Analysis
- max time kernel: 327s
- max time network: 1741s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-08-2021 06:01
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Setup.exe, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: Setup.exe, Resource: win10v20210408)
- Behavioral task: behavioral3 (Sample: rkill.exe, Resource: win7v20210410)
- Behavioral task: behavioral4 (Sample: rkill.exe, Resource: win10v20210410)
General
- Target: rkill.exe
- Size: 1.7MB
- MD5: 6d622dcc87edc9a7b10d35372ade816b
- SHA1: 47d98825b03c507b85dec02a2297e03ebc925f30
- SHA256: d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a
- SHA512: ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  Process: rkill64.exe
  File opened for modification: C:\Windows\System32\drivers\etc\hosts
- Executes dropped EXE (1 IoC)
  Process: rkill64.exe (PID 1796)
- Opens file in notepad (likely ransom note) (1 IoC)
  Process: Notepad.exe (PID 3464)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Process: rkill64.exe (PID 1796), 4 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, process rkill.exe (PID 500)
  Token: SeDebugPrivilege, process rkill64.exe (PID 1796)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 500 (rkill.exe) wrote to memory of PID 1796 (rkill64.exe), 2 events
  PID 1796 (rkill64.exe) wrote to memory of PID 3464 (Notepad.exe), 2 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\rkill.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\rkill.exe"
   PID: 500
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\rkill64.exe (child of PID 500)
      Command line: C:\Users\Admin\AppData\Local\Temp\rkill.exe
      PID: 1796
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\Notepad.exe (child of PID 1796)
         Command line: Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
         PID: 3464
         - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix
Downloads