Overview

overview

10

Static

static

Setup.exe

windows7_x64

10

Setup.exe

windows10_x64

10

rkill.exe

windows7_x64

10

rkill.exe

windows10_x64

8

Analysis

  • max time kernel
    327s
  • max time network
    1741s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    11-08-2021 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rkill.exe

  • Size

    1.7MB

  • MD5

    6d622dcc87edc9a7b10d35372ade816b

  • SHA1

    47d98825b03c507b85dec02a2297e03ebc925f30

  • SHA256

    d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a

  • SHA512

    ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rkill.exe
    "C:\Users\Admin\AppData\Local\Temp\rkill.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:500
    • C:\Users\Admin\AppData\Local\Temp\rkill64.exe
      C:\Users\Admin\AppData\Local\Temp\rkill.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\System32\Notepad.exe
        Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rkill64.exe
    MD5

    ae368c10327fe7a8e5c875360e529b35

    SHA1

    d69fad67631f48f2eee9109a368eb176356da531

    SHA256

    797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7

    SHA512

    e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67

    Download Submit

  • C:\Users\Admin\Desktop\Rkill.txt
    MD5

    8989455b52020697f278a936af204810

    SHA1

    e26839c0484fd230ff15b977aca7dfd66a8d6630

    SHA256

    ae009c3ecbf0dc03e07be3ed705b7583aab1f46744f951cd1ba2226cf60516d4

    SHA512

    828c105797283522219e8dad4203101f23588db7ec31533a9fe15c38cba2d2089ab9cc09e809c74a4900ae02d60a6b42706fd489f2f484837d71a01b0e70d3a5

    Download Submit

  • C:\Users\Admin\Desktop\Rkill.txt
    MD5

    3d675c87881cf139dfd0655746f9c31e

    SHA1

    dd27694e0461e8469f7b9b5ea9959bdce62d7acd

    SHA256

    f816e92b9dbe97fdf4a87a619178dd07f471b509f724eedd1600812016dd2a2d

    SHA512

    0da92fcc131b8c55c3a4c6fe8784e187c2dbd4c05104a826b038305aa3a44c397ce0b6403cd29178fcdefade9ff06f897530ecc3e72bcafa9a33baed5b084349

    Download Submit

  • memory/1796-114-0x0000000000000000-mapping.dmp

    Download

  • memory/3464-117-0x0000000000000000-mapping.dmp

    Download