Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-11-2020 11:23

Static task: static1
Behavioral task: behavioral1
- Sample: 0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07.exe
- Resource: win10v20201028
General
- Target: 0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07.exe
- Size: 2.7MB
- MD5: 006252b08e8a073c31d43cc03e1df107
- SHA1: 12378cadbb8642ab9178c1bf87499f244738140b
- SHA256: 0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07
- SHA512: 77b6b77e135be5266aca463edee263b3abfcdfe76893219ed769bbf128952c9109027d6ddaf1d46f1148850210a0aa8283f81aedb78a9c899ae140a1589f9103
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: luhkggtu.ati.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Label\\System.exe"
- Executes dropped EXE (6 IoCs)
  Processes (PID, image):
  - 4388 Install.sfx.exe
  - 3336 Install.exe
  - 3200 luhkggtu.ati.exe
  - 3408 fdsytbkb.jpw.exe
  - 896 fdsytbkb.jpw.tmp
  - 1068 System.exe
- Resources matching yara rule upx (UPX-packed), each matched twice:
  - C:\Users\Admin\AppData\Local\Temp\luhkggtu.ati.exe
  - C:\Users\Admin\Documents\Label\System.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - luhkggtu.ati.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\Documents\\Label\\System.exe"
  - System.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\Documents\\Label\\System.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 1 IoC)
  - xcopy.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  luhkggtu.ati.exe (PID 3200) and System.exe (PID 1068) each adjust the same 24 token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  - 1068 System.exe
- Suspicious use of WriteProcessMemory (49 IoCs)
  Writes grouped as source PID → target PID (source image → target image), with the number of recorded writes:
  - 4800 → 3660 (0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07.exe → cmd.exe): 3
  - 3660 → 4388 (cmd.exe → Install.sfx.exe): 3
  - 4388 → 3336 (Install.sfx.exe → Install.exe): 3
  - 3336 → 3200 (Install.exe → luhkggtu.ati.exe): 3
  - 3336 → 3408 (Install.exe → fdsytbkb.jpw.exe): 3
  - 3408 → 896 (fdsytbkb.jpw.exe → fdsytbkb.jpw.tmp): 3
  - 3200 → 1068 (luhkggtu.ati.exe → System.exe): 3
  - 1068 → 1200 (System.exe → notepad.exe): 22
  - 3660 → 1612 (cmd.exe → cmd.exe): 3
  - 3660 → 1728 (cmd.exe → xcopy.exe): 3
Processes
- C:\Users\Admin\AppData\Local\Temp\0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Decrypt.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.sfx.exe
      Command line: Install.sfx.exe -pdingdingdingdogdomgngfjnsjnfg -d\Users\Admin\AppData\Roaming\
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\luhkggtu.ati.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\luhkggtu.ati.exe"
          Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\Documents\Label\System.exe
            Command line: "C:\Users\Admin\Documents\Label\System.exe"
            Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\notepad.exe
              Command line: notepad
        - C:\Users\Admin\AppData\Local\Temp\fdsytbkb.jpw.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\fdsytbkb.jpw.exe"
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\is-47H7P.tmp\fdsytbkb.jpw.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-47H7P.tmp\fdsytbkb.jpw.tmp" /SL5="$10222,56832,0,C:\Users\Admin\AppData\Local\Temp\fdsytbkb.jpw.exe"
            Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO Y "
    - C:\Windows\SysWOW64\xcopy.exe
      Command line: xcopy /s "\Users\Admin\AppData\Roaming\Install.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
      Signatures: Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/896-14-0x0000000000000000-mapping.dmp
-
memory/1068-17-0x0000000000000000-mapping.dmp
-
memory/1200-20-0x0000000000000000-mapping.dmp
-
memory/1200-22-0x0000000000000000-mapping.dmp
-
memory/1200-21-0x0000000003310000-0x0000000003311000-memory.dmpFilesize
4KB
-
memory/1612-23-0x0000000000000000-mapping.dmp
-
memory/1728-24-0x0000000000000000-mapping.dmp
-
memory/3200-8-0x0000000000000000-mapping.dmp
-
memory/3336-5-0x0000000000000000-mapping.dmp
-
memory/3408-11-0x0000000000000000-mapping.dmp
-
memory/3660-0-0x0000000000000000-mapping.dmp
-
memory/4388-2-0x0000000000000000-mapping.dmp