Overview

overview

10

Static

static

10

Wolfteam/Hack.exe

windows7_x64

10

Wolfteam/Hack.exe

windows10_x64

10

Wolfteam/S...RT.dll

windows7_x64

Wolfteam/S...RT.dll

windows10_x64

Wolfteam/a..._0.dll

windows7_x64

Wolfteam/a..._0.dll

windows10_x64

Wolfteam/a..._0.dll

windows7_x64

Wolfteam/a..._0.dll

windows10_x64

Wolfteam/a..._0.dll

windows7_x64

Wolfteam/a..._0.dll

windows10_x64

Wolfteam/a..._0.dll

windows7_x64

1

Wolfteam/a..._0.dll

windows10_x64

1

Wolfteam/python27.dll

windows7_x64

Wolfteam/python27.dll

windows10_x64

Analysis

  • max time kernel
    32s
  • max time network
    35s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-03-2021 22:00

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Wolfteam/SpeedTreeRT.dll

  • Size

    1.7MB

  • MD5

    1ac3d612389fa679f5ca3c6bab855145

  • SHA1

    2f4f279d0c99c112db1adee5a3c324d0355fcbf5

  • SHA256

    ddba9b9b427d541ebc0bf1221fffc5d56a85d7b8ee0dfe6370a83a133da6967b

  • SHA512

    847376db96f3a3c1ab844fbf066f4e0e05b203769d7ca04fdf2463e86fc99ea1589054d1cc10ff70e45a5fb82a9e103edc2aa17b76cd94497cd49fedb6e06788

Score
8/10
bootkitransomware

Malware Config

Signatures

  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

    ransomwarebootkit
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wolfteam\SpeedTreeRT.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wolfteam\SpeedTreeRT.dll,#1
      2⤵
        PID:3696
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 620
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2560
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3ad5055 /state1:0x41c64e6d
      1⤵
      • Modifies WinLogon to allow AutoLogon
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1644

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2560-3-0x00000000046F0000-0x00000000046F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3696-2-0x0000000000000000-mapping.dmp

      Download