90413227e6a42728248b5adf7c8930491a3ef2c7ec3b21d93f5da52a8f126f6d

Analysis

max time kernel
5s
max time network
36s
platform
windows7_x64
resource
win7v20210410
submitted
10-07-2021 06:22

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

repack by xatab.exe
Size

222KB
MD5

e2aaff3cf5f2b9fee6061eddf55620b9
SHA1

f780afcca44c836dc48619dece8374882521bbb1
SHA256

90413227e6a42728248b5adf7c8930491a3ef2c7ec3b21d93f5da52a8f126f6d
SHA512

8827152335018563b4091ed5aebac7d26ff0eae478a848eb8659c9fe9a4ffcd9599457587b3b4310253d85571fe385d3ac4499366e621326092be1b178039834

Score

10^/10

bootkit persistence ransomware upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\HOW TO DECRYPT FILES.txt

Ransom Note

The harddisks of your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key To purchase your key and restore your data, please follow these three easy steps: 1.Create btc wallet and send 350 $ to Happy walentine day nohing personal Please make my life easier write in the them of transaction your email adress

Signatures

Executes dropped EXE 4 IoCs

Processes:

DECRYPTOR V0.2D.EXEMISHA.EXEUPDATE.EXEUPDATE12.EXE

pid process

1848 DECRYPTOR V0.2D.EXE
1752 MISHA.EXE
1700 UPDATE.EXE
756 UPDATE12.EXE

pid	process
1848	DECRYPTOR V0.2D.EXE
1752	MISHA.EXE
1700	UPDATE.EXE
756	UPDATE12.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\UPDATE.EXE	upx
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE	upx
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE	upx
\Users\Admin\AppData\Local\Temp\UPDATE.EXE	upx
\Users\Admin\AppData\Local\Temp\UPDATE.EXE	upx
\Users\Admin\AppData\Local\Temp\UPDATE.EXE	upx

Loads dropped DLL 7 IoCs

Processes:

repack by xatab.exeUPDATE.EXE

pid process

1308 repack by xatab.exe
1308 repack by xatab.exe
1308 repack by xatab.exe
1308 repack by xatab.exe
1700 UPDATE.EXE
1700 UPDATE.EXE
1700 UPDATE.EXE

pid	process
1308	repack by xatab.exe
1308	repack by xatab.exe
1308	repack by xatab.exe
1308	repack by xatab.exe
1700	UPDATE.EXE
1700	UPDATE.EXE
1700	UPDATE.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

UPDATE.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	UPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe"	UPDATE.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MISHA.EXE

description ioc process

File opened for modification \??\PhysicalDrive0 MISHA.EXE
Drops file in Program Files directory 1 IoCs

Processes:

UPDATE.EXE

description ioc process

File created C:\Program Files\7-Zip\HOW TO DECRYPT FILES.txt UPDATE.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

564 756 WerFault.exe UPDATE12.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MISHA.EXE

description	ioc	process
File created	C:\Program Files\7-Zip\HOW TO DECRYPT FILES.txt	UPDATE.EXE

pid	pid_target	process	target process
564	756	WerFault.exe	UPDATE12.EXE

Modifies registry class 10 IoCs

Processes:

UPDATE.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe,0"	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open	UPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KCXHETCINNVXNCV"	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon	UPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\ = "CRYPTED!"	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command	UPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe"	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV	UPDATE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

564 WerFault.exe
564 WerFault.exe
564 WerFault.exe
564 WerFault.exe
564 WerFault.exe

pid	process
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

shutdown.exeshutdown.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	1880	shutdown.exe
Token: SeRemoteShutdownPrivilege	1880	shutdown.exe
Token: SeShutdownPrivilege	1824	shutdown.exe
Token: SeRemoteShutdownPrivilege	1824	shutdown.exe
Token: SeDebugPrivilege	564	WerFault.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

