5e7f8b2a39176df856d2fe25a5bfcf0915cc72aa114efe92797b674434dc3d47

Resubmissions

26-02-2021 11:37

210226-4cte82r1vs 8

26-02-2021 11:28

210226-p6webfglhn 8

Analysis

max time kernel
150s
max time network
104s
platform
windows7_x64
resource
win7v20201028
submitted
26-02-2021 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SPREADTHECORRUPTION.exe
Size

425KB
MD5

241c8c8c809fe670f1f6ef0f7c935815
SHA1

63928026939b367ea1677ba3ecc17acb8b1553ad
SHA256

5e7f8b2a39176df856d2fe25a5bfcf0915cc72aa114efe92797b674434dc3d47
SHA512

5c86649a3c085530ed0c455c06adeb16f9ad107d7a25f92009694202dee0fa1867fdd29b341d027e265aec815c925a5cb05a84781d63ee781e33ff69bbe4dbf8

Score

8^/10

evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

SPREADTHECORRUPTION.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\HideEdit.tif.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\RepairStep.crw.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\SearchInitialize.crw.jcrypt	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\SendRedo.tiff	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\SetSearch.tif.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\StepPush.tiff.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\UnblockWrite.crw.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\DismountDebug.raw.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\PublishWrite.tif.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\SendRedo.tiff.jcrypt	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\StepPush.tiff	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\UnpublishUnregister.tiff.jcrypt	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishUnregister.tiff	SPREADTHECORRUPTION.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

SPREADTHECORRUPTION.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	SPREADTHECORRUPTION.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

SPREADTHECORRUPTION.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper	SPREADTHECORRUPTION.exe

Drops file in Program Files directory 1 IoCs

Processes:

SPREADTHECORRUPTION.exe

description ioc process

File created C:\Program Files\System32\CORRUPT2.exe SPREADTHECORRUPTION.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SPREADTHECORRUPTION.exe

description pid process

Token: SeDebugPrivilege 1152 SPREADTHECORRUPTION.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SPREADTHECORRUPTION.exe

pid process

1152 SPREADTHECORRUPTION.exe

description	ioc	process
File created	C:\Program Files\System32\CORRUPT2.exe	SPREADTHECORRUPTION.exe

description	pid	process
Token: SeDebugPrivilege	1152	SPREADTHECORRUPTION.exe

pid	process
1152	SPREADTHECORRUPTION.exe

C:\Users\Admin\AppData\Local\Temp\SPREADTHECORRUPTION.exe
"C:\Users\Admin\AppData\Local\Temp\SPREADTHECORRUPTION.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-2-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1152-3-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1152-5-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1152-6-0x00000000049A5000-0x00000000049B6000-memory.dmp

Filesize
68KB

Download