Analysis

  • max time kernel
    358s
  • max time network
    328s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-11-2020 06:28

Errors

Reason
Machine shutdown

General

  • Target

    ie.svg.xml

  • Size

    769B

  • MD5

    aab795251934d2063ba9df1c539706db

  • SHA1

    3fd39edb2aa407eb4e10dc08f899f1e41690291c

  • SHA256

    a1cef33ec4d98a1bf01a70ebb04e7ebc695910ba9c258aca0bb5214bf9af98d3

  • SHA512

    80de8f68c8f15f523b78c50ed4fb053eccca8d2c78db7fa99a8b16650f7ca0aed698fce13629f6ac24cdad536d6c4dedb3be37b7ecbec064feeb0c2d911b98b8

Score
8/10

Malware Config

Signatures

  • Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)

    Enables rebooting of the machine without requiring login credentials.
    In this run the only process credited with the change is LogonUI.exe (PID 1096), which is not part of the MSOXMLED.EXE > iexplore.exe tree that opened the sample, and the analysis ended with a machine shutdown (see Errors above); the same applies to "Modifies data under HKEY_USERS". Confirm that the Winlogon modification was made by the sample's own process tree before attributing AutoLogon persistence to the 769-byte SVG itself.

  • Modifies Internet Explorer settings (1 TTP, 49 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)
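The check a responder would run on a host after seeing the AutoLogon signature, as an added example that is not part of this sandbox report: it audits the documented Winlogon values (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword, ForceAutoLogon, AutoLogonCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon). The report does not say which values were written, so the two registry snapshots in the block are constructed, and the value names are taken from Microsoft's documentation rather than from this page.

```python
"""Audit Winlogon AutoLogon settings.

Added example, not part of the sandbox report. The value names are the
documented Winlogon AutoLogon values under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon; the report does
not list which values the sample touched, so the snapshots below are
constructed, not observed.
"""
import sys
from typing import Dict, List

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOLOGON_VALUES = (
    "AutoAdminLogon", "DefaultUserName", "DefaultDomainName",
    "DefaultPassword", "ForceAutoLogon", "AutoLogonCount",
)


def audit_winlogon(values: Dict[str, object]) -> List[str]:
    """Return findings for a dict of Winlogon value-name -> data.

    Comparisons go through str() because AutoAdminLogon is a REG_SZ holding
    "0"/"1", while ForceAutoLogon and AutoLogonCount are REG_DWORD.
    """
    findings: List[str] = []
    enabled = str(values.get("AutoAdminLogon", "0")).strip() == "1"
    if enabled:
        user = values.get("DefaultUserName", "<unset>")
        domain = values.get("DefaultDomainName", "<unset>")
        findings.append(f"AutoAdminLogon enabled for {domain}\\{user}")
        if "DefaultPassword" in values:
            # Cleartext credential readable by anyone who can read HKLM.
            findings.append("DefaultPassword stored in cleartext under Winlogon")
        if str(values.get("ForceAutoLogon", "0")) == "1":
            findings.append("ForceAutoLogon set: Shift cannot bypass the automatic logon")
        if "AutoLogonCount" in values:
            findings.append(f"AutoLogonCount={values['AutoLogonCount']} (self-expiring autologon)")
    elif "DefaultPassword" in values:
        # AutoAdminLogon off but a password left behind is still a credential leak.
        findings.append("DefaultPassword present although AutoAdminLogon is not enabled")
    return findings


def read_live_winlogon() -> Dict[str, object]:
    """Read the real key on a Windows host; raises elsewhere so tests stay offline."""
    if sys.platform != "win32":
        raise OSError("Winlogon registry key only exists on Windows")
    import winreg  # stdlib, Windows only
    out: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in AUTOLOGON_VALUES:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value not set on this host
    return out


# Constructed snapshot of a machine after AutoLogon has been switched on.
CONSTRUCTED_AFTER = {
    "AutoAdminLogon": "1",
    "DefaultUserName": "Admin",
    "DefaultDomainName": "WORKSTATION",
    "DefaultPassword": "hunter2",
}
# Constructed snapshot of a clean default install.
CONSTRUCTED_CLEAN = {"AutoAdminLogon": "0", "DefaultDomainName": "WORKSTATION"}

if __name__ == "__main__":
    for label, snap in (("clean", CONSTRUCTED_CLEAN), ("after", CONSTRUCTED_AFTER)):
        print(label, audit_winlogon(snap) or ["no AutoLogon findings"])
```

On a live Windows host, pass read_live_winlogon() to audit_winlogon(); on the sandbox VM the same check run before and after detonation tells you whether the AutoLogon values changed during the run at all.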

Processes

  • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
    "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ie.svg.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ie.svg.xml
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3644 CREDAT:82945 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1256
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1096
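The attribution question raised by this process list (which signature hits belong to the sample's own tree, and which fired in an unrelated system process) can be answered mechanically. The block below is an added example, not part of the report or of the sandbox's code: the process records are transcribed from the Processes section above (PIDs, images, command lines and signature names), and the parent links are inferred from the report's indentation, which is an assumption about how the tree was rendered.

```python
"""Attribute sandbox signature hits to the sample's process lineage.

Added example, not part of the report. Process records are transcribed from
the report's Processes section; parent links follow its indentation, which
is an assumption about how the sandbox rendered the tree.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]  # None = top-level entry in the report
    signatures: List[str] = field(default_factory=list)


TARGET = r"C:\Users\Admin\AppData\Local\Temp\ie.svg.xml"

REPORT_PROCESSES: List[Proc] = [
    Proc(4708, "MSOXMLED.EXE",
         r'"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\ie.svg.xml"',
         None, ["Suspicious use of WriteProcessMemory"]),
    Proc(3644, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ie.svg.xml',
         4708, ["Modifies Internet Explorer settings", "Suspicious use of FindShellTrayWindow",
                "Suspicious use of SetWindowsHookEx", "Suspicious use of WriteProcessMemory"]),
    Proc(1256, "IEXPLORE.EXE",
         r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3644 CREDAT:82945 /prefetch:2',
         3644, ["Modifies Internet Explorer settings", "Suspicious use of SetWindowsHookEx"]),
    Proc(1096, "LogonUI.exe",
         r'"LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d',
         None, ["Modifies WinLogon to allow AutoLogon", "Modifies data under HKEY_USERS",
                "Suspicious use of SetWindowsHookEx"]),
]


def lineage(procs: List[Proc], root_pid: int) -> Set[int]:
    """PIDs of root_pid and everything spawned beneath it (walk over parent links)."""
    children: Dict[Optional[int], List[int]] = {}
    for p in procs:
        children.setdefault(p.parent, []).append(p.pid)
    seen: Set[int] = set()
    queue = [root_pid]
    while queue:
        pid = queue.pop()
        if pid in seen:
            continue
        seen.add(pid)
        queue.extend(children.get(pid, []))
    return seen


def sample_root(procs: List[Proc], target: str) -> int:
    """The top-level process whose command line opened the submitted file."""
    for p in procs:
        if p.parent is None and target.lower() in p.cmdline.lower():
            return p.pid
    raise LookupError("no top-level process references the target")


def attribute(procs: List[Proc], target: str) -> Dict[str, Dict[str, List[int]]]:
    """Bucket each signature hit by whether the firing PID is in the sample's lineage.

    Returns {"sample": {signature: [pids]}, "outside": {signature: [pids]}}.
    A hit that appears only under "outside" (here the Winlogon and HKEY_USERS
    hits on LogonUI.exe) needs corroboration before it is blamed on the sample.
    """
    inside = lineage(procs, sample_root(procs, target))
    result: Dict[str, Dict[str, List[int]]] = {"sample": {}, "outside": {}}
    for p in procs:
        bucket = result["sample"] if p.pid in inside else result["outside"]
        for sig in p.signatures:
            bucket.setdefault(sig, []).append(p.pid)
    return result


if __name__ == "__main__":
    verdict = attribute(REPORT_PROCESSES, TARGET)
    for sig, pids in verdict["sample"].items():
        print(f"[sample] {sig}: {pids}")
    for sig, pids in verdict["outside"].items():
        print(f"[verify] {sig}: {pids}  (fired outside the sample's process tree)")
```

Run against this report, the two persistence-related signatures land entirely in the "outside" bucket while every hit inside the MSOXMLED.EXE > iexplore.exe lineage is ordinary browser behaviour, which is the point to weigh against the 8/10 score.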

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Winlogon Helper DLL (T1004), 1 signature mapped
  • Defense Evasion: Modify Registry (T1112), 2 signatures mapped

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    MD5

    ffc04cd305e33221116feebf2eaa50b0

    SHA1

    6aeecd1a32ce6655a43e6b35cb2d0cb45876c9d4

    SHA256

    e0215011ac1136f278389a2a9b9572d9cdbb704f4a2a6d4b9cb8e99eba316de4

    SHA512

    ecd09a4db7f337f7b4b767edca0615262af8785c3dd85e6369037c04eda0865c59949a406e6e016ba8e893e7f740881be22909aa472ea6fd1c38aa3902979a01

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    MD5

    40832964c8fb43651d88b4d61debaef0

    SHA1

    4c255f79da3233e2d9c2d5d6e979c4a00002b0bc

    SHA256

    b770223ed183384c5d4b10df618ce06847b8a774b7414fccbd303c3559b3d3ef

    SHA512

    2a57e9d5b26d59beadd83c49ae3e9a0e4281d1de4ee1ba994d37f47cbee186c1eb7e352af2151a1d24e260ed86eec47785dbbdc53486503c7eb4227134cc9b48

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\W0VNL7L0.cookie
    MD5

    be7f2ae50d08dd0f0c83ebb9da9b59e0

    SHA1

    5abeabf77030b9f988af13ce0a8b2686d31eff90

    SHA256

    fa7e89dc01b93331277c2dcd51321c3c3d50b40237f181ec8c15f083d6b64917

    SHA512

    00703981edab7e78969aefd9da6875b767ec8030d8cc894b21d13ac4fcb4712595f89a3bf6b415b3b45fa633acd1b9a133b7947299ae836b1bde0440855e6949

  • memory/1256-1-0x0000000000000000-mapping.dmp
  • memory/3644-0-0x0000000000000000-mapping.dmp