repack by xatab.exeMISHA.EXEUPDATE12.EXE

description	pid	process	target process
PID 1308 wrote to memory of 1848	1308	repack by xatab.exe	DECRYPTOR V0.2D.EXE
PID 1308 wrote to memory of 1848	1308	repack by xatab.exe	DECRYPTOR V0.2D.EXE
PID 1308 wrote to memory of 1848	1308	repack by xatab.exe	DECRYPTOR V0.2D.EXE
PID 1308 wrote to memory of 1848	1308	repack by xatab.exe	DECRYPTOR V0.2D.EXE
PID 1308 wrote to memory of 1752	1308	repack by xatab.exe	MISHA.EXE
PID 1308 wrote to memory of 1752	1308	repack by xatab.exe	MISHA.EXE
PID 1308 wrote to memory of 1752	1308	repack by xatab.exe	MISHA.EXE
PID 1308 wrote to memory of 1752	1308	repack by xatab.exe	MISHA.EXE
PID 1752 wrote to memory of 1880	1752	MISHA.EXE	shutdown.exe
PID 1752 wrote to memory of 1880	1752	MISHA.EXE	shutdown.exe
PID 1752 wrote to memory of 1880	1752	MISHA.EXE	shutdown.exe
PID 1752 wrote to memory of 1880	1752	MISHA.EXE	shutdown.exe
PID 1308 wrote to memory of 1700	1308	repack by xatab.exe	UPDATE.EXE
PID 1308 wrote to memory of 1700	1308	repack by xatab.exe	UPDATE.EXE
PID 1308 wrote to memory of 1700	1308	repack by xatab.exe	UPDATE.EXE
PID 1308 wrote to memory of 1700	1308	repack by xatab.exe	UPDATE.EXE
PID 1308 wrote to memory of 1700	1308	repack by xatab.exe	UPDATE.EXE
PID 1308 wrote to memory of 1700	1308	repack by xatab.exe	UPDATE.EXE
PID 1308 wrote to memory of 1700	1308	repack by xatab.exe	UPDATE.EXE
PID 1752 wrote to memory of 1824	1752	MISHA.EXE	shutdown.exe
PID 1752 wrote to memory of 1824	1752	MISHA.EXE	shutdown.exe
PID 1752 wrote to memory of 1824	1752	MISHA.EXE	shutdown.exe
PID 1752 wrote to memory of 1824	1752	MISHA.EXE	shutdown.exe
PID 1308 wrote to memory of 756	1308	repack by xatab.exe	UPDATE12.EXE
PID 1308 wrote to memory of 756	1308	repack by xatab.exe	UPDATE12.EXE
PID 1308 wrote to memory of 756	1308	repack by xatab.exe	UPDATE12.EXE
PID 1308 wrote to memory of 756	1308	repack by xatab.exe	UPDATE12.EXE
PID 756 wrote to memory of 564	756	UPDATE12.EXE	WerFault.exe
PID 756 wrote to memory of 564	756	UPDATE12.EXE	WerFault.exe
PID 756 wrote to memory of 564	756	UPDATE12.EXE	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\repack by xatab.exe
"C:\Users\Admin\AppData\Local\Temp\repack by xatab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
"C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE"
2⤵
- Executes dropped EXE
PID:1848

C:\Users\Admin\AppData\Local\Temp\MISHA.EXE
"C:\Users\Admin\AppData\Local\Temp\MISHA.EXE"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\shutdown.exe
C:\Windows\System32\shutdown.exe -r -f -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\shutdown.exe
shutdown.exe -r -f -t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID:1700

C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
"C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 756 -s 524
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
MD5
921c02dd77c3725fa59905cae1d62ef4

SHA1
209e0fe763362b71399c079a441459bde0e8ba74

SHA256
8e0f3044d45b6ba6a1eab878f9197670bc7b2d93b61ef7830f97b5bb918c8c12

SHA512
c207cd799f4244d4d550e2df5a4625cdaf0e230cbf43e36a5f02e7ab786ede53d9069e4d615f144b84c3c79b955194ad64015b3f3adf235a0278de4664dd60d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
MD5
921c02dd77c3725fa59905cae1d62ef4

SHA1
209e0fe763362b71399c079a441459bde0e8ba74

SHA256
8e0f3044d45b6ba6a1eab878f9197670bc7b2d93b61ef7830f97b5bb918c8c12

SHA512
c207cd799f4244d4d550e2df5a4625cdaf0e230cbf43e36a5f02e7ab786ede53d9069e4d615f144b84c3c79b955194ad64015b3f3adf235a0278de4664dd60d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MISHA.EXE
MD5
3702ab9f6561e836d97e1bc28f68543e

SHA1
5ebdcfb324eb0cca288c63e8f8d8b0fa3c92cbe8

SHA256
58019901083bce520e1e454ecc82e46f4de32dc721b546ab1e418328ef93f860

SHA512
d1bcc7649941b913000dd6d88d76d0eee6883fb81774c46c06e1043e9da026864cd3cb6c7b6aeda8079e264a95afab1c6732b1e8aba4f589379803c0a071562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5
e4bb04fe99f81331aa57a5c17b4c9111

