Overview

overview

8

Static

static

URLScan

urlscan

https://tshares.exch...

windows10_x64

Analysis

  • max time kernel
    98s
  • max time network
    100s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-03-2021 09:56

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    https://tshares.exchange

  • Sample

    210305-d89wxkq3bs

Score
8/10
bootkitransomware

Malware Config

Signatures

  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

    ransomwarebootkit
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://tshares.exchange
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3496 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1396
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ad1855 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
    MD5

    f5a84eb1f868299edae28ac27ec56e66

    SHA1

    7e59b5af11a541805bf1a069f96c55bab07178d8

    SHA256

    63eae6a5790932181365bbb783b50de9764703b18e77ae1b9032cfe935247be9

    SHA512

    0dd92573d3565344349cd8dbaf4a53313f27f712d6c72b4c809cbb801a64279af9adbcfb1ec3a18ee712d1f22304e557540d9d860a1d08532ecf874c485661c9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    faa4cca64a09dbf794af5bae664ab5b0

    SHA1

    db96b271b4ae4a991ac8532788474de84ce69f94

    SHA256

    38abc6033c992b68d3768545dbdddb0c9c546bd3149e17d429c6332aafc9ebe8

    SHA512

    2b84a948a4e400292df2256639b00c263af26359ab61e398c4eb66edae5e70e2c5f36758b5690b44d5f644830068708d36de686db243ac432936f05519e93c0b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    6944d2b7b5cf313ed7eabd694b919fdc

    SHA1

    d34fe2e343e5f711c7d57241d52b073ffe1e3e8b

    SHA256

    8f4c256186b2fa2216dd37654445eae3cdf5684e9013be3aca78b4b7b72d82dd

    SHA512

    237d31ecc18fc65ff5fac6531cde23c78e1f20f0d134b87a048c10c6cc67f0b2a3f5c49c760bd1393a4f37ce37a47728d7dc0971b8e539aa77c575f489ca7886

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
    MD5

    0fe6da545e9d8cc441c733015d59cbab

    SHA1

    ea828cb375ab37b483528ea895a0cb54f8a820b4

    SHA256

    3bb8f7c7b0c1ad1b407810088d01d8098c9f1057fd0db5364caddd1b11e1d7cb

    SHA512

    bccb26a5aa6d1e11aea3685b1de6526159e310bdf91c26313d0145c43779637dae13c545182b5d11e5673a360386f827c656d3b161b4fe5ddc20b45888d6600f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_69A30491916BE8D0D7ADE02D7B9D1C7E
    MD5

    5cf3a755c62d6fd62e30b6659fd69f16

    SHA1

    db565ff5e0fd42f860d0211cfba05773417df230

    SHA256

    12ebf30615c186a38043766b6584eb20cb0176a34c8914fe3fc79ee55ed0954b

    SHA512

    d502cb5e44dca0c7103e35f8debf47f9351ee6ea2d2c1bb0434a661fff6bd0c53ca778c0de99ad28dc8a051cceab5a0ccc92e303edb7ddb02bc2d2e52383cd65

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
    MD5

    9c60bb6d74909ebc311183acc4d02db7

    SHA1

    dac84f877aa7a186f5eb04682c3ddf27ca5fb2a5

    SHA256

    f0b4e2415dcaef37494b120c0a8bb7b6eb322beaf2a9663119450866f987345d

    SHA512

    26412ed9e9b2efe83cf66150fe4252d764f85615d6cd4d2c464cb89a5253421e1cb38a9140843a6a87efdbe35b065a6a0c606981ff81719049ce363c521932d0

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    6fed9cb687c46b51e47ec6267e40aff9

    SHA1

    4c83f5a69977b04a310d14f5285a506bcaf3a72c

    SHA256

    91ecb699a4280b4b502e6d5293e316e5a363aa8f7a5830e35da668e24cdeaf57

    SHA512

    19ee77afeb68b61a255f242589ced53e471a1f54f9dc468a872efdb4edca5e3c399a323e07fdb0a0d9d18cf18be9be7c8ce51e5f280dc137123f4c4606539d33

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    b80713f7dd6502a92e279312f8cb88b8

    SHA1

    54648a4359c8c3fcaffb23d92eb5fbd9ff20c5cf

    SHA256

    cbcc94bb0fa5b151e0d300fecf9b209fd7e1b6e4f8654169e8ad35076cd54f45

    SHA512

    e8c4d714a5b2a430d2ef4e67cdf467cbe739249d6ee567afbdc15480ad88612e398362afd813803f2ad1a97174e6166c04adec53cafc826c6fc303aa144568d7

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
    MD5

    7532f5448c82e11870499188e3e87030

    SHA1

    b9781e494a3ae9ad50bd89890381582cafdde0ea

    SHA256

    c9de59ceaafa2687911d0a12a6440bb50dd858a0c564bad1a8ce08a7b6e0c594

    SHA512

    624e44e4049207c7eab01d427c7daab604734ef3a95198045ce48a400e10c9b55b826ac0aafb50e81db56ef5751008ea21179c7c98d1c94bbabfb01f50b532e1

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_69A30491916BE8D0D7ADE02D7B9D1C7E
    MD5

    d36c9adf5e3e8f0494267035a7fc4463

    SHA1

    512484c3b3a3c061d46e036f780f189706facce8

    SHA256

    2495b179a5269a044423c37ef443f9f5c38ab238c078b2aec6d3880a7fec0113

    SHA512

    93cf86b5f6dabbfd8f17905efae52817c5909ef753f05073278a126cd197abca9ae56971db284f95c636d2e004da8d3fd76efe68f07d884608c7001a2bb54b6e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5UFKUFBN.cookie
    MD5

    205ca67aea4ab5699bb7dfea8f49759e

    SHA1

    7f13918ba26781bf1ae8953457be9437badf3ef4

    SHA256

    eba25b91e3e76eaf52004f2c2d50c92d3d1a433b8238694ac7b22e3752427f6f

    SHA512

    d4d40a6169c9b99c06d4274dd1a83528e58166374a410356a35b8c55109f55549e54eee492eaed08064b56e649e731a582304dc8907d07f863d519e48b070846

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HPWS9RG9.cookie
    MD5

    f2ed00e98c8c3f2567237a35089eb11b

    SHA1

    ef74997db772ef30874e2dfae932337ff78d717b

    SHA256

    34a53d0c01f1b7479320c109bd8fa4c061b4f6322df8506149f1bc1569650d91

    SHA512

    d34166555e57d25e40f96aaf42ba65fd7fd6777ffb5ada19e10775e3246f606612c0865e9458f2094b5114aa3f48fef9c8a9c33c43841ac3c112fccb52d175a2

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\N41082QE.cookie
    MD5

    14deaee97567207e958548a9c1c481d6

    SHA1

    0bce786bba2e0dfca96c40d10957e9e5a13f2981

    SHA256

    409256e097b914070affe2c04b614bb54105c4bd4f55e016dfa0788158592d6d

    SHA512

    8e6d44d52077772b6483a21d5a4f6d98c66d99f7c071c66c4127b090496218c4cf61fe317fa4f888a7539f4576d01e0f1ecc382a598a0ccab5cc7daa0e73a67d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RY7WVTTS.cookie
    MD5

    89704dc64df6af4c24e680aaf2e980ee

    SHA1

    15597c572a098b00668bdaea8dcec5ceed1735a7

    SHA256

    d17c3d421fd2ed3563d478203ba87b6f4e2c20fd57b6be5388533194eb41b775

    SHA512

    46c8bae264823e1058123081a845ad297b6deac7090421df37bb33532408b96fa1ba21f00d74bd797c5f6c5a0a7969c2c70a94ab55d65f358e645fe1a7ffdede

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XNOO887V.cookie
    MD5

    69114dac94da6af908c7b74d1a818cd7

    SHA1

    8143c8860a82646304825e14dc52c6b1bbd83431

    SHA256

    4a97cebf1ee7de7fa9a2dc8b58f14aaa34b7811eaca0f60e318f0c37c706b5a0

    SHA512

    ab663652387fc20eb1e5f81ba8ed2fab1878c679ad34f4058f13cff1503d6a5b3cf807ddfd8095f8716da9da3ed0d3d34548eccf4647cb16d5cc7bbea38d03cb

    Download Submit
  • memory/1396-2-0x0000000000000000-mapping.dmp
    Download