackupPrivilege (PID 1448, vssvc.exe)
- Token: SeRestorePrivilege (PID 1448, vssvc.exe)
- Token: SeAuditPrivilege (PID 1448, vssvc.exe)
- Token: SeIncBasePriorityPrivilege (PID 880, 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe)

Deletes itself (1 IoC)
Processes:
- PID 1520, cmd.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 1060, notepad.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 1048, vssadmin.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- PID 880, 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe (3 identical entries)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
- PID 880 wrote to memory of 1048: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe -> vssadmin.exe (4 identical entries)
- PID 880 wrote to memory of 1060: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe -> notepad.exe (4 identical entries)
- PID 880 wrote to memory of 1520: 5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe -> cmd.exe (4 identical entries)
- PID 1520 wrote to memory of 1680: cmd.exe -> PING.EXE (4 identical entries)

Modifies service (2 TTPs, 4 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (process: vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (process: vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (process: vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (process: vssvc.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes

- C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe (PID 880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe"
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\vssadmin.exe (PID 1048)
    Command line: vssadmin.exe delete shadows /all /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\notepad.exe (PID 1060)
    Command line: notepad.exe "C:\Users\Admin\AppData\Local\Temp\697CB8-DECRYPT.txt"
    - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\cmd.exe (PID 1520)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 && del /f/q "C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 1680)
      Command line: ping 127.0.0.1 -n 3
      - Runs ping.exe
- C:\Windows\system32\vssvc.exe (PID 1448)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service