Analysis
- max time kernel: 13s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-05-2021 04:05
Static task: static1
Behavioral task: behavioral1
  Sample: Compile by raminhk 2.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Compile by raminhk 2.exe
  Resource: win10v20210408
General
- Target: Compile by raminhk 2.exe
- Size: 7.9MB
- MD5: fb9eb8850ee963bc69583f0227803aef
- SHA1: a8c4277662b79d84ebec5f17b83153d364a478a7
- SHA256: 373dd8d9b31679fa1f46779be91f0d8e378af030bffe91de45d150c78e2cae53
- SHA512: 2d26b6f014ac2ca6b925ab5dfe259847869d3967754de91c8434f0a932bd2ec844403dfa2bc5b5c3442730c42500e2f0c45d321b416450012aae62128e74942c
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (description / ioc / process):
  File renamed  C:\Users\Admin\Pictures\DenyReset.tif => C:\Users\Admin\Pictures\DenyReset.tif.GoNNaCry  Compile by raminhk 2.exe
  File renamed  C:\Users\Admin\Pictures\MountDismount.tif => C:\Users\Admin\Pictures\MountDismount.tif.GoNNaCry  Compile by raminhk 2.exe
-
YARA rule match: vmprotect 1 IoCs
Processes (resource / yara_rule):
  behavioral2/memory/424-114-0x00000000002E0000-0x0000000001570000-memory.dmp  vmprotect
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes (description / ioc / process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Infected = "a15ea89b6e566d87d387e161e6697ce2854fea89c9143c6acdb31cca4f79844ea15ea89b6e566d87d387e161e6697ce2"  Compile by raminhk 2.exe
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\WindowsSecurityUpdate.exe /onboot"  reg.exe
-
Drops desktop.ini file(s) 24 IoCs
Processes (description / ioc / process); all 24 entries are "File created" by Compile by raminhk 2.exe:
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Public\AccountPictures\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Public\Libraries\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Music\desktop.ini
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid / process); logged twice:
  424  Compile by raminhk 2.exe
  424  Compile by raminhk 2.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes (description / pid / process):
  tasklist.exe (pid 2608): SeDebugPrivilege
  WMIC.exe (pid 1548), the following set adjusted twice in succession: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  vssvc.exe (pid 3908): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description / pid / process / target process); each write is logged twice:
  PID 424 (Compile by raminhk 2.exe) wrote to memory of 2608 (tasklist.exe)
  PID 424 (Compile by raminhk 2.exe) wrote to memory of 2700 (cmd.exe)
  PID 2700 (cmd.exe) wrote to memory of 508 (vssadmin.exe)
  PID 2700 (cmd.exe) wrote to memory of 1548 (WMIC.exe)
  PID 424 (Compile by raminhk 2.exe) wrote to memory of 2008 (cmd.exe)
  PID 2008 (cmd.exe) wrote to memory of 2704 (bcdedit.exe)
  PID 424 (Compile by raminhk 2.exe) wrote to memory of 3556 (cmd.exe)
  PID 3556 (cmd.exe) wrote to memory of 2340 (reg.exe)
  PID 424 (Compile by raminhk 2.exe) wrote to memory of 3652 (cmd.exe)
  PID 3652 (cmd.exe) wrote to memory of 1652 (reg.exe)
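The "Modifies extensions of user files" signature above rests on a simple heuristic: many files renamed in place with the same new suffix appended. The following is an added example of that heuristic, written for this page and not taken from the sandbox or the sample; the first two rename events are the ones recorded in the report, the remaining events, the `threshold` parameter and all function names are constructed for illustration.

```python
"""Mass-rename heuristic behind a 'modifies extensions of user files' signature:
group file-rename events by the extension that was appended and flag any
extension appended to several files. Added example, not sandbox code. The
first two events are the renames recorded in the report; the rest are
constructed to show what the heuristic must ignore."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_RENAMES: List[Tuple[str, str]] = [
    # From the report: original path => renamed path
    (r"C:\Users\Admin\Pictures\DenyReset.tif", r"C:\Users\Admin\Pictures\DenyReset.tif.GoNNaCry"),
    (r"C:\Users\Admin\Pictures\MountDismount.tif", r"C:\Users\Admin\Pictures\MountDismount.tif.GoNNaCry"),
    # Constructed: same marker in a different case, must land in the same group
    (r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.gonnacry"),
    # Constructed benign renames that must not count
    (r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report_final.docx"),  # stem changed
    (r"C:\Users\Admin\Downloads\setup.tmp", r"C:\Users\Admin\Downloads\setup.exe"),            # extension swapped
    (r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\old\notes.txt"),            # moved
    (r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.bak"),            # one-off backup
]


def appended_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the suffix appended to old_path, or None when the rename is
    anything other than 'old name + .ext' in the same directory."""
    if not new_path.startswith(old_path) or len(new_path) == len(old_path):
        return None
    suffix = new_path[len(old_path):]
    # A suffix containing a separator means a path component was added,
    # not an extension; anything not starting with '.' is not an extension.
    if not suffix.startswith(".") or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def group_by_appended_extension(renames: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each appended extension (lower-cased) to the original paths it hit."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for old_path, new_path in renames:
        suffix = appended_extension(old_path, new_path)
        if suffix is not None:
            groups[suffix.lower()].append(old_path)
    return dict(groups)


def suspicious_extensions(renames: List[Tuple[str, str]], threshold: int = 2) -> Dict[str, int]:
    """Extensions appended to at least `threshold` files, with the file count."""
    return {
        ext: len(paths)
        for ext, paths in group_by_appended_extension(renames).items()
        if len(paths) >= threshold
    }


if __name__ == "__main__":
    for ext, count in suspicious_extensions(SAMPLE_RENAMES).items():
        print(f"{count} files renamed with appended extension {ext}")
```

Keying on the appended suffix rather than on a fixed string such as `.GoNNaCry` means a rebuilt sample with a different marker is still caught, while a single backup rename or a move into a subfolder is not.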
Processes
-
(image path, then command line; [n] is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\Compile by raminhk 2.exe
    "C:\Users\Admin\AppData\Local\Temp\Compile by raminhk 2.exe"
    - Modifies extensions of user files
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\tasklist.exe
        tasklist /FO csv
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe
            vssadmin delete shadow /all /quiet
        [3] C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe
        cmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled No
            - Modifies boot configuration data using bcdedit
    [2] C:\Windows\system32\cmd.exe
        cmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe
            REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            - Modifies registry key
    [2] C:\Windows\system32\cmd.exe
        cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f
            - Adds Run key to start application
            - Modifies registry key
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
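The process tree above is what a process-creation feed (Sysmon event 1, Windows 4688) would hand a detection engine, and every recovery-inhibiting and persistence step runs through a documented LOLBin command line. The following is an added example, written for this page and not part of the sandbox output or the sample, of turning those command lines into MITRE ATT&CK technique hits and attributing them back to the dropper that spawned the `cmd.exe` wrappers. The command lines in `SAMPLE_EVENTS` are copied from the tree above; the event dictionaries around them, the `ParentProcessId` links, the rule labels and all function names are constructed. Note that the first chain misspells `bootstatuspolicy` as `boostatuspolicy`, which bcdedit will not accept, and the second chain passes `Quiet` without a slash; the rules below are written to match both the working and the broken variants, since the intent is what matters for detection.

```python
"""Classify Windows process-creation command lines against the ransomware
behaviours recorded in this report (inhibit system recovery, disable Task
Manager, Run-key persistence). Added example, not part of the sandbox output.
The command lines in SAMPLE_EVENTS are copied from the report's process tree;
the event wrapper (ProcessId / ParentProcessId / CommandLine, as a Sysmon
EID 1 or 4688 feed would provide) is constructed."""
import re
from typing import Dict, List

# (label, regex over the full command line). Case-insensitive and tolerant of
# the argument variants the sample used: "delete shadow /all /quiet" in one
# chain, "Delete Shadows /All Quiet" (no slash on Quiet) in another.
RULES = [
    ("T1490 vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows?\b", re.I)),
    ("T1490 wmic shadow copy deletion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490 bcdedit recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    # 'boot?statuspolicy' also catches the misspelt 'boostatuspolicy' in the
    # first cmd chain: bcdedit rejects the typo, but the intent is still logged.
    ("T1490 bcdedit boot status policy",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bboot?statuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490 wbadmin catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("T1112 Task Manager disabled via registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\bDisableTaskMgr\b.*/d\s+1\b", re.I)),
    ("T1547.001 Run key persistence",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I)),
]

SAMPLE_EVENTS: List[Dict] = [
    {"ProcessId": 424, "ParentProcessId": 0,
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\Compile by raminhk 2.exe"'},
    {"ProcessId": 2608, "ParentProcessId": 424, "CommandLine": "tasklist /FO csv"},
    {"ProcessId": 2700, "ParentProcessId": 424,
     "CommandLine": "cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & "
                    "bcdedit /set {default} boostatuspolicy ignoreallfailures & "
                    "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q"},
    {"ProcessId": 508, "ParentProcessId": 2700, "CommandLine": "vssadmin delete shadow /all /quiet"},
    {"ProcessId": 1548, "ParentProcessId": 2700, "CommandLine": "wmic shadowcopy delete"},
    {"ProcessId": 2008, "ParentProcessId": 424,
     "CommandLine": r"cmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} "
                    r"bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet"},
    {"ProcessId": 2704, "ParentProcessId": 2008, "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"ProcessId": 3556, "ParentProcessId": 424,
     "CommandLine": r"cmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"ProcessId": 2340, "ParentProcessId": 3556,
     "CommandLine": r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"ProcessId": 3652, "ParentProcessId": 424,
     "CommandLine": r'cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f'},
    {"ProcessId": 1652, "ParentProcessId": 3652,
     "CommandLine": r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f'},
]


def classify(cmdline: str) -> List[str]:
    """Labels of every rule the command line matches, in RULES order."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan_events(events: List[Dict]) -> Dict[int, List[str]]:
    """ProcessId -> labels, for events that hit at least one rule."""
    return {ev["ProcessId"]: labels for ev in events if (labels := classify(ev["CommandLine"]))}


def root_process(events: List[Dict], pid: int) -> int:
    """Follow ParentProcessId links to the top-most process we have an event for."""
    parents = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events}
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def by_root(events: List[Dict]) -> Dict[int, List[str]]:
    """Root ProcessId -> sorted technique IDs observed anywhere beneath it,
    so a dropper that fans out through cmd.exe wrappers is scored once."""
    result: Dict[int, set] = {}
    for pid, labels in scan_events(events).items():
        result.setdefault(root_process(events, pid), set()).update(l.split()[0] for l in labels)
    return {pid: sorted(ids) for pid, ids in result.items()}


def technique_ids(events: List[Dict]) -> List[str]:
    """All technique IDs seen across the feed, sorted."""
    return sorted({tid for ids in by_root(events).values() for tid in ids})


if __name__ == "__main__":
    for pid, labels in scan_events(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(labels))
    print("per root:", by_root(SAMPLE_EVENTS))
```

`tasklist /FO csv` on its own produces no hit: process enumeration is too common to alert on, which is why the sandbox lists it as "Enumerates processes" rather than as a TTP of its own. The wrapper `cmd.exe` and its child both match the same rule, so `by_root` collapses the tree to one verdict per initial process, which is the unit an analyst actually triages.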
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/424-114-0x00000000002E0000-0x0000000001570000-memory.dmp  (Filesize 18.6MB)
memory/424-115-0x00007FF8A19C0000-0x00007FF8A19C2000-memory.dmp  (Filesize 8KB)
memory/508-118-0x0000000000000000-mapping.dmp
memory/1548-119-0x0000000000000000-mapping.dmp
memory/1652-125-0x0000000000000000-mapping.dmp
memory/2008-120-0x0000000000000000-mapping.dmp
memory/2340-123-0x0000000000000000-mapping.dmp
memory/2608-116-0x0000000000000000-mapping.dmp
memory/2700-117-0x0000000000000000-mapping.dmp
memory/2704-121-0x0000000000000000-mapping.dmp
memory/3556-122-0x0000000000000000-mapping.dmp
memory/3652-124-0x0000000000000000-mapping.dmp