Analysis
- max time kernel: 29s
- max time network: 31s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 17-06-2021 04:43
Static task: static1
Behavioral task: behavioral1
- Sample: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
- Resource: win10v20210410
General
- Target: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
- Size: 122KB
- MD5: 57ff40b98ed3c71c8a7e48bea44e0d8f
- SHA1: 3ee75869cf8019b1fbdf7a0bd317b3ca53433b59
- SHA256: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb
- SHA512: e2a9d2f52a72a3c2cf3dc48185026fd000032ec787dead9a666a138a5b87718feed710317dd731bb4c791aeb8604e0780f7c39c9c1337d6ac79f42473d321512
Malware Config
Extracted
- C:\7rs01j1w-readme.txt
- http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
- https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7F776AC8AE0C14C7
- http://decoder.re/7F776AC8AE0C14C7
Signatures
- Modifies Windows Firewall (1 TTPs)
- Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
IoCs (description: ioc; every row was produced by process 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe):
- File renamed: C:\Users\Admin\Pictures\EnableHide.tiff => \??\c:\users\admin\pictures\EnableHide.tiff.7rs01j1w
- File opened for modification: \??\c:\users\admin\pictures\SetUse.tiff
- File renamed: C:\Users\Admin\Pictures\SetUse.tiff => \??\c:\users\admin\pictures\SetUse.tiff.7rs01j1w
- File opened for modification: \??\c:\users\admin\pictures\SubmitUnpublish.tiff
- File renamed: C:\Users\Admin\Pictures\SubmitUnpublish.tiff => \??\c:\users\admin\pictures\SubmitUnpublish.tiff.7rs01j1w
- File renamed: C:\Users\Admin\Pictures\SyncClear.tif => \??\c:\users\admin\pictures\SyncClear.tif.7rs01j1w
- File opened for modification: \??\c:\users\admin\pictures\EnableHide.tiff
- File renamed: C:\Users\Admin\Pictures\InitializeExit.crw => \??\c:\users\admin\pictures\InitializeExit.crw.7rs01j1w
- File renamed: C:\Users\Admin\Pictures\OutStep.png => \??\c:\users\admin\pictures\OutStep.png.7rs01j1w
- File renamed: C:\Users\Admin\Pictures\RenameJoin.tif => \??\c:\users\admin\pictures\RenameJoin.tif.7rs01j1w
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
IoCs (description: ioc; both rows were produced by process 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
IoCs (description: ioc; all 25 rows were produced by process 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe):
- File opened (read-only), one row per drive root, in the order reported: \??\G:, \??\H:, \??\K:, \??\M:, \??\P:, \??\Q:, \??\U:, \??\A:, \??\E:, \??\N:, \??\T:, \??\Y:, \??\L:, \??\S:, \??\W:, \??\X:, \??\Z:, \??\B:, \??\F:, \??\I:, \??\J:, \??\O:, \??\R:, \??\V:, \??\D:
- Drops file in Program Files directory (27 IoCs)
Processes: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
IoCs (description: ioc; every row was produced by process 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe):
- File opened for modification: \??\c:\program files\RepairMerge.rm
- File opened for modification: \??\c:\program files\RequestUninstall.avi
- File opened for modification: \??\c:\program files\SetBackup.php
- File opened for modification: \??\c:\program files\SwitchCopy.vssm
- File opened for modification: \??\c:\program files\UpdateAdd.xltx
- File created: \??\c:\program files (x86)\tmp
- File opened for modification: \??\c:\program files\MoveBlock.wvx
- File opened for modification: \??\c:\program files\PopRestart.mpp
- File opened for modification: \??\c:\program files\EnterOut.wdp
- File opened for modification: \??\c:\program files\ResumeWatch.vsdx
- File opened for modification: \??\c:\program files\SetResume.mpeg2
- File opened for modification: \??\c:\program files\SwitchFormat.jpg
- File created: \??\c:\program files\7rs01j1w-readme.txt
- File opened for modification: \??\c:\program files\AssertWatch.jfif
- File opened for modification: \??\c:\program files\GetEnable.mp4
- File opened for modification: \??\c:\program files\HideAdd.potx
- File opened for modification: \??\c:\program files\MountOpen.wps
- File opened for modification: \??\c:\program files\RestoreInitialize.vsx
- File opened for modification: \??\c:\program files\SuspendSwitch.jfif
- File created: \??\c:\program files\tmp
- File created: \??\c:\program files (x86)\7rs01j1w-readme.txt
- File opened for modification: \??\c:\program files\ConvertOpen.mp2v
- File opened for modification: \??\c:\program files\FormatSkip.mov
- File opened for modification: \??\c:\program files\GrantUnpublish.pptx
- File opened for modification: \??\c:\program files\ClearConvertFrom.pptx
- File opened for modification: \??\c:\program files\ExpandGroup.xht
- File opened for modification: \??\c:\program files\ExpandBackup.dxf
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
IoCs (pid: process):
- 3904: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe (the same row is reported 8 times)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe, vssvc.exe
IoCs (description: pid, process):
- Token: SeDebugPrivilege: 3904, 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
- Token: SeTakeOwnershipPrivilege: 3904, 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
- Token: SeBackupPrivilege: 2420, vssvc.exe
- Token: SeRestorePrivilege: 2420, vssvc.exe
- Token: SeAuditPrivilege: 2420, vssvc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
IoCs (description: pid, process, target process):
- PID 3904 wrote to memory of 1592: 3904, 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe, netsh.exe (the same row is reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe"
  Signatures:
  - Modifies extensions of user files
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3904
  - C:\Windows\SysWOW64\netsh.exe (child of PID 3904)
    Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    PID: 1592
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2192
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  PID: 2420
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1592-114-0x0000000000000000-mapping.dmp