Analysis
- Max time kernel: 122s
- Max time network: 124s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 07-05-2021 04:05

Static task: static1

Behavioral task: behavioral1
- Sample: Compile.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Compile.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Compile.exe
- Size: 6.6MB
- MD5: 0063315a032fd1d3728c2f6e726a30d0
- SHA1: 9c2bc3b753ee4ce52f9d48f9d2c067cb1ce5eb24
- SHA256: f0f3009b3d88e680f9e022575be694cb565ec8824d8d3252a8af43b00fb2dd36
- SHA512: 0c5d05c8dfdbf7f7394664054a9acd0d02ac54f7eac8e78dae2f8987583c7a66974e1fe1b4e429df710d1f0b5d6c711da96113ec0d497be14355336cf854450f
- Score: 9/10
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)
- Modifies extensions of user files (6 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: Compile.exe
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\OptimizeApprove.png => C:\Users\Admin\Pictures\OptimizeApprove.png.GoNNaCry | Compile.exe
  File renamed | C:\Users\Admin\Pictures\ShowDisconnect.tif => C:\Users\Admin\Pictures\ShowDisconnect.tif.GoNNaCry | Compile.exe
  File renamed | C:\Users\Admin\Pictures\UnlockTest.png => C:\Users\Admin\Pictures\UnlockTest.png.GoNNaCry | Compile.exe
  File renamed | C:\Users\Admin\Pictures\WaitPop.tif => C:\Users\Admin\Pictures\WaitPop.tif.GoNNaCry | Compile.exe
  File renamed | C:\Users\Admin\Pictures\ClearConvertFrom.tif => C:\Users\Admin\Pictures\ClearConvertFrom.tif.GoNNaCry | Compile.exe
  File renamed | C:\Users\Admin\Pictures\CompareRevoke.tif => C:\Users\Admin\Pictures\CompareRevoke.tif.GoNNaCry | Compile.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Compile.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Infected = "c8029c6cb9c1e297835f0df0ae8d36991887f3daa1c8535223074e3feb7962a6c8029c6cb9c1e297835f0df0ae8d3699" | Compile.exe
- Drops desktop.ini file(s) (24 IoCs)
  Processes: Compile.exe
  description | ioc | process
  File created | C:\Users\Public\Libraries\desktop.ini | Compile.exe
  File created | C:\Users\Public\Music\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Desktop\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Documents\desktop.ini | Compile.exe
  File created | C:\Users\Admin\OneDrive\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Pictures\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Videos\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Downloads\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Saved Games\desktop.ini | Compile.exe
  File created | C:\Users\Public\Documents\desktop.ini | Compile.exe
  File created | C:\Users\Public\Downloads\desktop.ini | Compile.exe
  File created | C:\Users\Public\Desktop\desktop.ini | Compile.exe
  File created | C:\Users\Public\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Favorites\Links\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Links\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Music\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Searches\desktop.ini | Compile.exe
  File created | C:\Users\Public\AccountPictures\desktop.ini | Compile.exe
  File created | C:\Users\Public\Videos\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Contacts\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Favorites\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | Compile.exe
  File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | Compile.exe
  File created | C:\Users\Public\Pictures\desktop.ini | Compile.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: tasklist.exe, WMIC.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1964 | tasklist.exe
  Token: SeIncreaseQuotaPrivilege | 2724 | WMIC.exe
  Token: SeSecurityPrivilege | 2724 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2724 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2724 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2724 | WMIC.exe
  Token: SeSystemtimePrivilege | 2724 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2724 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2724 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2724 | WMIC.exe
  Token: SeBackupPrivilege | 2724 | WMIC.exe
  Token: SeRestorePrivilege | 2724 | WMIC.exe
  Token: SeShutdownPrivilege | 2724 | WMIC.exe
  Token: SeDebugPrivilege | 2724 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2724 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2724 | WMIC.exe
  Token: SeUndockPrivilege | 2724 | WMIC.exe
  Token: SeManageVolumePrivilege | 2724 | WMIC.exe
  Token: 33 | 2724 | WMIC.exe
  Token: 34 | 2724 | WMIC.exe
  Token: 35 | 2724 | WMIC.exe
  Token: 36 | 2724 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 2724 | WMIC.exe
  Token: SeSecurityPrivilege | 2724 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 2724 | WMIC.exe
  Token: SeLoadDriverPrivilege | 2724 | WMIC.exe
  Token: SeSystemProfilePrivilege | 2724 | WMIC.exe
  Token: SeSystemtimePrivilege | 2724 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 2724 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 2724 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 2724 | WMIC.exe
  Token: SeBackupPrivilege | 2724 | WMIC.exe
  Token: SeRestorePrivilege | 2724 | WMIC.exe
  Token: SeShutdownPrivilege | 2724 | WMIC.exe
  Token: SeDebugPrivilege | 2724 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 2724 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 2724 | WMIC.exe
  Token: SeUndockPrivilege | 2724 | WMIC.exe
  Token: SeManageVolumePrivilege | 2724 | WMIC.exe
  Token: 33 | 2724 | WMIC.exe
  Token: 34 | 2724 | WMIC.exe
  Token: 35 | 2724 | WMIC.exe
  Token: 36 | 2724 | WMIC.exe
  Token: SeBackupPrivilege | 3228 | vssvc.exe
  Token: SeRestorePrivilege | 3228 | vssvc.exe
  Token: SeAuditPrivilege | 3228 | vssvc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: Compile.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 656 wrote to memory of 1964 | 656 | Compile.exe | tasklist.exe
  PID 656 wrote to memory of 1964 | 656 | Compile.exe | tasklist.exe
  PID 656 wrote to memory of 3628 | 656 | Compile.exe | cmd.exe
  PID 656 wrote to memory of 3628 | 656 | Compile.exe | cmd.exe
  PID 3628 wrote to memory of 1988 | 3628 | cmd.exe | vssadmin.exe
  PID 3628 wrote to memory of 1988 | 3628 | cmd.exe | vssadmin.exe
  PID 3628 wrote to memory of 2724 | 3628 | cmd.exe | WMIC.exe
  PID 3628 wrote to memory of 2724 | 3628 | cmd.exe | WMIC.exe
  PID 656 wrote to memory of 2056 | 656 | Compile.exe | cmd.exe
  PID 656 wrote to memory of 2056 | 656 | Compile.exe | cmd.exe
  PID 2056 wrote to memory of 1276 | 2056 | cmd.exe | bcdedit.exe
  PID 2056 wrote to memory of 1276 | 2056 | cmd.exe | bcdedit.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Compile.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Compile.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\tasklist.exe (depth 2)
    Command line: tasklist /FO csv
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (depth 3)
      Command line: vssadmin delete shadow /all /quiet
    - C:\Windows\System32\Wbem\WMIC.exe (depth 3)
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe (depth 3)
      Command line: bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1276-119-0x0000000000000000-mapping.dmp
- memory/1964-114-0x0000000000000000-mapping.dmp
- memory/1988-116-0x0000000000000000-mapping.dmp
- memory/2056-118-0x0000000000000000-mapping.dmp
- memory/2724-117-0x0000000000000000-mapping.dmp
- memory/3628-115-0x0000000000000000-mapping.dmp