Analysis
- max time kernel: 136s
- max time network: 134s
- platform: windows10_x64
- resource: win10v200430
- submitted: 04-07-2020 15:21
Static task: static1
Behavioral task: behavioral1
- Sample: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
- Resource: win10v200430
General
- Target: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
- Size: 2.0MB
- MD5: 13ee6ed04ada2524eabdf26bcc4849fe
- SHA1: ea5aa317603aea0a39972f521792edc62d941fbc
- SHA256: 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6
- SHA512: 8fd889ffc305e39702c7f2c2b798dfc5c0ea29ce9c39268321ad2917e8a90ee373862bff12bb6613f4ba3a2becc9236534f53a7aba85c248363aa419dc902920
Malware Config
Extracted
- C:\Users\Admin\Desktop\READ_ME_Heyyyyyyy.txt
- 1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 3908 XVlBzgbaiC.exe
  - PID 648 xX.exe
  - PID 752 xc.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - PID 752 xc.exe
  - PID 752 xc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - PID 648 xX.exe: Token: SeDebugPrivilege
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Processes:
  - xc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\svñhîst = "%USERPROFILE%\\AppData\\Local\\Temp\\xc.exe"
  - xc.exe: Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Modifies Internet Explorer settings
  Processes:
  - xc.exe: Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  - xc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  - xX.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\ransom.jpg"
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  - PID 3884 timeout.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  - PID 3944 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe wrote to memory of PID 3908 XVlBzgbaiC.exe (2 IoCs)
  - PID 3908 XVlBzgbaiC.exe wrote to memory of PID 648 xX.exe (3 IoCs)
  - PID 3908 XVlBzgbaiC.exe wrote to memory of PID 752 xc.exe (3 IoCs)
  - PID 648 xX.exe wrote to memory of PID 4024 cmd.exe (3 IoCs)
  - PID 4024 cmd.exe wrote to memory of PID 3884 timeout.exe (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xX.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xX.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Sets desktop wallpaper using registry
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C timeout 2 && Del /Q /F C:\Users\Admin\AppData\Local\Temp\xX.exe
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 2
          - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\xc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xc.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Adds Run entry to start application
      - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
- C:\Users\Admin\AppData\Local\Temp\xX.exe
- C:\Users\Admin\AppData\Local\Temp\xc.exe
- memory/648-5-0x0000000000000000-mapping.dmp
- memory/752-7-0x0000000000000000-mapping.dmp
- memory/3884-12-0x0000000000000000-mapping.dmp
- memory/3908-2-0x0000000000000000-mapping.dmp
- memory/4024-11-0x0000000000000000-mapping.dmp