Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows7_x64
- resource: win7
- submitted: 04-07-2020 15:21
Static task: static1
Behavioral task: behavioral1
  Sample: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
  Resource: win10v200430
General
- Target: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
- Size: 2.0MB
- MD5: 13ee6ed04ada2524eabdf26bcc4849fe
- SHA1: ea5aa317603aea0a39972f521792edc62d941fbc
- SHA256: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6
- SHA512: 8fd889ffc305e39702c7f2c2b798dfc5c0ea29ce9c39268321ad2917e8a90ee373862bff12bb6613f4ba3a2becc9236534f53a7aba85c248363aa419dc902920
Malware Config
Extracted
- C:\Users\Admin\Desktop\READ_ME_Heyyyyyyy.txt
- 1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX
Signatures

Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes: xc.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | xc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\svñhîst = "%USERPROFILE%\\AppData\\Local\\Temp\\xc.exe" | xc.exe
Loads dropped DLL (1 IoC)
Processes: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
pid | process
1060 | 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe, XVlBzgbaiC.exe, xX.exe, cmd.exe
description | pid | process | target process
PID 1060 wrote to memory of 1308 | 1060 | 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe | XVlBzgbaiC.exe
PID 1060 wrote to memory of 1308 | 1060 | 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe | XVlBzgbaiC.exe
PID 1060 wrote to memory of 1308 | 1060 | 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe | XVlBzgbaiC.exe
PID 1060 wrote to memory of 1308 | 1060 | 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe | XVlBzgbaiC.exe
PID 1308 wrote to memory of 1496 | 1308 | XVlBzgbaiC.exe | xX.exe
PID 1308 wrote to memory of 1496 | 1308 | XVlBzgbaiC.exe | xX.exe
PID 1308 wrote to memory of 1496 | 1308 | XVlBzgbaiC.exe | xX.exe
PID 1308 wrote to memory of 1496 | 1308 | XVlBzgbaiC.exe | xX.exe
PID 1308 wrote to memory of 1616 | 1308 | XVlBzgbaiC.exe | xc.exe
PID 1308 wrote to memory of 1616 | 1308 | XVlBzgbaiC.exe | xc.exe
PID 1308 wrote to memory of 1616 | 1308 | XVlBzgbaiC.exe | xc.exe
PID 1308 wrote to memory of 1616 | 1308 | XVlBzgbaiC.exe | xc.exe
PID 1496 wrote to memory of 1904 | 1496 | xX.exe | cmd.exe
PID 1496 wrote to memory of 1904 | 1496 | xX.exe | cmd.exe
PID 1496 wrote to memory of 1904 | 1496 | xX.exe | cmd.exe
PID 1496 wrote to memory of 1904 | 1496 | xX.exe | cmd.exe
PID 1904 wrote to memory of 1948 | 1904 | cmd.exe | timeout.exe
PID 1904 wrote to memory of 1948 | 1904 | cmd.exe | timeout.exe
PID 1904 wrote to memory of 1948 | 1904 | cmd.exe | timeout.exe
PID 1904 wrote to memory of 1948 | 1904 | cmd.exe | timeout.exe
Executes dropped EXE (3 IoCs)
Processes: XVlBzgbaiC.exe, xX.exe, xc.exe
pid | process
1308 | XVlBzgbaiC.exe
1496 | xX.exe
1616 | xc.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: xc.exe
pid | process
1616 | xc.exe
1616 | xc.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: xX.exe
description | pid | process
Token: SeDebugPrivilege | 1496 | xX.exe
Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
pid | process
1948 | timeout.exe
Modifies Internet Explorer settings
Processes: xc.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main | xc.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | xc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | xc.exe
Modifies system certificate store
Processes: xc.exe, xX.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <binary value omitted> | xc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | xX.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <binary value omitted> | xX.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | xc.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: xX.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\ransom.jpg" | xX.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg" | xX.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE

    [depth 3] C:\Users\Admin\AppData\Local\Temp\xX.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xX.exe"
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Modifies system certificate store
      - Sets desktop wallpaper using registry

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C timeout 2 && Del /Q /F C:\Users\Admin\AppData\Local\Temp\xX.exe
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 2
          - Delays execution with timeout.exe

    [depth 3] C:\Users\Admin\AppData\Local\Temp\xc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xc.exe"
      - Adds Run entry to start application
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Modifies Internet Explorer settings
      - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
- C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
- C:\Users\Admin\AppData\Local\Temp\xX.exe
- C:\Users\Admin\AppData\Local\Temp\xX.exe
- C:\Users\Admin\AppData\Local\Temp\xc.exe
- C:\Users\Admin\AppData\Local\Temp\xc.exe
- \Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
- memory/1308-1-0x0000000000000000-mapping.dmp
- memory/1496-4-0x0000000000000000-mapping.dmp
- memory/1616-6-0x0000000000000000-mapping.dmp
- memory/1904-15-0x0000000000000000-mapping.dmp
- memory/1948-20-0x0000000000000000-mapping.dmp