Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
25-05-2021 17:46
Static task
static1
Behavioral task
behavioral1
Sample
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
Resource
win10v20210410
General
-
Target
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
-
Size
126KB
-
MD5
e1ff64f0910b1e31a12a17ecc9173250
-
SHA1
edee8ab5e9edae3c6f7fbff32151c9d9e2c7f360
-
SHA256
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a
-
SHA512
10364700d1dd533bbf2345908067129386e119cb434ceaff55282a2ee2cc58fc9ddfca40fbc3e333dd4394436eabeb5c29268c088f94eec95abc69921af48428
Malware Config
Extracted
C:\Users\Admin\Desktop\READ_ME.crypted.txt
kabayaboo@protonmail.com
36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz
Signatures
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exedescription ioc process File created C:\Users\Admin\Pictures\ConvertToClear.crw.crypted a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe -
Drops desktop.ini file(s) 3 IoCs
Processes:
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\desktop.ini a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe File opened for modification C:\Users\Admin\Documents\desktop.ini a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings rundll32.exe -
Opens file in notepad (likely ransom note) 4 IoCs
Processes:
NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXEpid process 916 NOTEPAD.EXE 1740 NOTEPAD.EXE 1104 NOTEPAD.EXE 1388 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exedescription pid process Token: SeDebugPrivilege 1748 a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exepid process 1748 a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1960 wrote to memory of 1388 1960 rundll32.exe NOTEPAD.EXE PID 1960 wrote to memory of 1388 1960 rundll32.exe NOTEPAD.EXE PID 1960 wrote to memory of 1388 1960 rundll32.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WatchEnable.cfg.crypted1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchEnable.cfg.crypted2⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\READ_ME.crypted.txtMD5
2501d4102b74c5618996c57ea4376765
SHA16288d7898ccaee948a3951a94923d6872720a928
SHA25630c921614d1b4495a48aea880e4b58f15ae0de076722d8fed20cc1f3bf66d732
SHA51208de352e9cec73109cb2bb94b93a3a868907eb249ef60a632a5044bc24411aec14053946e8f6c5919596ab2554ea03fe814b01ad3d257c62c1a8b4c2945f5cbc
-
C:\Users\Admin\Desktop\WatchEnable.cfg.cryptedMD5
7567159e9939cbefc75ed8328c66d0c6
SHA1ade3cb6877cc26e48a6d0a184fa012537557e693
SHA2569a43a9c87757993ef6d616d75a41fbaff7b52db1f8dbeadeca2fa782edf81dfc
SHA512f50e2ff913d08b14d2c980e74dd70b0505e824860dbe18800fddaa36c8518c9bd34bd7d6b1255ac6c980c5d71d83dcda136ba2d8df5e945719d0c3b860bbe1b1
-
memory/916-63-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmpFilesize
8KB
-
memory/1388-68-0x0000000000000000-mapping.dmp
-
memory/1748-59-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/1748-61-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB
-
memory/1748-62-0x0000000004C75000-0x0000000004C86000-memory.dmpFilesize
68KB