Analysis
- max time kernel: 8s
- max time network: 7s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 10-07-2021 06:22
- Static task: static1
- Behavioral task: behavioral1 | Sample: repack by xatab.exe | Resource: win7v20210410
- Behavioral task: behavioral2 | Sample: repack by xatab.exe | Resource: win10v20210410
General
- Target: repack by xatab.exe
- Size: 222KB
- MD5: e2aaff3cf5f2b9fee6061eddf55620b9
- SHA1: f780afcca44c836dc48619dece8374882521bbb1
- SHA256: 90413227e6a42728248b5adf7c8930491a3ef2c7ec3b21d93f5da52a8f126f6d
- SHA512: 8827152335018563b4091ed5aebac7d26ff0eae478a848eb8659c9fe9a4ffcd9599457587b3b4310253d85571fe385d3ac4499366e621326092be1b178039834
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\HOW TO DECRYPT FILES.txt
Signatures

Executes dropped EXE (4 IoCs)
pid | process
1880 | DECRYPTOR V0.2D.EXE
2056 | MISHA.EXE
2356 | UPDATE.EXE
2664 | UPDATE12.EXE

resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE | upx
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
The value is written under WOW6432Node, which is where registry redirection places writes from a 32-bit process on 64-bit Windows; Explorer still processes this Run key at logon, so autostart checks must cover HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run as well as the native key. The value name Alcmeter points at an executable with a random-looking name in the user's Temp directory.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | UPDATE.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe" | UPDATE.EXE
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system. The IoC recorded here is a handle opened for modification on \??\PhysicalDrive0, i.e. raw write access to the whole boot disk rather than to a file; the report does not show which sectors or bytes were written. The same process, MISHA.EXE, then starts shutdown.exe -r -f -t 0 (forced, immediate reboot; see the WriteProcessMemory rows and the process tree below), which on a legacy-BIOS boot is what brings a rewritten boot sector into execution.
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | MISHA.EXE
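As an added example, not code from the sandbox report or from the sample: a baseline-and-diff check for the first sector of a disk, the kind of check a responder runs after seeing a raw write to PhysicalDrive0. It parses the 512-byte sector into boot code, the four partition entries and the 55AA signature, and reports which region differs from a known-good copy. The sectors below are constructed in memory so the script runs offline; on a live Windows host the sector would be read as administrator from \\.\PhysicalDrive0, the device MISHA.EXE opened for modification.

```python
r"""MBR baseline/diff check.

Added example, not code from the sandbox report or from the sample. Both sectors
below are constructed in memory so the script runs offline; on a live Windows host
the first sector would be read as administrator with
open(r"\\.\PhysicalDrive0", "rb").read(512).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code (Windows also keeps the disk signature at 440..443)
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into its boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                       # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": n_sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Describe how `current` departs from a known-good `baseline`; an empty list means unchanged."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is no longer a valid MBR")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code (bytes 0-445) changed: possible bootkit/MBR locker")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sector(boot_code: bytes, partitions: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a constructed test MBR; `partitions` holds (status, type, lba_start, sectors) tuples."""
    sec = bytearray(SECTOR_SIZE)
    sec[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    for i, entry in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, sec, PART_TABLE_OFF + 16 * i, *entry)
    sec[510:512] = signature
    return bytes(sec)


# Constructed known-good disk: a short x86 stub plus one bootable NTFS (0x07) partition at LBA 2048.
CLEAN_MBR = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, [(0x80, 0x07, 2048, 204800)])
# Constructed tampered disk: boot code replaced, partition table and signature left intact (locker style).
LOCKED_MBR = build_sector(b"\xeb\xfe" + b"\x00" * 100, [(0x80, 0x07, 2048, 204800)])
# Constructed wiped disk: all zeros, so even the 55AA signature is gone.
WIPED_MBR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("locked", LOCKED_MBR), ("wiped", WIPED_MBR)):
        print(label, diff_mbr(CLEAN_MBR, sector) or ["no change"])
```

The baseline is the point of the check: a sector that still carries a valid signature and an unchanged partition table can have its boot code entirely replaced, so hashing bytes 0..445 against a copy taken from a known-good image (or a golden build) is what actually detects a locker, not the 55AA test alone.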
Drops file in Program Files directory (64 IoCs)
The pattern is the one a file-encrypting ransomware leaves behind: existing files (7-Zip language files, the ink .avi animations) are opened for modification, consistent with in-place encryption, and a ransom note named HOW TO DECRYPT FILES.txt is created in every directory the process visits. The report lists 64 entries.
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\et-EE\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File created | C:\Program Files\7-Zip\Lang\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\es-ES\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-CA\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\da-DK\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi | UPDATE.EXE
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | UPDATE.EXE
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\hu-HU\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | UPDATE.EXE
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\en-GB\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\History.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\HOW TO DECRYPT FILES.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | UPDATE.EXE
File opened for modification | C:\Program Files\7-Zip\readme.txt | UPDATE.EXE
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\HOW TO DECRYPT FILES.txt | UPDATE.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
pid | pid_target | process | target process
4048 | 2664 | WerFault.exe | UPDATE12.EXE
Modifies data under HKEY_USERS (15 IoCs)
All 15 writes come from LogonUI.exe, the Windows logon screen, which is in the trace because of the forced reboot; they set accent and DWM colour values under HKEY_USERS\.DEFAULT and are not changes controlled by the sample.
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Modifies registry class (10 IoCs)
Taken together these keys register a new file type: the .EnCiPhErEd extension is mapped to the ProgID KCXHETCINNVXNCV, whose display name is "CRYPTED!" and whose DefaultIcon and shell\open\command both point at C:\Users\Admin\AppData\Local\Temp\q3j7M8QHiu41t8O.exe. Double-clicking an encrypted file therefore launches that executable, a second launch path for the same binary in addition to the Run key above.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe" | UPDATE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd | UPDATE.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe,0" | UPDATE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command | UPDATE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon | UPDATE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell | UPDATE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open | UPDATE.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KCXHETCINNVXNCV" | UPDATE.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV | UPDATE.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\ = "CRYPTED!" | UPDATE.EXE
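Added example, not part of the report: a Python pass over registry IoC rows in the layout used by the "Adds Run key to start application" and "Modifies registry class" tables above. It parses each row, joins the Classes keys into the extension -> ProgID -> handler chain, and flags Run-key targets and handlers that live in user-writable directories. The sample rows are transcribed from this report (with one LogonUI.exe row added as benign noise); the regular expressions and the user-writable-path list are my assumptions about the row format, not a Triage API.

```python
"""Correlate sandbox registry IoC rows into persistence / file-association findings.

Added example, not part of the report. SAMPLE_ROWS are transcribed from the
'Adds Run key' and 'Modifies registry class' tables of this report (plus one
LogonUI.exe row as benign noise); ROW_RE and USER_WRITABLE_RE are assumptions
about the row layout, not a Triage API.
"""
import re

ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<kind>\w+)\))\s+'
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?:\s+=\s+(?P<data>"[^"]*"|\S+))?'   # quoted strings, or bare hex for binary rows
    r'\s+(?P<proc>\S+)$'
)
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\]+)$', re.I)
EXT_RE = re.compile(r'\\Classes\\(?P<ext>\.[^\\]+)\\$', re.I)            # default value of an extension key
NAME_RE = re.compile(r'\\Classes\\(?P<progid>[^\\.][^\\]*)\\$', re.I)     # default value of a ProgID key
CMD_RE = re.compile(r'\\Classes\\(?P<progid>[^\\]+)\\shell\\open\\command\\$', re.I)
USER_WRITABLE_RE = re.compile(r'\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\', re.I)


def parse_row(line: str):
    """Return {op, key, data, proc} for one IoC row, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    data = m.group("data")
    if data and data.startswith('"'):
        data = data[1:-1].replace("\\\\", "\\")   # the report prints backslashes escaped
    return {"op": m.group("op"), "key": m.group("key"), "data": data, "proc": m.group("proc")}


def _loc_flag(path: str) -> str:
    return " (target in user-writable location)" if USER_WRITABLE_RE.search(path) else ""


def triage(lines):
    """Walk the rows once, then join extension -> ProgID -> handler and list Run-key targets."""
    run_entries, progid_of_ext, name_of_progid, handler_of_progid = [], {}, {}, {}
    for row in filter(None, map(parse_row, lines)):
        if row["data"] is None:            # bare 'Key created' rows carry no value
            continue
        key = row["key"]
        if m := RUN_RE.search(key):
            run_entries.append((m.group("name"), row["data"], row["proc"]))
        elif m := EXT_RE.search(key):
            progid_of_ext[m.group("ext")] = row["data"]
        elif m := CMD_RE.search(key):
            handler_of_progid[m.group("progid")] = (row["data"], row["proc"])
        elif m := NAME_RE.search(key):
            name_of_progid[m.group("progid")] = row["data"]
    findings = []
    for name, target, proc in run_entries:
        findings.append(f"Run-key persistence by {proc}: {name} -> {target}{_loc_flag(target)}")
    for ext, progid in progid_of_ext.items():
        if progid not in handler_of_progid:
            continue
        handler, proc = handler_of_progid[progid]
        friendly = name_of_progid.get(progid)
        label = f'{progid} ("{friendly}")' if friendly else progid
        findings.append(f"File-association hijack by {proc}: {ext} -> {label} -> {handler}{_loc_flag(handler)}")
    return findings


# Rows transcribed from this report; the last one is LogonUI.exe noise that must produce no finding.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run UPDATE.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe" UPDATE.EXE',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd UPDATE.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KCXHETCINNVXNCV" UPDATE.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\ = "CRYPTED!" UPDATE.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe,0" UPDATE.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe" UPDATE.EXE',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

The correlation step matters more than the parsing: a bare `Key created ...\Classes\.EnCiPhErEd` row is harmless on its own, and it is only once the extension's default value, the ProgID and its `shell\open\command` are joined that the row set reads as "open any encrypted file and the Temp executable runs".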
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | process
Token: SeShutdownPrivilege | 2496 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 2496 | shutdown.exe
Token: SeShutdownPrivilege | 2644 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 2644 | shutdown.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | process
220 | LogonUI.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Every parent/child pair here matches the process tree below and repeats (three rows each, two for UPDATE12.EXE), which is what a parent's writes into a child it has just created look like in this view, as opposed to injection into an unrelated, already running process. Note that the two shutdown.exe instances appear at the top level of the tree, but these rows attribute their creation to MISHA.EXE (pid 2056).
description | pid | process | target process
PID 3424 wrote to memory of 1880 | 3424 | repack by xatab.exe | DECRYPTOR V0.2D.EXE
PID 3424 wrote to memory of 1880 | 3424 | repack by xatab.exe | DECRYPTOR V0.2D.EXE
PID 3424 wrote to memory of 1880 | 3424 | repack by xatab.exe | DECRYPTOR V0.2D.EXE
PID 3424 wrote to memory of 2056 | 3424 | repack by xatab.exe | MISHA.EXE
PID 3424 wrote to memory of 2056 | 3424 | repack by xatab.exe | MISHA.EXE
PID 3424 wrote to memory of 2056 | 3424 | repack by xatab.exe | MISHA.EXE
PID 3424 wrote to memory of 2356 | 3424 | repack by xatab.exe | UPDATE.EXE
PID 3424 wrote to memory of 2356 | 3424 | repack by xatab.exe | UPDATE.EXE
PID 3424 wrote to memory of 2356 | 3424 | repack by xatab.exe | UPDATE.EXE
PID 2056 wrote to memory of 2496 | 2056 | MISHA.EXE | shutdown.exe
PID 2056 wrote to memory of 2496 | 2056 | MISHA.EXE | shutdown.exe
PID 2056 wrote to memory of 2496 | 2056 | MISHA.EXE | shutdown.exe
PID 2056 wrote to memory of 2644 | 2056 | MISHA.EXE | shutdown.exe
PID 2056 wrote to memory of 2644 | 2056 | MISHA.EXE | shutdown.exe
PID 2056 wrote to memory of 2644 | 2056 | MISHA.EXE | shutdown.exe
PID 3424 wrote to memory of 2664 | 3424 | repack by xatab.exe | UPDATE12.EXE
PID 3424 wrote to memory of 2664 | 3424 | repack by xatab.exe | UPDATE12.EXE
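Added example, not part of the report: rebuilding the parent/child process tree from the WriteProcessMemory rows above, collapsing the repeated rows into one edge each while keeping the repeat count. The 17 rows are this report's; the row regex and the rule that splits two image names only after an .exe suffix (needed because "repack by xatab.exe" contains spaces) are my assumptions about the row layout.

```python
"""Rebuild a parent/child process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the report. WPM_ROWS are the 17 rows of this report's
table; WPM_RE and the '.exe'-boundary split for image names containing spaces are
assumptions about the row layout.
"""
import re
from collections import Counter

WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<names>.+)$')


def parse_wpm_rows(lines):
    """Return (src_pid, dst_pid, src_name, dst_name) tuples, one per row (duplicates kept)."""
    edges = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        # Image names may contain spaces ("repack by xatab.exe"), so split only after an .exe suffix.
        parts = re.split(r'(?i)(?<=\.exe)\s+', m.group("names"), maxsplit=1)
        if len(parts) == 2:
            edges.append((int(m.group("src")), int(m.group("dst")), parts[0], parts[1]))
    return edges


def build_tree(edges):
    """Collapse repeated rows into one edge each, counting repeats; roots are pids never written to."""
    names, children, counts = {}, {}, Counter()
    for src, dst, src_name, dst_name in edges:
        names[src], names[dst] = src_name, dst_name
        counts[(src, dst)] += 1
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    targets = {dst for _, dst, _, _ in edges}
    roots = [pid for pid in names if pid not in targets]   # first-seen order
    return names, children, counts, roots


def render_tree(edges) -> str:
    """Indented text tree in first-seen order."""
    names, children, _, roots = build_tree(edges)
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{names[pid]} ({pid})")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(out)


# The 17 rows of this report's WriteProcessMemory table, in report order.
WPM_ROWS = (
    ["PID 3424 wrote to memory of 1880 3424 repack by xatab.exe DECRYPTOR V0.2D.EXE"] * 3
    + ["PID 3424 wrote to memory of 2056 3424 repack by xatab.exe MISHA.EXE"] * 3
    + ["PID 3424 wrote to memory of 2356 3424 repack by xatab.exe UPDATE.EXE"] * 3
    + ["PID 2056 wrote to memory of 2496 2056 MISHA.EXE shutdown.exe"] * 3
    + ["PID 2056 wrote to memory of 2644 2056 MISHA.EXE shutdown.exe"] * 3
    + ["PID 3424 wrote to memory of 2664 3424 repack by xatab.exe UPDATE12.EXE"] * 2
)

if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    print(render_tree(edges))
    _, _, counts, _ = build_tree(edges)
    for (src, dst), n in counts.items():
        print(f"{src} -> {dst}: {n} write(s)")
```

The rendered tree puts both shutdown.exe instances under MISHA.EXE, where the rows place them, rather than at the top level as in the sandbox's own tree; keeping the per-edge count alongside makes the uniform "three writes per child" pattern visible, which is the cue that these are process-creation writes rather than injection.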
Processes

C:\Users\Admin\AppData\Local\Temp\repack by xatab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\repack by xatab.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
  C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE"
    - Executes dropped EXE
    C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 2664 -s 700
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\MISHA.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\MISHA.EXE"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\shutdown.exe
  command line: shutdown.exe -r -f -t 0
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\shutdown.exe
  command line: C:\Windows\System32\shutdown.exe -r -f -t 0
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
MD5: 921c02dd77c3725fa59905cae1d62ef4
SHA1: 209e0fe763362b71399c079a441459bde0e8ba74
SHA256: 8e0f3044d45b6ba6a1eab878f9197670bc7b2d93b61ef7830f97b5bb918c8c12
SHA512: c207cd799f4244d4d550e2df5a4625cdaf0e230cbf43e36a5f02e7ab786ede53d9069e4d615f144b84c3c79b955194ad64015b3f3adf235a0278de4664dd60d5
-
C:\Users\Admin\AppData\Local\Temp\MISHA.EXE
MD5: 3702ab9f6561e836d97e1bc28f68543e
SHA1: 5ebdcfb324eb0cca288c63e8f8d8b0fa3c92cbe8
SHA256: 58019901083bce520e1e454ecc82e46f4de32dc721b546ab1e418328ef93f860
SHA512: d1bcc7649941b913000dd6d88d76d0eee6883fb81774c46c06e1043e9da026864cd3cb6c7b6aeda8079e264a95afab1c6732b1e8aba4f589379803c0a071562f
-
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5: e4bb04fe99f81331aa57a5c17b4c9111
SHA1: 989f8c30ceade5cc839100e673f0818c2070a107
SHA256: c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835
SHA512: 2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c
-
C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
MD5: 5d85c23d3bcbba39ad63b98be64a688f
SHA1: bd7651d157480f122f106ae4991947c5f008d0cf
SHA256: 06ed693d7f86ea5b484efb53ef469292a69d682fe0a68b0dd7a69fad6a736ada
SHA512: 82ed8436517aa412064ebe426f4125aa485996650f863d88fb8e7cd4c18cc4394441fde4ab9d24606a558d56e07d4c6f185978fe55ca27dfcac6d25c824856a3
-
memory/1880-130-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize 4KB)
memory/1880-114-0x0000000000000000-mapping.dmp
memory/1880-133-0x0000000004A90000-0x0000000004A91000-memory.dmp (Filesize 4KB)
memory/1880-132-0x0000000005090000-0x0000000005091000-memory.dmp (Filesize 4KB)
memory/2056-117-0x0000000000000000-mapping.dmp
memory/2356-119-0x0000000000000000-mapping.dmp
memory/2496-121-0x0000000000000000-mapping.dmp
memory/2644-122-0x0000000000000000-mapping.dmp
memory/2664-123-0x0000000000000000-mapping.dmp
memory/2664-128-0x00000000009A0000-0x00000000009A1000-memory.dmp (Filesize 4KB)