Analysis
- max time kernel: 5s
- max time network: 36s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 10-07-2021 06:22
Static task: static1
Behavioral task: behavioral1
- Sample: repack by xatab.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: repack by xatab.exe
- Resource: win10v20210410
Errors
General
- Target: repack by xatab.exe
- Size: 222KB
- MD5: e2aaff3cf5f2b9fee6061eddf55620b9
- SHA1: f780afcca44c836dc48619dece8374882521bbb1
- SHA256: 90413227e6a42728248b5adf7c8930491a3ef2c7ec3b21d93f5da52a8f126f6d
- SHA512: 8827152335018563b4091ed5aebac7d26ff0eae478a848eb8659c9fe9a4ffcd9599457587b3b4310253d85571fe385d3ac4499366e621326092be1b178039834
Malware Config
- Extracted: C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\HOW TO DECRYPT FILES.txt
Signatures
- Executes dropped EXE (4 IoCs)
  Processes (pid / process):
  1848 DECRYPTOR V0.2D.EXE
  1752 MISHA.EXE
  1700 UPDATE.EXE
  756 UPDATE12.EXE
- YARA rule matches (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\UPDATE.EXE upx (x4)
  C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE upx (x2)
- Loads dropped DLL (7 IoCs)
  Processes (pid / process):
  1308 repack by xatab.exe (x4)
  1700 UPDATE.EXE (x3)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (UPDATE.EXE)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe" (UPDATE.EXE)
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description / ioc / process):
  File opened for modification: \??\PhysicalDrive0 (MISHA.EXE)
- Drops file in Program Files directory (1 IoCs)
  Processes (description / ioc / process):
  File created: C:\Program Files\7-Zip\HOW TO DECRYPT FILES.txt (UPDATE.EXE)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
  564 756 WerFault.exe UPDATE12.EXE
- Modifies registry class (10 IoCs)
  Processes (description / ioc), all by UPDATE.EXE:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe,0"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KCXHETCINNVXNCV"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\ = "CRYPTED!"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
  564 WerFault.exe (x5)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description / pid / process):
  Token: SeShutdownPrivilege 1880 shutdown.exe
  Token: SeRemoteShutdownPrivilege 1880 shutdown.exe
  Token: SeShutdownPrivilege 1824 shutdown.exe
  Token: SeRemoteShutdownPrivilege 1824 shutdown.exe
  Token: SeDebugPrivilege 564 WerFault.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description / pid / process -> target process):
  PID 1308 wrote to memory of 1848: repack by xatab.exe -> DECRYPTOR V0.2D.EXE (x4)
  PID 1308 wrote to memory of 1752: repack by xatab.exe -> MISHA.EXE (x4)
  PID 1752 wrote to memory of 1880: MISHA.EXE -> shutdown.exe (x4)
  PID 1308 wrote to memory of 1700: repack by xatab.exe -> UPDATE.EXE (x7)
  PID 1752 wrote to memory of 1824: MISHA.EXE -> shutdown.exe (x4)
  PID 1308 wrote to memory of 756: repack by xatab.exe -> UPDATE12.EXE (x4)
  PID 756 wrote to memory of 564: UPDATE12.EXE -> WerFault.exe (x3)
Processes (tree; indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\repack by xatab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\repack by xatab.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE"
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\MISHA.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\MISHA.EXE"
    Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: C:\Windows\System32\shutdown.exe -r -f -t 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown.exe -r -f -t 0
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE"
    Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Modifies registry class
  - C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 756 -s 524
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads