Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 06-06-2021 18:34

Static task: static1

Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: sample.exe
- Resource: win10v20210408
General
- Target: sample.exe
- Size: 171KB
- MD5: d3d0035a769e6ef98b1433160b2c8333
- SHA1: be1d0aed32308166721d4756e2216dc44c2d0baa
- SHA256: 6b6158f74dbd43b8c839d5ae65d33ae9a11c9e3cef5fa52d86105983a67cdc4f
- SHA512: b86b1ab9ad2c4c851c8712d0e49321cd3f9671815592bd4228664d236093cbb904f091dc7ad60815a56da5f9face2ce11fbd84790afca4d480ae17fa76dcb229
Malware Config
Signatures

- Modifies extensions of user files (7 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: sample.exe
  - File created: C:\Users\Admin\Pictures\CloseWatch.crw.mcburglar (sample.exe)
  - File created: C:\Users\Admin\Pictures\ConvertResolve.crw.mcburglar (sample.exe)
  - File created: C:\Users\Admin\Pictures\ExportUnpublish.raw.mcburglar (sample.exe)
  - File created: C:\Users\Admin\Pictures\InstallComplete.png.mcburglar (sample.exe)
  - File created: C:\Users\Admin\Pictures\SaveOptimize.crw.mcburglar (sample.exe)
  - File created: C:\Users\Admin\Pictures\WatchRename.raw.mcburglar (sample.exe)
  - File created: C:\Users\Admin\Pictures\WriteRename.png.mcburglar (sample.exe)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Drops desktop.ini file(s) (12 IoCs)
  Processes: sample.exe
  - File opened for modification: C:\Users\Admin\Desktop\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\Pictures\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\Documents\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini (sample.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini (sample.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (3 IoCs)
  Processes: rundll32.exe, rundll32.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings (rundll32.exe)

- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes: NOTEPAD.EXE, NOTEPAD.EXE
  - PID 840: NOTEPAD.EXE
  - PID 868: NOTEPAD.EXE

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: AUDIODG.EXE
  - Token: 33 (PID 1644, AUDIODG.EXE)
  - Token: SeIncBasePriorityPrivilege (PID 1644, AUDIODG.EXE)
  - Token: 33 (PID 1644, AUDIODG.EXE)
  - Token: SeIncBasePriorityPrivilege (PID 1644, AUDIODG.EXE)

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  - PID 904 wrote to memory of 840 (rundll32.exe -> NOTEPAD.EXE)
  - PID 904 wrote to memory of 840 (rundll32.exe -> NOTEPAD.EXE)
  - PID 904 wrote to memory of 840 (rundll32.exe -> NOTEPAD.EXE)
Processes

- C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Modifies extensions of user files
  - Drops desktop.ini file(s)

- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\desktop.ini.mcburglar
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\NOTEPAD.EXE (child of rundll32.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\desktop.ini.mcburglar
    - Opens file in notepad (likely ransom note)

- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\AddRevoke.avi.mcburglar
  - Modifies registry class

- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-MCBURGLAR.txt

- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\WaitLock.txt
  - Opens file in notepad (likely ransom note)

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x48c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\Desktop\README-MCBURGLAR.txt
  MD5: 704193eac7d536949827ecfad5fdbf6c
  SHA1: 734da35e83bc056f3a8c94bca46c50e4c7735a5a
  SHA256: 4ddc3aa84bed75b693a6265c8492145e2a7affbe4da90ba487352eb7bd1b2d7c
  SHA512: 39eb548f0a106191780d1c41ef271678c66ff28930469713bd6e3dafcff7cda4e3a53d5838c992b4d0527e02374455739e3e2d69a0d089d603edcad5fc4924dc

- C:\Users\Admin\Desktop\desktop.ini.mcburglar
  MD5: ddb7545e6cbd5b39caa8f7c999e89613
  SHA1: 79e1549e9daa21cbc6be4b94de51d6ddbaebf6f3
  SHA256: 30148b590468ae2e4d7559540aeb83ba45e0693ba1c675a7645315730b6a4895
  SHA512: 946a1ed063ae4f7b602174ecca1ea5438a98bf3816b45fb4d68ab2d6330c4890c544576231a0b34ad89b4c95b90efc24cca740c21ccd1a5b954775d9b96db0b2

- memory/840-65-0x0000000000000000-mapping.dmp
- memory/904-64-0x000007FEFB881000-0x000007FEFB883000-memory.dmp (Filesize: 8KB)
- memory/1616-60-0x0000000000AC0000-0x0000000000AC1000-memory.dmp (Filesize: 4KB)
- memory/1616-62-0x0000000075631000-0x0000000075633000-memory.dmp (Filesize: 8KB)
- memory/1616-63-0x0000000004980000-0x0000000004981000-memory.dmp (Filesize: 4KB)