Analysis

max time kernel: 116s
max time network: 100s
platform: windows7_x64
resource: win7v20201028
submitted: 12/03/2021, 08:08
Static task: static1

Behavioral task: behavioral1
  Sample: ransomw.exe
  Resource: win7v20201028
  0 signatures
  0 seconds

Behavioral task: behavioral2
  Sample: ransomw.exe
  Resource: win10v20201028
  0 signatures
  0 seconds
General

Target: ransomw.exe
Size: 2.5MB
MD5: 8243dc32479532fcb82669da4b81a9d1
SHA1: 3580a4719ded43c0bbc40d2e26abc0868811a03f
SHA256: 4ad3332742b46d2a60a21ca009941fd85a3e58cd635df5a1c3ed0888061a1fda
SHA512: 8a88c38f4507e64b4cfe6d13c7e4e98ad86dc15df9051badc5fb283f1a24f4549c0c14055a3d42a59f31b8d5da074cc3f8356acce9683190dd4a95fe7ae0da4d
Score: 6/10
Malware Config

Signatures
Drops desktop.ini file(s) 28 IoCs
description | ioc | Process
- File opened for modification | C:\Users\Public\Downloads\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Desktop\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Documents\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\AppData\Local\Temp\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | ransomw.exe
- File created | C:\Users\Admin\AppData\Local\Temp\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Contacts\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Downloads\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Links\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Searches\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Videos\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Favorites\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Desktop\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Documents\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Libraries\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Pictures\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Pictures\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Videos\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Music\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Admin\Music\desktop.ini | ransomw.exe
- File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | ransomw.exe
Modifies Internet Explorer settings 37 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "322301330" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3732351-8309-11EB-8CDB-D6D89EDB0C53} = "0" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b110d662a6de1d4899d3d3ae557652ac000000000200000000001066000000010000200000007f70eb9cee040e80e1014e1510a946d7fd942b14f6e53ed9f0b81233b7d46dc6000000000e8000000002000020000000fdae0eaf708031920ecd93c8c82a85c91fc1d51cb5b710f036e64d01712b0224200000007733198aa2d00d41b8b24f410c064e1fe9f171edd112c4f93d78be29ee4f92fa40000000063b7b38595bdae20c138ea409c772bde4d684d042e7feadc0e2aff7faa78f86f2026dd61efdb5fd70d281dd7b4888d0042de34034c2b300abd4302a95d02cb7 | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b110d662a6de1d4899d3d3ae557652ac00000000020000000000106600000001000020000000297e5bdad6ae38a5c5503dc1c499d981992bf412bda2722ad560ed10757831bb000000000e8000000002000020000000924957f5294325df63151dad580f7084fff1b9063fcd51ac3815c1a9d5bfe447900000008a1abfa229603920737e7dc87411599a1b039742f6231d74778ee99f0d641a662ad9b4bd444781ffc511b07684e44b1ab22d8ea48a1b5d7c48e6b9ec50be24894219e355a2808f7b16c22f99ae532319db86b350104c77644c7368bb25b447ca95b115a1f0b93d3caa32fc1b7da6ba1d81bf3209d147e1c03d0e6b75edfc5694889c7013df38fc663339bc117878bbad40000000386a272f8855cfbe0d5d04ed3336e4cde5d16a85e855b3da24f5d21c0a956b844f4c755a190487501d03de253c3df5be50ac441166c3ea2de973705bb90153da | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10fda8981617d701 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Modifies registry class 6 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE | IEXPLORE.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml | IEXPLORE.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | IEXPLORE.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WINWORD.EXE | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
- 1500 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
- 1500 | iexplore.exe
- 1500 | iexplore.exe
- 1184 | IEXPLORE.EXE
- 1184 | IEXPLORE.EXE
- 1184 | IEXPLORE.EXE
- 1184 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
- PID 1500 wrote to memory of 1184 | 1500 | iexplore.exe | 35
- PID 1500 wrote to memory of 1184 | 1500 | iexplore.exe | 35
- PID 1500 wrote to memory of 1184 | 1500 | iexplore.exe | 35
- PID 1500 wrote to memory of 1184 | 1500 | iexplore.exe | 35
Processes

- C:\Users\Admin\AppData\Local\Temp\ransomw.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ransomw.exe"
  PID: 1576
  Signatures:
  - Drops desktop.ini file(s)

- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 268

- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\READ_TO_DECRYPT.html
  PID: 1500
  Signatures:
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 1500)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
    PID: 1184
    Signatures:
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx