Analysis
- max time kernel: 151s
- max time network: 44s
- platform: windows7_x64
- resource: win7v200430
- submitted: 31-05-2020 11:49
Static task: static1
Behavioral task: behavioral1
- Sample: ransom.bin.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: ransom.bin.exe
- Resource: win10v200430
General
- Target: ransom.bin.exe
- Size: 82KB
- MD5: 50a8eaf7e9aacf554862a4dd4a44f70f
- SHA1: 81fce02871932bbc6811fb955471ff90b5f29190
- SHA256: adc2f5649973f922dc8294df91c63303870178c8a6839c1a9e8c9e4c4516bfd0
- SHA512: 416e15f6dc1e25c867011a90645775c6a30add95578082b19950641e28a22bd8c049b5f8c02d5d7514e6b5db0e646e91995b09ea3a58ab7bce9726e60a9f2cf4
Malware Config
Extracted from: C:\Users\Admin\ReadMe.txt
- jerjis@tuta.io
- jerjis@tutamail.com
Signatures
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes (pid, process):
  - 1516 ransom.bin.exe
- Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes (description, pid, process, target process):
  - PID 1516 wrote to memory of 1032 | 1516 ransom.bin.exe | cmd.exe
  - PID 1516 wrote to memory of 1032 | 1516 ransom.bin.exe | cmd.exe
  - PID 1516 wrote to memory of 1032 | 1516 ransom.bin.exe | cmd.exe
  - PID 1516 wrote to memory of 1792 | 1516 ransom.bin.exe | cmd.exe
  - PID 1516 wrote to memory of 1792 | 1516 ransom.bin.exe | cmd.exe
  - PID 1516 wrote to memory of 1792 | 1516 ransom.bin.exe | cmd.exe
  - PID 1516 wrote to memory of 1820 | 1516 ransom.bin.exe | cmd.exe
  - PID 1516 wrote to memory of 1820 | 1516 ransom.bin.exe | cmd.exe
  - PID 1516 wrote to memory of 1820 | 1516 ransom.bin.exe | cmd.exe
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  Processes (description, pid, process):
  - Token: SeDebugPrivilege | 1516 ransom.bin.exe
  - Token: SeBackupPrivilege | 1840 vssvc.exe
  - Token: SeRestorePrivilege | 1840 vssvc.exe
  - Token: SeAuditPrivilege | 1840 vssvc.exe
- Drops startup file 3 IoCs
  Processes (description, ioc, process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ransom.exe | ransom.bin.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ransom.exe | ransom.bin.exe
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.hta | ransom.bin.exe
- Interacts with shadow copies 2 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  - 1748 vssadmin.exe
- Drops file in Program Files directory 5661 IoCs
- Drops desktop.ini file(s) 38 IoCs
- Modifies service 2 TTPs 15 IoCs
  Processes (description, ioc, process):
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
  - Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
Processes (indentation shows the parent/child tree; depth 1 is a root process)
- C:\Users\Admin\AppData\Local\Temp\ransom.bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ransom.bin.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Drops startup file
  - Drops file in Program Files directory
  - Drops desktop.ini file(s)
  - C:\Windows\system32\cmd.exe
    command line: "cmd.exe"
    - C:\Windows\system32\netsh.exe
      command line: netsh.exe netsh advfirewall set currentprofile state off
      - Modifies service
  - C:\Windows\system32\cmd.exe
    command line: "cmd.exe"
    - C:\Windows\system32\netsh.exe
      command line: netsh.exe netsh firewall set opmode mode=disable
      - Modifies service
  - C:\Windows\system32\cmd.exe
    command line: "cmd" /C vssadmin Delete Shadows /All /Quiet
    - C:\Windows\system32\vssadmin.exe
      command line: vssadmin Delete Shadows /All /Quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service