Analysis
max time kernel: 142s
max time network: 36s
platform: windows7_x64
resource: win7v200430
submitted: 28-06-2020 16:12
Static task: static1
Behavioral task: behavioral1
  Sample: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
  Resource: win10
General
Target: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
Size: 156KB
MD5: fcd21c6fca3b9378961aa1865bee7ecb
SHA1: 0abaa05da2a05977e0baf68838cff1712f1789e0
SHA256: 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
SHA512: e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt
  txdot911@protonmail.com
Signatures

Processes:
  pid   process
  1644  wbadmin.exe
Suspicious use of AdjustPrivilegeToken  13 IoCs
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  1624  wevtutil.exe
  Token: SeSecurityPrivilege  1604  wevtutil.exe
  Token: SeBackupPrivilege    1624  wevtutil.exe
  Token: SeBackupPrivilege    1604  wevtutil.exe
  Token: SeSecurityPrivilege  1648  wevtutil.exe
  Token: SeBackupPrivilege    1648  wevtutil.exe
  Token: SeSecurityPrivilege  1616  wevtutil.exe
  Token: SeBackupPrivilege    1616  wevtutil.exe
  Token: SeSecurityPrivilege  1608  wevtutil.exe
  Token: SeBackupPrivilege    1608  wevtutil.exe
  Token: SeBackupPrivilege    1864  wbengine.exe
  Token: SeRestorePrivilege   1864  wbengine.exe
  Token: SeSecurityPrivilege  1864  wbengine.exe
Disables use of System Restore points  1 TTPs

Deletes system backup catalog  2 TTPs
Ransomware often tries to delete backup files to inhibit system recovery.

Clears Windows event logs  1 TTPs
Suspicious behavior: EnumeratesProcesses  9 IoCs
Processes:
  pid   process                                                               count
  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  9
Suspicious use of WriteProcessMemory  48 IoCs
Processes (each entry was reported 4 times; pid 1520 is 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe in every row):
  description                      pid   process                                                               target process  count
  PID 1520 wrote to memory of 1340  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  fsutil.exe      4
  PID 1520 wrote to memory of 628   1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  schtasks.exe    4
  PID 1520 wrote to memory of 632   1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  bcdedit.exe     4
  PID 1520 wrote to memory of 1904  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  bcdedit.exe     4
  PID 1520 wrote to memory of 1604  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  wevtutil.exe    4
  PID 1520 wrote to memory of 1616  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  wevtutil.exe    4
  PID 1520 wrote to memory of 1608  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  wevtutil.exe    4
  PID 1520 wrote to memory of 1648  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  wevtutil.exe    4
  PID 1520 wrote to memory of 1624  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  wevtutil.exe    4
  PID 1520 wrote to memory of 1644  1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  wbadmin.exe     4
  PID 1520 wrote to memory of 956   1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  cipher.exe      4
  PID 1520 wrote to memory of 300   1520  4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe  cipher.exe      4
Modifies boot configuration data using bcdedit  1 TTPs  2 IoCs
Processes:
  pid   process
  632   bcdedit.exe
  1904  bcdedit.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\fsutil.exe
    command line: "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
  C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  C:\Windows\SysWOW64\cipher.exe
    command line: "C:\Windows\System32\cipher.exe" /w:D:
  C:\Windows\SysWOW64\cipher.exe
    command line: "C:\Windows\System32\cipher.exe" /w:C:
  C:\Windows\System32\bcdedit.exe
    command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
  C:\Windows\System32\bcdedit.exe
    command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit
  C:\Windows\System32\wbadmin.exe
    command line: "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
    - Deletes backup catalog
  C:\Windows\System32\wevtutil.exe
    command line: "C:\Windows\System32\wevtutil.exe" sl Security /e:false
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\wevtutil.exe
    command line: "C:\Windows\System32\wevtutil.exe" cl Security
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\wevtutil.exe
    command line: "C:\Windows\System32\wevtutil.exe" cl System
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\wevtutil.exe
    command line: "C:\Windows\System32\wevtutil.exe" cl Setup
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\wevtutil.exe
    command line: "C:\Windows\System32\wevtutil.exe" cl Application
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/300-10-0x0000000000000000-mapping.dmp
- memory/628-2-0x0000000000000000-mapping.dmp
- memory/632-1-0x0000000000000000-mapping.dmp
- memory/956-11-0x0000000000000000-mapping.dmp
- memory/1340-0-0x0000000000000000-mapping.dmp
- memory/1604-7-0x0000000000000000-mapping.dmp
- memory/1608-9-0x0000000000000000-mapping.dmp
- memory/1616-8-0x0000000000000000-mapping.dmp
- memory/1624-5-0x0000000000000000-mapping.dmp
- memory/1644-3-0x0000000000000000-mapping.dmp
- memory/1648-4-0x0000000000000000-mapping.dmp
- memory/1904-6-0x0000000000000000-mapping.dmp