Analysis

  • max time kernel: 400s
  • max time network: 361s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 22-11-2020 06:28

Errors

  • Reason: Machine shutdown

General

  • Target: index(11).html
  • Size: 98KB
  • MD5: 8c322ed467ef41c0e709fb02f5b72c82
  • SHA1: 9d370ead145f80c04e2a53a6683103a972d34ee0
  • SHA256: 8b0b9ed969fc04412fe395bc3291074fc25f2efa7b1254143c57f0763d568e0e
  • SHA512: cb73796263bfd29e82465785bfdf9ff200bc7a691825ee8da92496e41c18435cb72ad9f9dbb9733186f162e901f7210ba9feead4eb6436a1d8aa40b19d657186

Score: 8/10

Malware Config

Signatures

  • Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
    Enables rebooting of the machine without requiring login credentials.
  • Modifies Internet Explorer settings (1 TTP, 42 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry class (36 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe (PID 412)
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index(11).html
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2840, child of 412)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:412 CREDAT:82945 /prefetch:2
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
  • C:\Windows\System32\rundll32.exe (PID 188)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  • C:\Windows\system32\LogonUI.exe (PID 1280)
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad4055 /state1:0x41c64e6d
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Winlogon Helper DLL, T1004 (1)
  • Defense Evasion: Modify Registry, T1112 (2)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\STBO9Y9D.cookie
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZJ4JCIA3.cookie
  • memory/2840-0-0x0000000000000000-mapping.dmp