Analysis
-
max time kernel
144s -
max time network
99s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-02-2021 11:37
Static task
static1
Behavioral task
behavioral1
Sample
SPREADTHECORRUPTION.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SPREADTHECORRUPTION.exe
Resource
win10v20201028
General
-
Target
SPREADTHECORRUPTION.exe
-
Size
425KB
-
MD5
241c8c8c809fe670f1f6ef0f7c935815
-
SHA1
63928026939b367ea1677ba3ecc17acb8b1553ad
-
SHA256
5e7f8b2a39176df856d2fe25a5bfcf0915cc72aa114efe92797b674434dc3d47
-
SHA512
5c86649a3c085530ed0c455c06adeb16f9ad107d7a25f92009694202dee0fa1867fdd29b341d027e265aec815c925a5cb05a84781d63ee781e33ff69bbe4dbf8
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
SPREADTHECORRUPTION.exedescription ioc process File created C:\Users\Admin\Pictures\ImportUnregister.tif.jcrypt SPREADTHECORRUPTION.exe File created C:\Users\Admin\Pictures\MergeApprove.tif.jcrypt SPREADTHECORRUPTION.exe File created C:\Users\Admin\Pictures\SetStep.crw.jcrypt SPREADTHECORRUPTION.exe -
Drops desktop.ini file(s) 3 IoCs
Processes:
SPREADTHECORRUPTION.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini SPREADTHECORRUPTION.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini SPREADTHECORRUPTION.exe File opened for modification C:\Users\Admin\Documents\desktop.ini SPREADTHECORRUPTION.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
SPREADTHECORRUPTION.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\Wallpaper SPREADTHECORRUPTION.exe -
Drops file in Program Files directory 1 IoCs
Processes:
SPREADTHECORRUPTION.exedescription ioc process File created C:\Program Files\System32\CORRUPT2.exe SPREADTHECORRUPTION.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 512 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
AUDIODG.EXESPREADTHECORRUPTION.exedescription pid process Token: 33 760 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 760 AUDIODG.EXE Token: 33 760 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 760 AUDIODG.EXE Token: SeDebugPrivilege 384 SPREADTHECORRUPTION.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
SPREADTHECORRUPTION.exepid process 384 SPREADTHECORRUPTION.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SPREADTHECORRUPTION.exe"C:\Users\Admin\AppData\Local\Temp\SPREADTHECORRUPTION.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txtMD5
048f37fd8e5849166bc3002f87e5f4a5
SHA12469f7efa94b1804c425c72b5678f06b8c21cebb
SHA256fec72920c210224d84339fea44c7470d82dbbccc3885023534beb9a806825f60
SHA512e496c1601813f0d67a60fe37ba4ac28e86eddc0b9347a89b2faad04327925826b6e84888cdf94bc506bda78c4d392abd0379a34cf93cf04ad09a6b737f488df8
-
memory/384-2-0x0000000074390000-0x0000000074A7E000-memory.dmpFilesize
6.9MB
-
memory/384-3-0x0000000000070000-0x0000000000071000-memory.dmpFilesize
4KB
-
memory/384-5-0x0000000004290000-0x0000000004291000-memory.dmpFilesize
4KB
-
memory/384-6-0x0000000004295000-0x00000000042A6000-memory.dmpFilesize
68KB
-
memory/756-7-0x000007FEFB9D1000-0x000007FEFB9D3000-memory.dmpFilesize
8KB
-
memory/1924-10-0x000007FEF7300000-0x000007FEF757A000-memory.dmpFilesize
2.5MB