SHA1
989f8c30ceade5cc839100e673f0818c2070a107

SHA256
c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835

SHA512
2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5
e4bb04fe99f81331aa57a5c17b4c9111

SHA1
989f8c30ceade5cc839100e673f0818c2070a107

SHA256
c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835

SHA512
2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
MD5
5d85c23d3bcbba39ad63b98be64a688f

SHA1
bd7651d157480f122f106ae4991947c5f008d0cf

SHA256
06ed693d7f86ea5b484efb53ef469292a69d682fe0a68b0dd7a69fad6a736ada

SHA512
82ed8436517aa412064ebe426f4125aa485996650f863d88fb8e7cd4c18cc4394441fde4ab9d24606a558d56e07d4c6f185978fe55ca27dfcac6d25c824856a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
MD5
5d85c23d3bcbba39ad63b98be64a688f

SHA1
bd7651d157480f122f106ae4991947c5f008d0cf

SHA256
06ed693d7f86ea5b484efb53ef469292a69d682fe0a68b0dd7a69fad6a736ada

SHA512
82ed8436517aa412064ebe426f4125aa485996650f863d88fb8e7cd4c18cc4394441fde4ab9d24606a558d56e07d4c6f185978fe55ca27dfcac6d25c824856a3

Download Submit
\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
MD5
921c02dd77c3725fa59905cae1d62ef4

SHA1
209e0fe763362b71399c079a441459bde0e8ba74

SHA256
8e0f3044d45b6ba6a1eab878f9197670bc7b2d93b61ef7830f97b5bb918c8c12

SHA512
c207cd799f4244d4d550e2df5a4625cdaf0e230cbf43e36a5f02e7ab786ede53d9069e4d615f144b84c3c79b955194ad64015b3f3adf235a0278de4664dd60d5

Download Submit
\Users\Admin\AppData\Local\Temp\MISHA.EXE
MD5
3702ab9f6561e836d97e1bc28f68543e

SHA1
5ebdcfb324eb0cca288c63e8f8d8b0fa3c92cbe8

SHA256
58019901083bce520e1e454ecc82e46f4de32dc721b546ab1e418328ef93f860

SHA512
d1bcc7649941b913000dd6d88d76d0eee6883fb81774c46c06e1043e9da026864cd3cb6c7b6aeda8079e264a95afab1c6732b1e8aba4f589379803c0a071562f

Download Submit
\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5
e4bb04fe99f81331aa57a5c17b4c9111

SHA1
989f8c30ceade5cc839100e673f0818c2070a107

SHA256
c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835

SHA512
2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c

Download Submit
\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5
e4bb04fe99f81331aa57a5c17b4c9111

SHA1
989f8c30ceade5cc839100e673f0818c2070a107

SHA256
c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835

SHA512
2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c

Download Submit
\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5
e4bb04fe99f81331aa57a5c17b4c9111

SHA1
989f8c30ceade5cc839100e673f0818c2070a107

SHA256
c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835

SHA512
2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c

Download Submit
\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5
e4bb04fe99f81331aa57a5c17b4c9111

SHA1
989f8c30ceade5cc839100e673f0818c2070a107

SHA256
c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835

SHA512
2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c

Download Submit
\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
MD5
5d85c23d3bcbba39ad63b98be64a688f

SHA1
bd7651d157480f122f106ae4991947c5f008d0cf

SHA256
06ed693d7f86ea5b484efb53ef469292a69d682fe0a68b0dd7a69fad6a736ada

SHA512
82ed8436517aa412064ebe426f4125aa485996650f863d88fb8e7cd4c18cc4394441fde4ab9d24606a558d56e07d4c6f185978fe55ca27dfcac6d25c824856a3

Download Submit
memory/564-82-0x0000000000000000-mapping.dmp

Download
memory/564-84-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/756-79-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/756-75-0x0000000000000000-mapping.dmp

Download
memory/1308-60-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1520-89-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1664-91-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1700-70-0x0000000000000000-mapping.dmp

Download
memory/1752-66-0x0000000000000000-mapping.dmp

Download
memory/1824-71-0x0000000000000000-mapping.dmp

Download
memory/1848-81-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1848-62-0x0000000000000000-mapping.dmp

Download
memory/1880-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads