Analysis
- max time kernel: 25s
- max time network: 15s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 06-01-2022 12:29
Static task: static1
Behavioral task: behavioral1
- Sample: update.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: update.exe
- Resource: win10-en-20211208
General
- Target: update.exe
- Size: 5.7MB
- MD5: 9608c8b6c8d80fdc67b99edd3c53d3d2
- SHA1: 37b11d3d7b7a1d18daafd6c63b33526860aaefe6
- SHA256: 8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0
- SHA512: 4c98ff99686f2b54648c0926fbc1e92522520b11d1447a0fdf2aa11e25de2c109a0e55ae8f736404a3feed7288cb257cd57812ecdaeae41051a6ec3a0f6bfa15
Malware Config
Signatures
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: update.exe
  - File renamed: C:\Users\Admin\Pictures\StartHide.crw => C:\Users\Admin\Pictures\StartHide.crw.nightsky (update.exe)
  - File renamed: C:\Users\Admin\Pictures\ResolveInstall.png => C:\Users\Admin\Pictures\ResolveInstall.png.nightsky (update.exe)
  - File opened for modification: C:\Users\Admin\Pictures\ResolveInstall.png.nightsky (update.exe)
  - File renamed: C:\Users\Admin\Pictures\MeasureNew.tif => C:\Users\Admin\Pictures\MeasureNew.tif.nightsky (update.exe)
  - File opened for modification: C:\Users\Admin\Pictures\ReadCompress.raw.nightsky (update.exe)
  - File renamed: C:\Users\Admin\Pictures\ReadCompress.raw => C:\Users\Admin\Pictures\ReadCompress.raw.nightsky (update.exe)
  - File opened for modification: C:\Users\Admin\Pictures\MeasureNew.tif.nightsky (update.exe)
  - File opened for modification: C:\Users\Admin\Pictures\StartHide.crw.nightsky (update.exe)
  - File renamed: C:\Users\Admin\Pictures\NewTrace.raw => C:\Users\Admin\Pictures\NewTrace.raw.nightsky (update.exe)
  - File opened for modification: C:\Users\Admin\Pictures\NewTrace.raw.nightsky (update.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings (1 IoC)
  Processes: mshta.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: update.exe (PID 1620)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: mshta.exe (PID 1332)
Processes
- C:\Users\Admin\AppData\Local\Temp\update.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\update.exe"
  - Modifies extensions of user files
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\NightSkyReadMe.hta"
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
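The two behaviours the sandbox flagged above, a run of renames that append .nightsky to files under the user profile and mshta.exe launching NightSkyReadMe.hta from the Desktop, are the ones a detection engineer would want to reproduce over file and process telemetry. The Python below is an added example and is not part of the sandbox report or the sample: the event list is constructed by hand from the IoCs above (the field names, the PIDs on the control events and the benign WINWORD.EXE rename are assumptions), and the two checks are my own logic rather than the sandbox's signature rules.

```python
"""Detect (1) mass renames that append one common suffix to user files and
(2) mshta.exe executing an .hta from a user profile path.
Event records are constructed from the report's IoCs; the schema is assumed
and will differ from any real sandbox or EDR export."""
from collections import defaultdict
import ntpath
import re

# Constructed telemetry modelled on the report's IoCs (not sandbox output).
EVENTS = [
    {"type": "rename", "process": "update.exe", "pid": 1620,
     "src": r"C:\Users\Admin\Pictures\StartHide.crw",
     "dst": r"C:\Users\Admin\Pictures\StartHide.crw.nightsky"},
    {"type": "rename", "process": "update.exe", "pid": 1620,
     "src": r"C:\Users\Admin\Pictures\ResolveInstall.png",
     "dst": r"C:\Users\Admin\Pictures\ResolveInstall.png.nightsky"},
    {"type": "modify", "process": "update.exe", "pid": 1620,
     "path": r"C:\Users\Admin\Pictures\ResolveInstall.png.nightsky"},
    {"type": "rename", "process": "update.exe", "pid": 1620,
     "src": r"C:\Users\Admin\Pictures\MeasureNew.tif",
     "dst": r"C:\Users\Admin\Pictures\MeasureNew.tif.nightsky"},
    {"type": "rename", "process": "update.exe", "pid": 1620,
     "src": r"C:\Users\Admin\Pictures\ReadCompress.raw",
     "dst": r"C:\Users\Admin\Pictures\ReadCompress.raw.nightsky"},
    {"type": "modify", "process": "update.exe", "pid": 1620,
     "path": r"C:\Users\Admin\Pictures\ReadCompress.raw.nightsky"},
    {"type": "rename", "process": "update.exe", "pid": 1620,
     "src": r"C:\Users\Admin\Pictures\NewTrace.raw",
     "dst": r"C:\Users\Admin\Pictures\NewTrace.raw.nightsky"},
    # Benign control (assumed): an editor's save-to-temp-then-rename pattern.
    {"type": "rename", "process": "WINWORD.EXE", "pid": 2200,
     "src": r"C:\Users\Admin\Documents\~WRD0001.tmp",
     "dst": r"C:\Users\Admin\Documents\Report.docx"},
    {"type": "process", "process": "mshta.exe", "pid": 1332,
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\NightSkyReadMe.hta"'},
]

# Anything below <drive>:\Users\<name>\ counts as a user-profile path.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def appended_suffix(src, dst):
    """Return the suffix a rename appended (e.g. '.nightsky'), or None when
    the rename is not of the form <same directory>\\<original name><suffix>."""
    src_dir, src_name = ntpath.split(src)
    dst_dir, dst_name = ntpath.split(dst)
    if src_dir.lower() != dst_dir.lower() or not dst_name.startswith(src_name):
        return None
    suffix = dst_name[len(src_name):]
    return suffix if suffix.startswith(".") else None


def find_mass_extension_append(events, min_files=3):
    """Group user-file renames by (process, pid, appended suffix) and report
    every group that touched at least min_files files."""
    hits = defaultdict(list)
    for e in events:
        if e["type"] != "rename" or not USER_PROFILE_RE.match(e["src"]):
            continue
        suffix = appended_suffix(e["src"], e["dst"])
        if suffix:
            hits[(e["process"], e["pid"], suffix)].append(e["src"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_files}


def find_mshta_note_launch(events):
    """Flag mshta.exe process starts whose command line names an .hta under a
    user profile, which is where a dropped ransom note would live."""
    findings = []
    for e in events:
        if e["type"] != "process" or ntpath.basename(e["image"]).lower() != "mshta.exe":
            continue
        # Tokenise quoted and unquoted arguments; each tuple has one non-empty group.
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', e["cmdline"]):
            arg = quoted or bare
            if arg.lower().endswith(".hta") and USER_PROFILE_RE.match(arg):
                findings.append((e["pid"], arg))
    return findings


if __name__ == "__main__":
    for (proc, pid, suffix), files in find_mass_extension_append(EVENTS).items():
        print(f"{proc} (pid {pid}) appended {suffix} to {len(files)} user files")
    for pid, note in find_mshta_note_launch(EVENTS):
        print(f"mshta.exe (pid {pid}) launched probable ransom note: {note}")
```

The sandbox signature fires on the rename pattern alone; the added min_files threshold is there so that one legitimate rename does not page anyone, and the "opened for modification" events are deliberately ignored because they say nothing about the extension change on their own. Tune the threshold and the profile-path regex to the telemetry you actually collect.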
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\NightSkyReadMe.hta
  MD5: 77271f4222f5c197f203d16052e09015
  SHA1: c549b429ec037ff0e085dcee7b8ed636fc258f22
  SHA256: 29e255933d04e25882cca4d0be597b4eaa36ee729b62ca93fe4789b0283641e3
  SHA512: 1ecd1cc449fdfbbae5312988904bc8e0b2799fdf28ce902e9788320c94c60e7ecde1f5245c7e312a9e2e14d17db227b1a1dca0c94c7f670c4a8a0ecc22fd5a0d
- memory/1620-54-0x000000013FC70000-0x00000001405C0000-memory.dmp
  Filesize: 9.3MB
- memory/1620-57-0x0000000077B90000-0x0000000077B92000-memory.dmp
  Filesize: 8KB