5e7f8b2a39176df856d2fe25a5bfcf0915cc72aa114efe92797b674434dc3d47

Resubmissions

26/02/2021, 11:37

210226-4cte82r1vs 8

26/02/2021, 11:28

210226-p6webfglhn 8

Analysis

max time kernel
150s
max time network
104s
platform
windows7_x64
resource
win7v20201028
submitted
26/02/2021, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SPREADTHECORRUPTION.exe
Size

425KB
MD5

241c8c8c809fe670f1f6ef0f7c935815
SHA1

63928026939b367ea1677ba3ecc17acb8b1553ad
SHA256

5e7f8b2a39176df856d2fe25a5bfcf0915cc72aa114efe92797b674434dc3d47
SHA512

5c86649a3c085530ed0c455c06adeb16f9ad107d7a25f92009694202dee0fa1867fdd29b341d027e265aec815c925a5cb05a84781d63ee781e33ff69bbe4dbf8

Score

8^/10

evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\HideEdit.tif.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\RepairStep.crw.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\SearchInitialize.crw.jcrypt	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\SendRedo.tiff	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\SetSearch.tif.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\StepPush.tiff.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\UnblockWrite.crw.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\DismountDebug.raw.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\PublishWrite.tif.jcrypt	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\SendRedo.tiff.jcrypt	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\StepPush.tiff	SPREADTHECORRUPTION.exe
File created	C:\Users\Admin\Pictures\UnpublishUnregister.tiff.jcrypt	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishUnregister.tiff	SPREADTHECORRUPTION.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	SPREADTHECORRUPTION.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	SPREADTHECORRUPTION.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper	SPREADTHECORRUPTION.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\System32\CORRUPT2.exe	SPREADTHECORRUPTION.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	SPREADTHECORRUPTION.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1152	SPREADTHECORRUPTION.exe

C:\Users\Admin\AppData\Local\Temp\SPREADTHECORRUPTION.exe
"C:\Users\Admin\AppData\Local\Temp\SPREADTHECORRUPTION.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact