24fa69380258da421941c711036a3f0a834ec6eb7919d0a4992b05ea0c549807

Analysis

max time kernel
122s
max time network
125s
platform
windows10_x64
resource
win10v20210408
submitted
07/05/2021, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Compil by raminhk.exe
Size

11.7MB
MD5

cae9a30235cd1be5aba8f2969ad82573
SHA1

35a86c4eb38a60a22b102b2fb82b34e4126956d2
SHA256

24fa69380258da421941c711036a3f0a834ec6eb7919d0a4992b05ea0c549807
SHA512

2d50e3aed489f7e18bf076b056e2a5d66dd7cb235b3f0b5b5df96e89d3e7e31afa1d6ee9a37895717a700467b5c7516c9de5740ef990fdbdeb0efabb63ee0930

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3940	bcdedit.exe

Disables Task Manager via registry modification
evasion

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RevokeTest.tif => C:\Users\Admin\Pictures\RevokeTest.tif.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\CompleteSelect.png => C:\Users\Admin\Pictures\CompleteSelect.png.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\PopUnregister.tif => C:\Users\Admin\Pictures\PopUnregister.tif.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\RevokeInitialize.png => C:\Users\Admin\Pictures\RevokeInitialize.png.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\StopBackup.png => C:\Users\Admin\Pictures\StopBackup.png.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\SubmitUndo.tif => C:\Users\Admin\Pictures\SubmitUndo.tif.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\UseUndo.png => C:\Users\Admin\Pictures\UseUndo.png.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\ConfirmRestore.tif => C:\Users\Admin\Pictures\ConfirmRestore.tif.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\FormatShow.tif => C:\Users\Admin\Pictures\FormatShow.tif.GoNNaCry	Compil by raminhk.exe
File renamed	C:\Users\Admin\Pictures\RevokeMerge.tif => C:\Users\Admin\Pictures\RevokeMerge.tif.GoNNaCry	Compil by raminhk.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Infected = "55628c8cbd9c8a3d3b490872acc0f1e9bab5044f91fd363ad29ec3c808c7dbcc55628c8cbd9c8a3d3b490872acc0f1e9"	Compil by raminhk.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\WindowsSecurityUpdate.exe /onboot"	reg.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File created	C:\Users\Admin\Music\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Searches\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\Libraries\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\Videos\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\Downloads\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Documents\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Downloads\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Favorites\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Links\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\Desktop\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Videos\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\Documents\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\Music\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\Pictures\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Contacts\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Desktop\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Admin\Pictures\desktop.ini	Compil by raminhk.exe
File created	C:\Users\Public\desktop.ini	Compil by raminhk.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3884	tasklist.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2552	reg.exe
3860	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
584	Compil by raminhk.exe
584	Compil by raminhk.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3028	WMIC.exe
Token: SeSecurityPrivilege	3028	WMIC.exe
Token: SeTakeOwnershipPrivilege	3028	WMIC.exe
Token: SeLoadDriverPrivilege	3028	WMIC.exe
Token: SeSystemProfilePrivilege	3028	WMIC.exe
Token: SeSystemtimePrivilege	3028	WMIC.exe
Token: SeProfSingleProcessPrivilege	3028	WMIC.exe
Token: SeIncBasePriorityPrivilege	3028	WMIC.exe
Token: SeCreatePagefilePrivilege	3028	WMIC.exe
Token: SeBackupPrivilege	3028	WMIC.exe
Token: SeRestorePrivilege	3028	WMIC.exe
Token: SeShutdownPrivilege	3028	WMIC.exe
Token: SeDebugPrivilege	3028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3028	WMIC.exe
Token: SeRemoteShutdownPrivilege	3028	WMIC.exe
Token: SeUndockPrivilege	3028	WMIC.exe
Token: SeManageVolumePrivilege	3028	WMIC.exe
Token: 33	3028	WMIC.exe
Token: 34	3028	WMIC.exe
Token: 35	3028	WMIC.exe
Token: 36	3028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3028	WMIC.exe
Token: SeSecurityPrivilege	3028	WMIC.exe
Token: SeTakeOwnershipPrivilege	3028	WMIC.exe
Token: SeLoadDriverPrivilege	3028	WMIC.exe
Token: SeSystemProfilePrivilege	3028	WMIC.exe
Token: SeSystemtimePrivilege	3028	WMIC.exe
Token: SeProfSingleProcessPrivilege	3028	WMIC.exe
Token: SeIncBasePriorityPrivilege	3028	WMIC.exe
Token: SeCreatePagefilePrivilege	3028	WMIC.exe
Token: SeBackupPrivilege	3028	WMIC.exe
Token: SeRestorePrivilege	3028	WMIC.exe
Token: SeShutdownPrivilege	3028	WMIC.exe
Token: SeDebugPrivilege	3028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3028	WMIC.exe
Token: SeRemoteShutdownPrivilege	3028	WMIC.exe
Token: SeUndockPrivilege	3028	WMIC.exe
Token: SeManageVolumePrivilege	3028	WMIC.exe
Token: 33	3028	WMIC.exe
Token: 34	3028	WMIC.exe
Token: 35	3028	WMIC.exe
Token: 36	3028	WMIC.exe
Token: SeBackupPrivilege	3168	vssvc.exe
Token: SeRestorePrivilege	3168	vssvc.exe
Token: SeAuditPrivilege	3168	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 3884	584	Compil by raminhk.exe	71
PID 584 wrote to memory of 3884	584	Compil by raminhk.exe	71
PID 584 wrote to memory of 2544	584	Compil by raminhk.exe	76
PID 584 wrote to memory of 2544	584	Compil by raminhk.exe	76
PID 2544 wrote to memory of 3756	2544	cmd.exe	78
PID 2544 wrote to memory of 3756	2544	cmd.exe	78
PID 2544 wrote to memory of 3028	2544	cmd.exe	79
PID 2544 wrote to memory of 3028	2544	cmd.exe	79
PID 584 wrote to memory of 4048	584	Compil by raminhk.exe	83
PID 584 wrote to memory of 4048	584	Compil by raminhk.exe	83
PID 4048 wrote to memory of 3940	4048	cmd.exe	85
PID 4048 wrote to memory of 3940	4048	cmd.exe	85
PID 584 wrote to memory of 3068	584	Compil by raminhk.exe	86
PID 584 wrote to memory of 3068	584	Compil by raminhk.exe	86
PID 3068 wrote to memory of 2552	3068	cmd.exe	88
PID 3068 wrote to memory of 2552	3068	cmd.exe	88
PID 584 wrote to memory of 2488	584	Compil by raminhk.exe	89
PID 584 wrote to memory of 2488	584	Compil by raminhk.exe	89
PID 2488 wrote to memory of 3860	2488	cmd.exe	91
PID 2488 wrote to memory of 3860	2488	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\Compil by raminhk.exe
"C:\Users\Admin\AppData\Local\Temp\Compil by raminhk.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\system32\tasklist.exe
  tasklist /FO csv
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadow /all /quiet
    3⤵
    PID:3756
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- C:\Windows\system32\cmd.exe
  cmd /c bcdedit /set {default} recoveryenabled No cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\System32\cmd.exe /C vssadmin.exe Delete Shadows /All Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3940
- C:\Windows\system32\cmd.exe
  cmd /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2552
- C:\Windows\system32\cmd.exe
  cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Update" /t REG_SZ /d "C:\Users\Admin\WindowsSecurityUpdate.exe /onboot" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-115-0x00007FFA2E970000-0x00007FFA2E972000-memory.dmp

Filesize
8KB

Download