Resubmissions
03-11-2022 09:46
221103-lrnd1sghc5 322-09-2022 15:06
220922-sgtavafedj 314-10-2021 16:48
211014-vbeavaaad5 822-09-2021 05:58
210922-gpdpksecgk 822-09-2021 05:36
210922-gax5nsecdn 8Analysis
-
max time kernel
90s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
22-09-2021 05:36
Static task
static1
Behavioral task
behavioral1
Sample
manual64.dll
Resource
win10v20210408
General
-
Target
manual64.dll
-
Size
184KB
-
MD5
d35a5caf8af43432ec2f5a2318b20597
-
SHA1
8fd8f62a848a1d9c1ff18c7bc16e8a6d2c67c37e
-
SHA256
c74873d7b8cc622379ed49bd0b0e477167ae176aa329b01338666ec4c1a4426b
-
SHA512
7de9c021c2e64c564ba8ac5c0f1914718c240a382bc717dd7e93122a0a51c849c263ae0438eae5c324ca1e5c3d346c2a09ab7fc63bbaa598e3973943a5d84263
Malware Config
Signatures
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
rundll32.exedescription ioc process File renamed C:\Users\Admin\Pictures\CheckpointClear.png => \??\c:\Users\Admin\Pictures\CheckpointClear.png.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\HideGrant.raw => \??\c:\Users\Admin\Pictures\HideGrant.raw.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\LimitPing.png => \??\c:\Users\Admin\Pictures\LimitPing.png.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\ResetCompress.png => \??\c:\Users\Admin\Pictures\ResetCompress.png.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\ResizeWrite.raw => \??\c:\Users\Admin\Pictures\ResizeWrite.raw.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\UseOut.tif => \??\c:\Users\Admin\Pictures\UseOut.tif.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\DisableRegister.tif => \??\c:\Users\Admin\Pictures\DisableRegister.tif.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\DismountFind.png => \??\c:\Users\Admin\Pictures\DismountFind.png.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\EnterCopy.crw => \??\c:\Users\Admin\Pictures\EnterCopy.crw.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\JoinPush.crw => \??\c:\Users\Admin\Pictures\JoinPush.crw.quantum rundll32.exe File renamed C:\Users\Admin\Pictures\MoveOpen.raw => \??\c:\Users\Admin\Pictures\MoveOpen.raw.quantum rundll32.exe -
Drops desktop.ini file(s) 24 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification \??\c:\Users\Public\Downloads\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Videos\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Music\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\AccountPictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Documents\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Documents\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\OneDrive\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Searches\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Videos\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Music\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Links\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Desktop\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Libraries\desktop.ini rundll32.exe -
Drops file in Program Files directory 2 IoCs
Processes:
rundll32.exedescription ioc process File created \??\c:\Program Files\README_TO_DECRYPT.html rundll32.exe File created \??\c:\Program Files (x86)\README_TO_DECRYPT.html rundll32.exe -
Modifies registry class 5 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.quantum\shell\Open\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.quantum rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.quantum\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.quantum\shell\Open rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 4648 rundll32.exe 4648 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exedescription pid process Token: SeRestorePrivilege 4648 rundll32.exe Token: SeDebugPrivilege 4648 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
rundll32.execmd.exedescription pid process target process PID 4648 wrote to memory of 4740 4648 rundll32.exe cmd.exe PID 4648 wrote to memory of 4740 4648 rundll32.exe cmd.exe PID 4740 wrote to memory of 4784 4740 cmd.exe attrib.exe PID 4740 wrote to memory of 4784 4740 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\manual64.dll,#11⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\00018A49.bat" "C:\Users\Admin\AppData\Local\Temp\manual64.dll""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\manual64.dll"3⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\00018A49.batMD5
348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611
-
memory/4648-114-0x000001CD72340000-0x000001CD72432000-memory.dmpFilesize
968KB
-
memory/4740-115-0x0000000000000000-mapping.dmp
-
memory/4784-117-0x0000000000000000-mapping.dmp