1d871d84ee02630558411e47c81ef2aa8bef8f6cd8daaf594f133f545f772c26

General

Target

Rasomware2.0.exe
Size

824KB
MD5

7d17a868abac9de81fe79087eee31471
SHA1

2d3f58ea051db43964243b8aefb7279e45e7bda9
SHA256

1d871d84ee02630558411e47c81ef2aa8bef8f6cd8daaf594f133f545f772c26
SHA512

85ec6c3cf0908b306712041fc9d971d27349641245c29f126e01443dcc6ccd78530c789b15d345938c194009c890b42f7c95bc65deae1ef7372e5744651f9540

Score

10^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

Rasomware2.0.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" Rasomware2.0.exe
Disables Task Manager via registry modification
evasion
Drops desktop.ini file(s) 1 IoCs

Processes:

Rasomware2.0.exe

description ioc process

File created C:\Users\Admin\Downloads\desktop.ini Rasomware2.0.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

Rasomware2.0.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper Rasomware2.0.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1992 960 WerFault.exe Rasomware2.0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	Rasomware2.0.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\desktop.ini	Rasomware2.0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper	Rasomware2.0.exe

pid	pid_target	process	target process
1992	960	WerFault.exe	Rasomware2.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Rasomware2.0.exe

pid	process
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe
960	Rasomware2.0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1992 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Rasomware2.0.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 960 Rasomware2.0.exe
Token: SeDebugPrivilege 1992 WerFault.exe

pid	process
1992	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	960	Rasomware2.0.exe
Token: SeDebugPrivilege	1992	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Rasomware2.0.exe

description	pid	process	target process
PID 960 wrote to memory of 1992	960	Rasomware2.0.exe	WerFault.exe
PID 960 wrote to memory of 1992	960	Rasomware2.0.exe	WerFault.exe
PID 960 wrote to memory of 1992	960	Rasomware2.0.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Rasomware2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Rasomware2.0.exe"
1⤵
- Modifies WinLogon for persistence
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 960 -s 708
  2⤵
  - Program crash
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-54-0x0000000000A30000-0x0000000000B04000-memory.dmp

Filesize
848KB

Download
memory/960-55-0x0000000000A30000-0x0000000000B04000-memory.dmp

Filesize
848KB

Download
memory/960-56-0x0000000002030000-0x0000000002032000-memory.dmp

Filesize
8KB

Download
memory/960-58-0x0000000002037000-0x0000000002056000-memory.dmp

Filesize
124KB

Download
memory/960-57-0x0000000002032000-0x0000000002033000-memory.dmp

Filesize
4KB

Download
memory/1992-59-0x0000000000000000-mapping.dmp

Download
memory/1992-60-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download
memory/1992-61-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing