Analysis
- max time kernel: 84s
- max time network: 138s
- platform: windows7_x64
- resource: win7v200722
- submitted: 23-08-2020 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: DirectX_Update.bin.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: DirectX_Update.bin.exe
  Resource: win10
General
- Target: DirectX_Update.bin.exe
- Size: 401KB
- MD5: feaccffc7990693228933d5a5f67b833
- SHA1: adcad8fe079bfcfdcf09cca72920d5e93d61594a
- SHA256: 30718dcdb6fc8e48a442f5b1f63e413e69f6cf2a279fed1c7c80e9517a133317
- SHA512: 739151a037f3a27699c4f14df4e613e0f86bc6e39988fbceb978935c6a048de3c4ce8117b413a17bc8a1a1d0f4dbb5867a96eb5d0fa369c020a8c39e40535c03
Malware Config
Extracted
- Ransom note: C:\ATTENTION-feeef-README.txt
- http://restore-now.top/online-chat/
- http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (DirectX_Update.bin.exe):
- File renamed: C:\Users\Admin\Pictures\UnpublishUndo.raw => C:\Users\Admin\Pictures\UnpublishUndo.raw.feeef
- File opened for modification: C:\Users\Admin\Pictures\ConfirmPop.tiff
- File renamed: C:\Users\Admin\Pictures\ConfirmPop.tiff => C:\Users\Admin\Pictures\ConfirmPop.tiff.feeef
- File renamed: C:\Users\Admin\Pictures\RemoveSplit.tif => C:\Users\Admin\Pictures\RemoveSplit.tif.feeef
- File renamed: C:\Users\Admin\Pictures\SendConfirm.crw => C:\Users\Admin\Pictures\SendConfirm.crw.feeef
- File renamed: C:\Users\Admin\Pictures\UnprotectEdit.raw => C:\Users\Admin\Pictures\UnprotectEdit.raw.feeef
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (DirectX_Update.bin.exe):
- Key created: \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fuck_this_PC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DirectX_Update.bin.exe"
-
Drops desktop.ini file(s) 26 IoCs
Processes (all "File created" by DirectX_Update.bin.exe):
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Public\Music\Sample Music\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Users\Public\Recorded TV\Sample Media\desktop.ini
- C:\Users\Public\Videos\Sample Videos\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Favorites\Links for United States\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Public\Recorded TV\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Public\Music\desktop.ini
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies service 2 TTPs 4 IoCs
Processes (vssvc.exe):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes (DirectX_Update.bin.exe):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier
-
Modifies system certificate store 2 IoCs
Processes (DirectX_Update.bin.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted)
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
- pid 852, DirectX_Update.bin.exe (32 identical entries)
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
- WMIC.exe (pid 768), each privilege adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- vssvc.exe (pid 1004): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 852 (DirectX_Update.bin.exe) wrote to memory of PID 1316 (cmd.exe), 4 times
- PID 1316 (cmd.exe) wrote to memory of PID 768 (WMIC.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\DirectX_Update.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DirectX_Update.bin.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates system info in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wmic.exe shadowcopy delete
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/768-65-0x0000000000000000-mapping.dmp
- memory/852-0-0x0000000000860000-0x0000000000871000-memory.dmp (filesize 68KB)
- memory/852-1-0x00000000024B0000-0x00000000024C1000-memory.dmp (filesize 68KB)
- memory/852-2-0x0000000000860000-0x0000000000871000-memory.dmp (filesize 68KB)
- memory/1316-64-0x0000000000000000-mapping.dmp
- memory/1568-66-0x000007FEF7C60000-0x000007FEF7EDA000-memory.dmp (filesize 2.5MB)