Analysis
-
max time kernel
295s -
max time network
297s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-07-2021 11:36
Static task
static1
Behavioral task
behavioral1
Sample
martinhal.exe
Resource
win10v20210410
General
-
Target
martinhal.exe
-
Size
122KB
-
MD5
c3afcdffa4aeeee56b80cf2fd3c9758c
-
SHA1
e405c212107696a579494a67531ca5877956fac0
-
SHA256
9b46d03b690bda0df57c0ebb8dae0aebdd1d131beb500242fa8fe59cb260eed1
-
SHA512
3a984d836176b14d16ac0106c11ebd37f8d7343668e8156d33d74fc721e4224efadd1cc2ae22b3630bcf181eb077a55c571d9f670dd1552905e1fc4605b51346
Malware Config
Extracted
C:\6iu4l9w-readme.txt
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5D63CC5BB219DA3
http://decoder.re/B5D63CC5BB219DA3
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
martinhal.exedescription ioc process File opened for modification \??\c:\users\admin\pictures\ConvertConnect.tiff martinhal.exe File renamed C:\Users\Admin\Pictures\ConvertConnect.tiff => \??\c:\users\admin\pictures\ConvertConnect.tiff.6iu4l9w martinhal.exe File renamed C:\Users\Admin\Pictures\FormatRemove.png => \??\c:\users\admin\pictures\FormatRemove.png.6iu4l9w martinhal.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
martinhal.exedescription ioc process File opened (read-only) \??\E: martinhal.exe File opened (read-only) \??\G: martinhal.exe File opened (read-only) \??\V: martinhal.exe File opened (read-only) \??\B: martinhal.exe File opened (read-only) \??\H: martinhal.exe File opened (read-only) \??\S: martinhal.exe File opened (read-only) \??\T: martinhal.exe File opened (read-only) \??\Y: martinhal.exe File opened (read-only) \??\A: martinhal.exe File opened (read-only) \??\F: martinhal.exe File opened (read-only) \??\M: martinhal.exe File opened (read-only) \??\N: martinhal.exe File opened (read-only) \??\O: martinhal.exe File opened (read-only) \??\Q: martinhal.exe File opened (read-only) \??\Z: martinhal.exe File opened (read-only) \??\U: martinhal.exe File opened (read-only) \??\W: martinhal.exe File opened (read-only) \??\I: martinhal.exe File opened (read-only) \??\J: martinhal.exe File opened (read-only) \??\K: martinhal.exe File opened (read-only) \??\L: martinhal.exe File opened (read-only) \??\P: martinhal.exe File opened (read-only) \??\R: martinhal.exe File opened (read-only) \??\X: martinhal.exe File opened (read-only) \??\D: martinhal.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
martinhal.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4l69.bmp" martinhal.exe -
Drops file in Program Files directory 21 IoCs
Processes:
martinhal.exedescription ioc process File created \??\c:\program files\tmp martinhal.exe File opened for modification \??\c:\program files\JoinTest.m1v martinhal.exe File opened for modification \??\c:\program files\MoveConvertTo.crw martinhal.exe File opened for modification \??\c:\program files\ResetUnpublish.M2TS martinhal.exe File opened for modification \??\c:\program files\UnpublishRestart.xlsx martinhal.exe File opened for modification \??\c:\program files\SubmitStop.M2V martinhal.exe File opened for modification \??\c:\program files\SuspendInstall.search-ms martinhal.exe File created \??\c:\program files (x86)\tmp martinhal.exe File created \??\c:\program files (x86)\6iu4l9w-readme.txt martinhal.exe File opened for modification \??\c:\program files\FindUninstall.fon martinhal.exe File opened for modification \??\c:\program files\OutAssert.ppsx martinhal.exe File opened for modification \??\c:\program files\RepairPop.htm martinhal.exe File opened for modification \??\c:\program files\ResumeSet.TS martinhal.exe File opened for modification \??\c:\program files\UseGet.mp2 martinhal.exe File opened for modification \??\c:\program files\WaitInvoke.scf martinhal.exe File opened for modification \??\c:\program files\WatchBlock.mov martinhal.exe File created \??\c:\program files\6iu4l9w-readme.txt martinhal.exe File opened for modification \??\c:\program files\MountUndo.php martinhal.exe File opened for modification \??\c:\program files\OutLock.html martinhal.exe File opened for modification \??\c:\program files\SetApprove.inf martinhal.exe File opened for modification \??\c:\program files\StepCheckpoint.mpg martinhal.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
martinhal.exepid process 3920 martinhal.exe 3920 martinhal.exe 3920 martinhal.exe 3920 martinhal.exe 3920 martinhal.exe 3920 martinhal.exe 3920 martinhal.exe 3920 martinhal.exe 3920 martinhal.exe 3920 martinhal.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
martinhal.exevssvc.exedescription pid process Token: SeDebugPrivilege 3920 martinhal.exe Token: SeTakeOwnershipPrivilege 3920 martinhal.exe Token: SeBackupPrivilege 3388 vssvc.exe Token: SeRestorePrivilege 3388 vssvc.exe Token: SeAuditPrivilege 3388 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
martinhal.exedescription pid process target process PID 3920 wrote to memory of 2784 3920 martinhal.exe netsh.exe PID 3920 wrote to memory of 2784 3920 martinhal.exe netsh.exe PID 3920 wrote to memory of 2784 3920 martinhal.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\martinhal.exe"C:\Users\Admin\AppData\Local\Temp\martinhal.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵PID:2784
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3984
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3388
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2784-114-0x0000000000000000-mapping.dmp