Analysis
- max time kernel: 38s
- max time network: 6s
- platform: windows7_x64
- resource: win7v200430
- submitted: 26-06-2020 13:11
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: sample.exe, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: sample.exe, Resource: win10)
General
- Target: sample.exe
- Size: 56KB
- MD5: ecb00e9a61f99a7d4c90723294986bbc
- SHA1: be59c867da75e2a66b8c2519e950254f817cd4ad
- SHA256: 8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80
- SHA512: 9dee79827d865de41a63962b419eed7e1f9610ff27f00f8b7b2b9f51e905d5db907d310da590d8f1a11ac88e549373edf39bffdb44d1b205728f1b5e0a43aa5e
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1500  Fx:bin
  1864  Fx.exe

NTFS ADS (1 IoC)
Processes:
  description                   ioc                                    process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Fx:bin  sample.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid  process
  840  vssadmin.exe

Modifies service (2 TTPs, 5 IoCs)
Processes:
  description  ioc                                                                                                   process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer                                vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                                       vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer                  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                                  vssvc.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1440  sample.exe
  1440  sample.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeBackupPrivilege    1604  vssvc.exe
  Token: SeRestorePrivilege   1604  vssvc.exe
  Token: SeAuditPrivilege     1604  vssvc.exe

Deletes itself (1 IoC)
Processes:
  pid   process
  1596  cmd.exe

Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  pid   process
  1768  takeown.exe
  1244  icacls.exe

Possible privilege escalation attempt (2 IoCs)
Processes:
  pid   process
  1768  takeown.exe
  1244  icacls.exe

Views/modifies file attributes (1 TTP, 3 IoCs)
Processes:
  pid   process
  1960  attrib.exe
  1932  attrib.exe
  1956  attrib.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                         process
  File opened for modification  C:\Windows\SysWOW64\Fx.exe  Fx:bin
  File opened for modification  C:\Windows\SysWOW64\Fx.exe  attrib.exe

Suspicious use of WriteProcessMemory (52 IoCs)
Processes (each of the 13 parent/target pairs below was recorded 4 times, giving 52 IoCs):
  description                           pid   process     target process
  PID 1440 wrote to memory of 1500      1440  sample.exe  Fx:bin
  PID 1500 wrote to memory of 840       1500  Fx:bin      vssadmin.exe
  PID 1500 wrote to memory of 1768      1500  Fx:bin      takeown.exe
  PID 1500 wrote to memory of 1244      1500  Fx:bin      icacls.exe
  PID 1864 wrote to memory of 524       1864  Fx.exe      cmd.exe
  PID 1500 wrote to memory of 1624      1500  Fx:bin      cmd.exe
  PID 1440 wrote to memory of 1596      1440  sample.exe  cmd.exe
  PID 524 wrote to memory of 1620       524   cmd.exe     choice.exe
  PID 1624 wrote to memory of 1548      1624  cmd.exe     choice.exe
  PID 1596 wrote to memory of 1928      1596  cmd.exe     choice.exe
  PID 524 wrote to memory of 1956       524   cmd.exe     attrib.exe
  PID 1624 wrote to memory of 1960      1624  cmd.exe     attrib.exe
  PID 1596 wrote to memory of 1932      1596  cmd.exe     attrib.exe
Processes (process tree; indentation shows parent/child depth, each entry gives the image path, the command line, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - NTFS ADS
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Fx:bin
      command line: C:\Users\Admin\AppData\Roaming\Fx:bin -r
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
          command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies

        C:\Windows\SysWOW64\takeown.exe
          command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Fx.exe
          - Modifies file permissions
          - Possible privilege escalation attempt

        C:\Windows\SysWOW64\icacls.exe
          command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Fx.exe /reset
          - Modifies file permissions
          - Possible privilege escalation attempt

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Fx" & del "C:\Users\Admin\AppData\Roaming\Fx"
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\choice.exe
              command line: choice /t 10 /d y

            C:\Windows\SysWOW64\attrib.exe
              command line: attrib -h "C:\Users\Admin\AppData\Roaming\Fx"
              - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\sample.exe" & del "C:\Users\Admin\AppData\Local\Temp\sample.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\choice.exe
          command line: choice /t 10 /d y

        C:\Windows\SysWOW64\attrib.exe
          command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\sample.exe"
          - Views/modifies file attributes

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\Fx.exe
  command line: C:\Windows\SysWOW64\Fx.exe -s
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Fx.exe" & del "C:\Windows\SysWOW64\Fx.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\choice.exe
          command line: choice /t 10 /d y

        C:\Windows\SysWOW64\attrib.exe
          command line: attrib -h "C:\Windows\SysWOW64\Fx.exe"
          - Views/modifies file attributes
          - Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files)
- C:\Users\Admin\AppData\Roaming\Fx:bin
- C:\Windows\SysWOW64\Fx.exe
- \Users\Admin\AppData\Roaming\Fx