Analysis
-
max time kernel
133s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
26-04-2021 08:27
Static task
static1
Behavioral task
behavioral1
Sample
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe
Resource
win10v20210408
General
-
Target
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe
-
Size
149KB
-
MD5
af4e348901e1e0b23f477a3a80fa931c
-
SHA1
b88a2d7fd7f929ae375b7665052ffef0180819f7
-
SHA256
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4
-
SHA512
1adaa62cf6fb8018d01201411bba827a00b43e27f8b60bb2f7b4f67abf810cf49c43f49e93debc8a0992e38e5cd318142dd3cac219f6c82483f0fa3db209e29c
Malware Config
Extracted
C:\k8n5d2s8t3-readme.txt
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E6449F08685668F3
http://decoder.re/E6449F08685668F3
Signatures
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exedescription ioc process File opened for modification \??\c:\users\admin\pictures\RequestAdd.tiff a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File renamed C:\Users\Admin\Pictures\RequestAdd.tiff => \??\c:\users\admin\pictures\RequestAdd.tiff.k8n5d2s8t3 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\users\admin\pictures\StopUninstall.tiff a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File renamed C:\Users\Admin\Pictures\StopUninstall.tiff => \??\c:\users\admin\pictures\StopUninstall.tiff.k8n5d2s8t3 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File renamed C:\Users\Admin\Pictures\TraceSet.tif => \??\c:\users\admin\pictures\TraceSet.tif.k8n5d2s8t3 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File renamed C:\Users\Admin\Pictures\UnregisterMerge.raw => \??\c:\users\admin\pictures\UnregisterMerge.raw.k8n5d2s8t3 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File renamed C:\Users\Admin\Pictures\EnterExport.raw => \??\c:\users\admin\pictures\EnterExport.raw.k8n5d2s8t3 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File renamed C:\Users\Admin\Pictures\ReadOptimize.raw => \??\c:\users\admin\pictures\ReadOptimize.raw.k8n5d2s8t3 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zQS1XtGvA8 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe" a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exedescription ioc process File opened (read-only) \??\N: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\P: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\U: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\X: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\D: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\H: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\G: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\F: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\J: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\L: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\M: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\Q: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\R: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\V: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\A: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\Y: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\E: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\I: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\K: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\O: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\S: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\T: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\W: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\B: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened (read-only) \??\Z: a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\r8wezo.bmp" a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe -
Drops file in Program Files directory 20 IoCs
Processes:
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exedescription ioc process File opened for modification \??\c:\program files\ConvertToGrant.wm a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\SkipStart.mp4v a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\CompressExpand.jpeg a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\PublishSubmit.cfg a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\UnlockWatch.aiff a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\UseExport.htm a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File created \??\c:\program files\k8n5d2s8t3-readme.txt a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\ConfirmEnter.WTV a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\InvokeCheckpoint.xltx a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\SearchShow.xml a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\UndoNew.TTS a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\UnlockUnprotect.rm a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\UnprotectWrite.pdf a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\WatchOpen.css a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File created \??\c:\program files (x86)\k8n5d2s8t3-readme.txt a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\RemoveEdit.DVR a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\ResumeDismount.ini a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\SelectMount.m3u a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\TraceMerge.dxf a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe File opened for modification \??\c:\program files\AddSearch.jpg a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exepid process 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exevssvc.exedescription pid process Token: SeDebugPrivilege 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe Token: SeTakeOwnershipPrivilege 640 a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe Token: SeBackupPrivilege 1504 vssvc.exe Token: SeRestorePrivilege 1504 vssvc.exe Token: SeAuditPrivilege 1504 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe"C:\Users\Admin\AppData\Local\Temp\a73a43077585ebd48d24a87abb17a7dae40696eb11a9cee6275e3408ecc5c5e4.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2352
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\k8n5d2s8t3-readme.txt1⤵PID:2992
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\k8n5d2s8t3-readme.txtMD5
f02855fd35fca36e95bb07e779638544
SHA1e206183d13d45ae5cf177d4e26f2ff6bcf131b46
SHA256c42d04a149d673d851251f28b4bf49f77a084484604feb67b42e520d8f30beee
SHA5120a8bdb4e8b7d9f210e4628d2fabb771a168b79224e34d35b55a3735ebc14b424cc3593a66715b59eaca52209ac1d5c0d0ee3559252710f1f561782a464585b7c