Analysis

max time kernel: 145s
max time network: 152s
platform: windows7_x64
resource: win7v20210408
submitted: 17-06-2021 05:04
Static task: static1

Behavioral task: behavioral1
Sample: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
Resource: win7v20210408

Behavioral task: behavioral2
Sample: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
Resource: win10v20210410

The signatures and process tree below come from behavioral1 (win7v20210408, the resource named in the Analysis header); the win10v20210410 run is not reproduced on this page.
General

Target: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
Size: 122KB
MD5: 57ff40b98ed3c71c8a7e48bea44e0d8f
SHA1: 3ee75869cf8019b1fbdf7a0bd317b3ca53433b59
SHA256: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb
SHA512: e2a9d2f52a72a3c2cf3dc48185026fd000032ec787dead9a666a138a5b87718feed710317dd731bb4c791aeb8604e0780f7c39c9c1337d6ac79f42473d321512
Malware Config

Extracted from ransom note: C:\4mpirq6my0-readme.txt

URLs carried in the note:
- http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/
- https://www.coveware.com/blog/2019/7/15/ransomware-amounts-rise-3x-in-q2-as-ryuk-amp-sodinokibi-spread
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/535FF8856C256A2E
- http://decoder.re/535FF8856C256A2E

The path component 535FF8856C256A2E is identical on the Tor and clearnet payment URLs and is the identifier the payment site uses for this victim. The note's file-name prefix 4mpirq6my0 is the same string the sample appends as the extension of every encrypted file (see "Modifies extensions of user files" below). Both strings are generated per victim, so neither is a useful static indicator beyond this run; the two domains are.
Signatures

Modifies Windows Firewall (1 TTP)
The process tree below shows the sample launching netsh.exe with advfirewall firewall set rule group="Network Discovery" new enable=Yes, which switches on the inbound Network Discovery rule group (NetBIOS name service, SSDP, WSD and the related rules). Opening that group makes the local network discoverable from the victim, the step a ransomware sample takes before it goes looking for shares.

Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension of encrypted files. Here every rename appends .4mpirq6my0, the same per-victim string that names the ransom note.
Process: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
- File opened for modification \??\c:\users\admin\pictures\TraceMove.tiff
- File renamed C:\Users\Admin\Pictures\StartSend.png => \??\c:\users\admin\pictures\StartSend.png.4mpirq6my0
- File renamed C:\Users\Admin\Pictures\TraceMove.tiff => \??\c:\users\admin\pictures\TraceMove.tiff.4mpirq6my0
- File renamed C:\Users\Admin\Pictures\PingGet.tif => \??\c:\users\admin\pictures\PingGet.tif.4mpirq6my0
- File renamed C:\Users\Admin\Pictures\LimitUnregister.png => \??\c:\users\admin\pictures\LimitUnregister.png.4mpirq6my0

The two TraceMove.tiff entries show the order of operations: the file is opened for modification and written in place, and only then renamed with the new extension. A detection that waits for a rename therefore fires after the content is already gone.
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe"

The value points back at the sample's own path under the user's Temp directory, an autostart target no legitimate installer writes. The key sits under HKLM, so writing it needed the administrative rights the sandbox user has, and the Wow6432Node view shows the sample is a 32-bit image on 64-bit Windows (netsh.exe is likewise launched from SysWOW64 below).
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe
- File opened (read-only) on \??\A:, \??\B:, \??\D:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, 25 entries)
Drops file in Program Files directory (45 IoCs)
Process: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe

Files created (10): a file named tmp and the ransom note in each of five directories the sample walks. The tmp file is consistent with a check that the directory is writable before the sample commits to encrypting it (an interpretation; the report only records the creation).
- \??\c:\program files\tmp
- \??\c:\program files (x86)\tmp
- \??\c:\program files (x86)\microsoft sql server compact edition\tmp
- \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp
- \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp
- \??\c:\program files\4mpirq6my0-readme.txt
- \??\c:\program files (x86)\4mpirq6my0-readme.txt
- \??\c:\program files (x86)\microsoft sql server compact edition\4mpirq6my0-readme.txt
- \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\4mpirq6my0-readme.txt
- \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\4mpirq6my0-readme.txt

Files opened for modification (35), all under \??\c:\program files\:
FormatUnprotect.pdf, GroupBackup.tiff, ImportInitialize.pot, RedoDismount.vssm, SplitJoin.pptm, DisconnectOptimize.vdw, LimitClose.wpl, RepairAdd.png, StopResolve.vsd, UnblockTest.mpe, EditResolve.xps, UpdateTrace.xltm, WriteUnregister.emf, CompressResize.raw, ConnectEnable.zip, InitializeSuspend.mhtml, WaitFind.mov, SearchResize.7z, UninstallNew.ttc, ConvertToEnable.asx, GroupDeny.wax, MeasureExpand.vsd, RenameAssert.htm, RestartClear.avi, AssertRepair.asx, DismountCopy.dxf, MergeRename.mid, RepairReceive.raw, RequestOut.wm, SaveRename.dxf, SuspendWatch.asf, BackupConvert.wmv, PublishSet.pub, RestartShow.xlsx, ResumeFind.aifc
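The two file-event sections above ("Modifies extensions of user files" and "Drops file in Program Files directory") together carry the pattern that identifies a ransomware run without knowing the extension in advance: many renames that append one consistent suffix, plus a note named after that suffix dropped into several directories. The following is an added example, not part of the sandbox report or its own signature logic. It parses event lines in the report's own "File renamed A => B" / "File created P" form, derives the appended suffix instead of hard-coding it, and correlates it with the note. The event lines are copied from this report; the thresholds (3 renames, 2 note directories) and the reading of the tmp file as a write probe are assumptions.

```python
"""Correlate sandbox file events into a ransomware verdict.

Added example, not part of the sandbox report. It reads event lines in the
"File renamed A => B" / "File created P" form the report uses, derives the
suffix each rename appends, and checks whether a note named <suffix>-readme.txt
is dropped in several directories. The event lines below are copied from the
report; the thresholds are assumptions.
"""
import re
from collections import Counter

# Constructed input: a subset of the report's own file events for pid 1348.
EVENTS = r"""
File renamed C:\Users\Admin\Pictures\StartSend.png => \??\c:\users\admin\pictures\StartSend.png.4mpirq6my0
File renamed C:\Users\Admin\Pictures\TraceMove.tiff => \??\c:\users\admin\pictures\TraceMove.tiff.4mpirq6my0
File renamed C:\Users\Admin\Pictures\PingGet.tif => \??\c:\users\admin\pictures\PingGet.tif.4mpirq6my0
File renamed C:\Users\Admin\Pictures\LimitUnregister.png => \??\c:\users\admin\pictures\LimitUnregister.png.4mpirq6my0
File created \??\c:\program files (x86)\tmp
File created \??\c:\program files\tmp
File created \??\c:\program files\4mpirq6my0-readme.txt
File created \??\c:\program files (x86)\4mpirq6my0-readme.txt
File created \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\4mpirq6my0-readme.txt
File opened for modification \??\c:\program files\FormatUnprotect.pdf
"""

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
CREATE_RE = re.compile(r"^File created (?P<path>.+)$")


def normalize(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix so the Win32 source
    path and the \\??\\ destination path of one rename compare equal."""
    path = path.strip().lower()
    return path[4:] if path.startswith("\\??\\") else path


def appended_suffix(src: str, dst: str):
    """Return the extension a rename appended to the original name, or None
    when the rename is not a pure append (a.png -> b.png, a.png -> a.bak)."""
    s, d = normalize(src), normalize(dst)
    return d[len(s) + 1:] if d.startswith(s + ".") and len(d) > len(s) + 1 else None


def analyze(events: str, min_renames: int = 3, min_note_dirs: int = 2) -> dict:
    """Score one process's file events.

    One consistent suffix across many renames plus a note named after that
    suffix in more than one directory is the ransomware pattern. The suffix is
    random per victim, so it is derived from the data rather than hard-coded.
    """
    suffixes = Counter()
    created = []
    for line in events.strip().splitlines():
        m = RENAME_RE.match(line.strip())
        if m:
            suffix = appended_suffix(m["src"], m["dst"])
            if suffix:
                suffixes[suffix] += 1
            continue
        m = CREATE_RE.match(line.strip())
        if m:
            created.append(normalize(m["path"]))

    result = {"verdict": "clean", "suffix": None, "renames": 0, "note_dirs": 0, "tmp_probes": 0}
    if not suffixes:
        return result
    suffix, renames = suffixes.most_common(1)[0]
    note = "\\" + suffix + "-readme.txt"
    note_dirs = {p[: -len(note)] for p in created if p.endswith(note)}
    # A bare file named "tmp" in each visited directory; assumed to be a write-access probe.
    tmp_probes = sum(1 for p in created if p.endswith("\\tmp"))
    result.update(suffix=suffix, renames=renames, note_dirs=len(note_dirs), tmp_probes=tmp_probes)
    if renames >= min_renames and len(note_dirs) >= min_note_dirs:
        result["verdict"] = "ransomware"
    return result


if __name__ == "__main__":
    print(analyze(EVENTS))
```

Deriving the suffix from the rename pairs is the point: an indicator list built around .4mpirq6my0 would match nothing on the next victim, whereas "N renames append the same unknown suffix and a <suffix>-readme.txt appears in several directories" holds across victims. The same parser can be pointed at file-system audit events from an endpoint agent as long as the rename source and destination are both logged.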
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe, pid 1348 (recorded 4 times)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe (pid 1348): SeDebugPrivilege
- 6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe (pid 1348): SeTakeOwnershipPrivilege
- vssvc.exe (pid 1356): SeBackupPrivilege
- vssvc.exe (pid 1356): SeRestorePrivilege
- vssvc.exe (pid 1356): SeAuditPrivilege

Only the first two entries belong to the sample. SeTakeOwnershipPrivilege lets it take ownership of files whose ACL would otherwise refuse it write access, and SeDebugPrivilege lets it open other processes. vssvc.exe is the Volume Shadow Copy service, and backup, restore and audit are the privileges it enables whenever it runs, so those three rows are not evidence about the sample on their own.
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1348 (6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe) wrote to memory of PID 1324 (netsh.exe), recorded four times

The only target is the netsh.exe child the sample itself launched; no write into an unrelated process is recorded, so this signature should not be read as injection into another process.
Processes

C:\Users\Admin\AppData\Local\Temp\6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe (PID 1348)
Command line: "C:\Users\Admin\AppData\Local\Temp\6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe"
- Modifies extensions of user files
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\netsh.exe (PID 1324)
  Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes

C:\Windows\system32\wbem\unsecapp.exe (PID 1672)
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe (PID 1356)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken

unsecapp.exe and vssvc.exe are Windows components started by DCOM and the service control manager, not children of the sample. unsecapp.exe -Embedding is the sink WMI creates to deliver asynchronous callbacks to a WMI client, and vssvc.exe is the Volume Shadow Copy service, so their appearance during the run shows that WMI and VSS were exercised while the sample ran. The report records no shadow-copy deletion command, however, so that step should not be assumed from this page alone; check the WMI activity log or the vssadmin/wmic command lines in a fuller trace before reporting it.
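The process tree, the Run-key IoC and the token IoCs above record three behaviours for pid 1348 that are each individually common in benign software (netsh runs, Run values get written, services enable privileges) but become telling once keyed on where the acting image lives. The following is an added example, not part of the report or the sandbox's own signature logic. It expresses those three behaviours as checks over event records and keys each on the image or target path, so that vssvc.exe enabling its own privileges from System32, or netsh launched by a system parent, does not fire. The event records are constructed from this report; the rule names and the list of user-writable locations are assumptions.

```python
"""Rule checks over the process, registry and token events of a sandbox run.

Added example, not part of the report or the sandbox's own logic. It turns the
three behaviours recorded for pid 1348 (netsh enabling a firewall rule group,
a Run value pointing into Temp, SeDebug plus SeTakeOwnership enabled) into
checks over event records, keyed on the image path so that the same privileges
enabled by vssvc.exe from System32 do not fire. The event records are
constructed from the report; rule names and the user-writable list are assumed.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6834005e47c6ad53cb0793e1f13b6ea45383d86691b179f4229214d8768d0ceb.exe"

# Constructed from the report's process tree, Run-key IoC and token IoCs.
EVENTS = [
    {"type": "process", "pid": 1348, "parent": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1324, "parent": 1348, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"type": "process", "pid": 1672, "parent": None, "image": r"C:\Windows\system32\wbem\unsecapp.exe",
     "cmdline": r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"},
    {"type": "process", "pid": 1356, "parent": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"type": "registry", "pid": 1348, "data": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\t32mMaunsR"},
    {"type": "privilege", "pid": 1348, "name": "SeDebugPrivilege"},
    {"type": "privilege", "pid": 1348, "name": "SeTakeOwnershipPrivilege"},
    {"type": "privilege", "pid": 1356, "name": "SeBackupPrivilege"},
    {"type": "privilege", "pid": 1356, "name": "SeRestorePrivilege"},
    {"type": "privilege", "pid": 1356, "name": "SeAuditPrivilege"},
]

# Assumed set of locations an unprivileged user can write to; an image or
# autostart target there carries none of the trust of Program Files or System32.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\downloads\\")

# Matches HKLM and HKCU Run keys, including the Wow6432Node view a 32-bit process sees.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
# netsh enabling firewall rules by name or group; the report shows the "Network Discovery" group.
NETSH_ENABLE_RE = re.compile(r"advfirewall\s+firewall\s+set\s+rule\b.*\benable=yes\b", re.IGNORECASE)


def in_user_writable(path: str) -> bool:
    p = path.strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE)


def run_checks(events: list) -> list:
    """Return (pid, rule, evidence) triples, attributed to the process that owns each hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    privileges = {}
    findings = []
    for e in events:
        if e["type"] == "process" and NETSH_ENABLE_RE.search(e["cmdline"]):
            parent = procs.get(e["parent"])
            # netsh itself is a signed system binary; what matters is who launched it.
            if parent is not None and in_user_writable(parent["image"]):
                findings.append((parent["pid"], "firewall_rule_enabled_by_untrusted_parent", e["cmdline"]))
        elif e["type"] == "registry" and RUN_KEY_RE.search(e["key"]) and in_user_writable(e["data"]):
            findings.append((e["pid"], "run_key_points_to_user_writable_path", e["key"]))
        elif e["type"] == "privilege":
            privileges.setdefault(e["pid"], set()).add(e["name"])
    # The privilege rule needs the combination, so it is evaluated per pid after the pass.
    for pid, names in privileges.items():
        image = procs.get(pid, {}).get("image", "")
        if {"SeDebugPrivilege", "SeTakeOwnershipPrivilege"} <= names and in_user_writable(image):
            findings.append((pid, "debug_and_takeownership_from_user_writable_image", ",".join(sorted(names))))
    return findings


def flagged_pids(findings: list) -> list:
    return sorted({pid for pid, _, _ in findings})


if __name__ == "__main__":
    for pid, rule, evidence in run_checks(EVENTS):
        print(pid, rule, evidence)
```

Each check attributes the finding to pid 1348 rather than to netsh.exe or to the registry key, which is what an analyst wants when triaging: one process, three independent reasons. The same three rules written for a SIEM would key on the parent image (process-creation events), the value data (registry-set events) and the enabled-privilege list (token-adjust events) in exactly this way; the path-based trust split is what keeps vssvc.exe and svchost.exe-launched netsh out of the results.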