Analysis
max time kernel: 1612s
max time network: 1801s
platform: windows7_x64
resource: win7v20210410
submitted: 23-08-2021 11:14

Static task: static1
Behavioral task: behavioral1
  Sample: 53936fcc62ed6e3515b3515531993d92be1d3aca9049f30a2ab2e0805cc45b8d.bin.sample.dll
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 53936fcc62ed6e3515b3515531993d92be1d3aca9049f30a2ab2e0805cc45b8d.bin.sample.dll
  Resource: win10v20210410
General
Target: 53936fcc62ed6e3515b3515531993d92be1d3aca9049f30a2ab2e0805cc45b8d.bin.sample.dll
Size: 122KB
MD5: 9cfb3b75ab491fa2fb2598914a7558f4
SHA1: 6ba4bfef1a07ef5ba8df319e183dbc253ab45ad8
SHA256: 53936fcc62ed6e3515b3515531993d92be1d3aca9049f30a2ab2e0805cc45b8d
SHA512: 7799e9afdc0be4473e0e2bd9d524e7b6b6de041c5b9b30a5441d50ae0bb700aa516ed891f6151f1c40d1184d7b5e1eb45d05dfc58834732413466425751e1d54
Malware Config
Extracted
Path: C:\vcy2u828-readme.txt
URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9EF24CB4BA8A76AC
  http://decoder.re/9EF24CB4BA8A76AC
Signatures
suricata: ET MALWARE Known Sinkhole Response Header
Modifies Windows Firewall (1 TTP)
See the netsh.exe command in the process tree below.

Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: regsvr32.exe
  File opened for modification  \??\c:\users\admin\pictures\RemoveStart.tiff
  File renamed  C:\Users\Admin\Pictures\InitializeStep.tif => \??\c:\users\admin\pictures\InitializeStep.tif.vcy2u828
  File renamed  C:\Users\Admin\Pictures\RemoveStart.tiff => \??\c:\users\admin\pictures\RemoveStart.tiff.vcy2u828
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: regsvr32.exe
  File opened (read-only), one event per drive letter A: through Z: except C: (25 letters):
  \??\A: \??\B: \??\D: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N:
  \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: regsvr32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4hay8.bmp"
Drops file in Program Files directory (47 IoCs)
Process: regsvr32.exe
  File opened for modification (37 files):
    \??\c:\program files\ConfirmRead.ppsx
    \??\c:\program files\ConvertGroup.csv
    \??\c:\program files\DenyCopy.otf
    \??\c:\program files\FindRename.au3
    \??\c:\program files\InvokeClose.mpeg3
    \??\c:\program files\InvokeDismount.svgz
    \??\c:\program files\OptimizeInstall.wmx
    \??\c:\program files\CloseRevoke.mp4
    \??\c:\program files\SwitchStop.nfo
    \??\c:\program files\InstallSet.emz
    \??\c:\program files\PopConfirm.doc
    \??\c:\program files\RevokeMount.vb
    \??\c:\program files\RevokeShow.ppsx
    \??\c:\program files\StopUnprotect.wmf
    \??\c:\program files\CopyResize.mp2v
    \??\c:\program files\PingBlock.wps
    \??\c:\program files\ResumeUnpublish.mhtml
    \??\c:\program files\WaitReset.emf
    \??\c:\program files\OutStart.dwg
    \??\c:\program files\ClearRegister.xml
    \??\c:\program files\CompareConnect.xps
    \??\c:\program files\RenameCopy.vsw
    \??\c:\program files\TestNew.pptx
    \??\c:\program files\TraceInvoke.xps
    \??\c:\program files\ResolveUnregister.xlsx
    \??\c:\program files\SplitEnable.css
    \??\c:\program files\ResolveApprove.vstx
    \??\c:\program files\UnregisterCopy.rar
    \??\c:\program files\ReceiveInvoke.search-ms
    \??\c:\program files\ConfirmUnpublish.jpeg
    \??\c:\program files\EnterProtect.ods
    \??\c:\program files\RequestCompare.jpg
    \??\c:\program files\RequestProtect.xlsm
    \??\c:\program files\SendDeny.mht
    \??\c:\program files\MeasureDebug.odt
    \??\c:\program files\RegisterEdit.pcx
    \??\c:\program files\RepairSave.vb
  File created (10 files: five ransom notes and five "tmp" files, one pair per directory walked):
    \??\c:\program files\vcy2u828-readme.txt
    \??\c:\program files\tmp
    \??\c:\program files (x86)\vcy2u828-readme.txt
    \??\c:\program files (x86)\tmp
    \??\c:\program files (x86)\microsoft sql server compact edition\vcy2u828-readme.txt
    \??\c:\program files (x86)\microsoft sql server compact edition\tmp
    \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\vcy2u828-readme.txt
    \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\tmp
    \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\vcy2u828-readme.txt
    \??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\tmp
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Process: regsvr32.exe (PID 1172), 5 events
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  regsvr32.exe (PID 1172): SeDebugPrivilege, SeTakeOwnershipPrivilege
  vssvc.exe (PID 1176): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2004 regsvr32.exe wrote to memory of PID 1172 regsvr32.exe (7 events)
  PID 1172 regsvr32.exe wrote to memory of PID 1932 netsh.exe (4 events)
Note: both sets of writes line up with process creation in the tree below (the 64-bit system32 regsvr32.exe re-launching its SysWOW64 counterpart with the same /s arguments, as it does for a 32-bit DLL, and that child then launching netsh.exe); on their own they are not evidence of code injection into an unrelated process.
Processes
C:\Windows\system32\regsvr32.exe  (PID 2004)
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\53936fcc62ed6e3515b3515531993d92be1d3aca9049f30a2ab2e0805cc45b8d.bin.sample.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe  (PID 1172)
    /s C:\Users\Admin\AppData\Local\Temp\53936fcc62ed6e3515b3515531993d92be1d3aca9049f30a2ab2e0805cc45b8d.bin.sample.dll
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe  (PID 1932)
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe  (PID 744)
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe  (PID 1176)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
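The three behaviours above that most reliably separate a ransomware run from ordinary software (renaming many files to one new extension while dropping a ransom note named after that extension, touching every drive root, and a DLL host such as regsvr32.exe spawning netsh to change firewall policy) can be turned into heuristics that run over a sandbox's event export. The script below is an added example, not part of this report or of the sandbox's own code. Its event lines are constructed from the IoCs shown here (PIDs, paths and the .vcy2u828 token are taken from the report); the one-event-per-line format "<pid> <image> <event> <details>" is a hypothetical flattening, not the sandbox's native output, so adapt parse() to whatever your tooling emits.

```python
"""Ransomware heuristics over Triage-style behavioural events (added example)."""
import json
import re
from collections import defaultdict

# Constructed from IoCs in the report above; the line format is hypothetical.
EVENTS = r"""
1172 regsvr32.exe file_renamed C:\Users\Admin\Pictures\InitializeStep.tif => \??\c:\users\admin\pictures\InitializeStep.tif.vcy2u828
1172 regsvr32.exe file_renamed C:\Users\Admin\Pictures\RemoveStart.tiff => \??\c:\users\admin\pictures\RemoveStart.tiff.vcy2u828
1172 regsvr32.exe file_created \??\c:\program files\vcy2u828-readme.txt
1172 regsvr32.exe file_created \??\c:\program files (x86)\vcy2u828-readme.txt
1172 regsvr32.exe file_created \??\c:\program files\tmp
1172 regsvr32.exe file_opened \??\D:
1172 regsvr32.exe file_opened \??\E:
1172 regsvr32.exe file_opened \??\F:
1172 regsvr32.exe file_opened \??\G:
1172 regsvr32.exe file_opened \??\H:
1172 regsvr32.exe file_opened \??\Z:
2004 regsvr32.exe process_created 1172 C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\Admin\AppData\Local\Temp\53936fcc62ed6e3515b3515531993d92be1d3aca9049f30a2ab2e0805cc45b8d.bin.sample.dll
1172 regsvr32.exe process_created 1932 C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
"""

RENAME_RE = re.compile(r"^(?P<old>.+?) => (?P<new>.+)$")
DRIVE_ROOT_RE = re.compile(r"\\\?\?\\([A-Za-z]):")
# Hosts that legitimately load arbitrary DLLs and therefore deserve child-process scrutiny.
DLL_HOSTS = {"regsvr32.exe", "rundll32.exe"}


def parse(text):
    """Return (pid, image, event, details) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, kind, details = line.split(None, 3)
        events.append((int(pid), image, kind, details))
    return events


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def infer_extension_token(events, min_files=2):
    """Find an extension appended to >= min_files renamed files (new == old + '.' + token).
    Returns (token, [original paths]) or (None, [])."""
    by_token = defaultdict(list)
    for _pid, _image, kind, details in events:
        if kind != "file_renamed":
            continue
        m = RENAME_RE.match(details)
        if not m:
            continue
        old_name, new_name = _basename(m["old"]), _basename(m["new"])
        if new_name.startswith(old_name + "."):
            by_token[new_name[len(old_name) + 1:]].append(m["old"])
    if not by_token:
        return None, []
    token, files = max(by_token.items(), key=lambda kv: len(kv[1]))
    return (token, files) if len(files) >= min_files else (None, [])


def ransom_note_matches(events, token):
    """Created files whose name carries the extension token (e.g. <token>-readme.txt)."""
    return [d for _p, _i, kind, d in events if kind == "file_created" and token in _basename(d)]


def drive_roots_opened(events):
    """Distinct drive letters whose root (\\??\\X:) was opened."""
    roots = {m[1].upper() for _p, _i, kind, d in events
             if kind == "file_opened" and (m := DRIVE_ROOT_RE.fullmatch(d.strip()))}
    return sorted(roots)


def firewall_changes_by_dll_host(events):
    """(parent pid, child pid, cmdline) where a DLL host launched netsh advfirewall."""
    hits = []
    for pid, image, kind, details in events:
        if kind != "process_created":
            continue
        child_pid, child_image, *rest = details.split(None, 2)
        cmdline = rest[0] if rest else ""
        if (image.lower() in DLL_HOSTS and child_image.lower().endswith("\\netsh.exe")
                and "advfirewall" in cmdline.lower()):
            hits.append((pid, int(child_pid), cmdline))
    return hits


def assess(events, min_roots=5):
    """Combine the heuristics into one findings dict (empty dict == nothing flagged)."""
    findings = {}
    token, files = infer_extension_token(events)
    if token:
        findings["encryption_extension"] = token
        findings["renamed_files"] = len(files)
        findings["ransom_notes"] = ransom_note_matches(events, token)
    roots = drive_roots_opened(events)
    if len(roots) >= min_roots:
        findings["drive_enumeration"] = roots
    fw = firewall_changes_by_dll_host(events)
    if fw:
        findings["firewall_change_by_dll_host"] = fw
    return findings


if __name__ == "__main__":
    print(json.dumps(assess(parse(EVENTS)), indent=2))
```

The extension token is derived rather than hard-coded because it changes per victim in this family of reports (here vcy2u828, which also names the readme), so matching the note filename against the inferred token is what ties the two signatures together; the drive-root count and the regsvr32-to-netsh edge are kept as separate findings so a single noisy heuristic does not carry the verdict.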