Analysis

  • max time kernel
    152s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    02-05-2020 23:41

General

  • Target

    RapeD.exe

  • Size

    92KB

  • MD5

    b709b29f7b84533ad0899a6fb739f0d1

  • SHA1

    9649c54ef995f14f702191c618221331d1058c38

  • SHA256

    e264b1a0c00bcb0329845d7155bd540dfe3909f8bf72d2572db0f56bdcbb99ed

  • SHA512

    d45b583dd5b6fbe6b2360526e94df2d105f4019aef60f8f224a3ef462dd058e4d8de1ddbded8284e05487341760f92e9468cabc15a9d93b38b86cc89bce97fb5

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 285 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Drops startup file 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 77 IoCs
  • Drops file in Program Files directory 27842 IoCs
  • Adds Run entry to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Dharma

    Dharma is a ransomware family that uses security software installation to hide malicious activities.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies service 2 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RapeD.exe
    "C:\Users\Admin\AppData\Local\Temp\RapeD.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Adds Run entry to start application
    • Drops file in System32 directory
    PID:1032
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      PID:916
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:1768
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1788
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      PID:2036
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:1088
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1264
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Modifies Internet Explorer settings
      PID:1464
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      • Modifies Internet Explorer settings
      PID:1780
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1820
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
    1⤵
    PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder: T1060 (1)
    Modify Existing Service: T1031 (1)
  • Defense Evasion
    File Deletion: T1107 (2)
    Modify Registry: T1112 (3)
  • Credential Access
    Credentials in Files: T1081 (1)
  • Collection
    Data from Local System: T1005 (1)
  • Impact
    Inhibit System Recovery: T1490 (2)

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  • C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
  • memory/1464-10-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
    Filesize: 64KB