5e7f8b2a39176df856d2fe25a5bfcf0915cc72aa114efe92797b674434dc3d47

Resubmissions

26-02-2021 11:37

210226-4cte82r1vs 8

26-02-2021 11:28

210226-p6webfglhn 8

Analysis

max time kernel
144s
max time network
99s
platform
windows7_x64
resource
win7v20201028
submitted
26-02-2021 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SPREADTHECORRUPTION.exe
Size

425KB
MD5

241c8c8c809fe670f1f6ef0f7c935815
SHA1

63928026939b367ea1677ba3ecc17acb8b1553ad
SHA256

5e7f8b2a39176df856d2fe25a5bfcf0915cc72aa114efe92797b674434dc3d47
SHA512

5c86649a3c085530ed0c455c06adeb16f9ad107d7a25f92009694202dee0fa1867fdd29b341d027e265aec815c925a5cb05a84781d63ee781e33ff69bbe4dbf8

Score

8^/10

evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

SPREADTHECORRUPTION.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ImportUnregister.tif.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\MergeApprove.tif.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\SetStep.crw.jcrypt	SPREADTHECORRUPTION.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

SPREADTHECORRUPTION.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	SPREADTHECORRUPTION.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

SPREADTHECORRUPTION.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\Wallpaper	SPREADTHECORRUPTION.exe

Drops file in Program Files directory 1 IoCs

Processes:

SPREADTHECORRUPTION.exe

description ioc process

File created C:\Program Files\System32\CORRUPT2.exe SPREADTHECORRUPTION.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

512 NOTEPAD.EXE

description	ioc	process
File created	C:\Program Files\System32\CORRUPT2.exe	SPREADTHECORRUPTION.exe

pid	process
512	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AUDIODG.EXESPREADTHECORRUPTION.exe

description	pid	process
Token: 33	760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	760	AUDIODG.EXE
Token: 33	760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	760	AUDIODG.EXE
Token: SeDebugPrivilege	384	SPREADTHECORRUPTION.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SPREADTHECORRUPTION.exe

pid process

384 SPREADTHECORRUPTION.exe

pid	process
384	SPREADTHECORRUPTION.exe

C:\Users\Admin\AppData\Local\Temp\SPREADTHECORRUPTION.exe
"C:\Users\Admin\AppData\Local\Temp\SPREADTHECORRUPTION.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:384

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt
MD5
048f37fd8e5849166bc3002f87e5f4a5

SHA1
2469f7efa94b1804c425c72b5678f06b8c21cebb

SHA256
fec72920c210224d84339fea44c7470d82dbbccc3885023534beb9a806825f60

SHA512
e496c1601813f0d67a60fe37ba4ac28e86eddc0b9347a89b2faad04327925826b6e84888cdf94bc506bda78c4d392abd0379a34cf93cf04ad09a6b737f488df8

Download Submit
memory/384-2-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/384-3-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/384-5-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/384-6-0x0000000004295000-0x00000000042A6000-memory.dmp

Filesize
68KB

Download
memory/756-7-0x000007FEFB9D1000-0x000007FEFB9D3000-memory.dmp

Filesize
8KB

Download
memory/1924-10-0x000007FEF7300000-0x000007FEF757A000-memory.dmp

Filesize
2.5MB

Download