Resubmissions
28-08-2022 23:26  220828-3e8ymagabq  5
10-06-2021 11:42  210610-j9y37a6cma  5
10-06-2021 11:31  210610-k9s461t52a  5

Analysis
max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7v20210408
submitted: 10-06-2021 11:31
Static task: static1
Behavioral task: behavioral1 (Sample: sample.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: sample.exe, Resource: win10v20210410)
General
Target: sample.exe
Size: 2.3MB
MD5: 84ffb87cc91d697db2f5685df68de7af
SHA1: 4f0360d60b685ed6059d32aef24c6b3cbbd46e9e
SHA256: 10bba07a1965c61a2ec05b46331e3eeda3d7bdeb8074c86009dc11f2564048fa
SHA512: c6b178f37b2318b4eeaf1e151cac70a10b0be8eeb0e8153bd324a66314a33dca27e43254518a4b2db2ed5cab31ff836e0fa84e2a8112b67772409d77f39d5e9f
Malware Config
Signatures
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\Notify.jpg" | sample.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel (2 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "6" | sample.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\TileWallpaper = "0" | sample.exe
Modifies registry class (12 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file\shell\edit\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file\shell\open | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\.bam!\ = "bam!_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file\shell\edit | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file\shell\open\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\bam!_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\.bam! | rundll32.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes (pid | process):
  524 | NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description | pid | process):
  Token: 33 | 1000 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1000 | AUDIODG.EXE
  Token: 33 | 1000 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1000 | AUDIODG.EXE
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description | pid | process | target process):
  PID 1792 wrote to memory of 524 | 1792 | rundll32.exe | NOTEPAD.EXE
  PID 1792 wrote to memory of 524 | 1792 | rundll32.exe | NOTEPAD.EXE
  PID 1792 wrote to memory of 524 | 1792 | rundll32.exe | NOTEPAD.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\sample.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
C:\Windows\system32\rundll32.exe (level 1)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\AssertEnable.vsdx.bam!
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE (level 2, child of rundll32.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\AssertEnable.vsdx.bam!
    - Opens file in notepad (likely ransom note)
C:\Windows\system32\AUDIODG.EXE (level 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4f8
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\AssertEnable.vsdx.bam!
  MD5: d65ba7e9847369b709cbbd74d6a09aaf
  SHA1: 72922d0ab9dba5a5bd1cd8c1dfdf3ab62112755d
  SHA256: 1e323d09edf69d246103061ff0f14dfed226cb902b14611b1c06bfec3beab4ca
  SHA512: da20ecba20b4369ad491e599e146ecfe54e0831f4ebecd014b0f3be642c67f02bfaa9dd86094cc721301a49deb37dad0969c5821c5de4f81a7fc9a704637fb40
memory/524-62-0x0000000000000000-mapping.dmp
memory/736-60-0x0000000075891000-0x0000000075893000-memory.dmp
  Filesize: 8KB
memory/1792-61-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp
  Filesize: 8KB