Analysis
-
max time kernel
137s -
max time network
154s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
01-08-2021 19:34
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
sample.exe
Resource
win10v20210410
General
-
Target
sample.exe
-
Size
67KB
-
MD5
598c53bfef81e489375f09792e487f1a
-
SHA1
80a29bd2c349a8588edf42653ed739054f9a10f5
-
SHA256
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
-
SHA512
6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35
Malware Config
Extracted
C:\oSPvdHTvI.README.txt
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
Signatures
-
Modifies extensions of user files 19 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\OptimizeReset.tiff => C:\Users\Admin\Pictures\OptimizeReset.tiff.oSPvdHTvI sample.exe File renamed C:\Users\Admin\Pictures\PopInstall.crw => C:\Users\Admin\Pictures\PopInstall.crw.oSPvdHTvI sample.exe File opened for modification C:\Users\Admin\Pictures\PopInstall.crw.oSPvdHTvI sample.exe File opened for modification C:\Users\Admin\Pictures\ReceiveReset.raw.oSPvdHTvI sample.exe File renamed C:\Users\Admin\Pictures\SwitchSkip.raw => C:\Users\Admin\Pictures\SwitchSkip.raw.oSPvdHTvI sample.exe File renamed C:\Users\Admin\Pictures\WatchUnprotect.png => C:\Users\Admin\Pictures\WatchUnprotect.png.oSPvdHTvI sample.exe File opened for modification C:\Users\Admin\Pictures\OptimizeReset.tiff sample.exe File opened for modification C:\Users\Admin\Pictures\FindShow.tiff.oSPvdHTvI sample.exe File opened for modification C:\Users\Admin\Pictures\StopUndo.raw.oSPvdHTvI sample.exe File opened for modification C:\Users\Admin\Pictures\WatchUnprotect.png.oSPvdHTvI sample.exe File renamed C:\Users\Admin\Pictures\FindShow.tiff => C:\Users\Admin\Pictures\FindShow.tiff.oSPvdHTvI sample.exe File renamed C:\Users\Admin\Pictures\AssertBlock.tiff => C:\Users\Admin\Pictures\AssertBlock.tiff.oSPvdHTvI sample.exe File opened for modification C:\Users\Admin\Pictures\SwitchSkip.raw.oSPvdHTvI sample.exe File opened for modification C:\Users\Admin\Pictures\AssertBlock.tiff sample.exe File opened for modification C:\Users\Admin\Pictures\FindShow.tiff sample.exe File opened for modification C:\Users\Admin\Pictures\OptimizeReset.tiff.oSPvdHTvI sample.exe File renamed C:\Users\Admin\Pictures\ReceiveReset.raw => C:\Users\Admin\Pictures\ReceiveReset.raw.oSPvdHTvI sample.exe File renamed C:\Users\Admin\Pictures\StopUndo.raw => C:\Users\Admin\Pictures\StopUndo.raw.oSPvdHTvI sample.exe File opened for modification C:\Users\Admin\Pictures\AssertBlock.tiff.oSPvdHTvI sample.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
sample.exedescription ioc process File opened (read-only) \??\Z: sample.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\oSPvdHTvI.bmp" sample.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\oSPvdHTvI.bmp" sample.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes:
sample.exepid process 1696 sample.exe 1696 sample.exe 1696 sample.exe 1696 sample.exe 1696 sample.exe 1696 sample.exe -
Modifies Control Panel 3 IoCs
Processes:
sample.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop sample.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "10" sample.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International sample.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2704 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
sample.exepid process 1696 sample.exe 1696 sample.exe 1696 sample.exe 1696 sample.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
sample.exevssvc.exedescription pid process Token: SeBackupPrivilege 1696 sample.exe Token: SeDebugPrivilege 1696 sample.exe Token: 36 1696 sample.exe Token: SeImpersonatePrivilege 1696 sample.exe Token: SeIncBasePriorityPrivilege 1696 sample.exe Token: SeIncreaseQuotaPrivilege 1696 sample.exe Token: 33 1696 sample.exe Token: SeManageVolumePrivilege 1696 sample.exe Token: SeProfSingleProcessPrivilege 1696 sample.exe Token: SeRestorePrivilege 1696 sample.exe Token: SeSecurityPrivilege 1696 sample.exe Token: SeSystemProfilePrivilege 1696 sample.exe Token: SeTakeOwnershipPrivilege 1696 sample.exe Token: SeShutdownPrivilege 1696 sample.exe Token: SeBackupPrivilege 3764 vssvc.exe Token: SeRestorePrivilege 3764 vssvc.exe Token: SeAuditPrivilege 3764 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\oSPvdHTvI.README.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\oSPvdHTvI.README.txtMD5
f66968c47a64569e2281f65a95991be0
SHA1ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
SHA2564b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
SHA512cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24
-
memory/1696-114-0x0000000002993000-0x0000000002995000-memory.dmpFilesize
8KB
-
memory/1696-115-0x0000000002990000-0x0000000002991000-memory.dmpFilesize
4KB