Resubmissions
- 20-01-2022 19:26  220120-x5jhrsbcdl  (score 10)
- 17-01-2022 16:56  220117-vf67esbcd8  (score 10)
- 17-01-2022 16:16  220117-tqyscsbedr  (score 10)
- 09-12-2021 23:18  211209-299yqseee9  (score 1)
Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 17-01-2022 16:56
Static task: static1
Behavioral task: behavioral1
- Sample: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
- Resource: win10v2004-en-20220112
General
- Target: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
- Size: 2.2MB
- MD5: aea5d3cced6725f37e2c3797735e6467
- SHA1: 087497940a41d96e4e907b6dc92f75f4a38d861a
- SHA256: 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
- SHA512: 5489753ae1c3ba0dbd3e0ce1b78b0ccba045e534e77fb87c80d56b16229f928c46a15721020142bbc6bd4d1ba5c295f4bec3596efa7b46c906889c156dadbd66
Malware Config
Extracted from C:\RECOVER-sykffle-FILES.txt:
http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=LWJr7bVcSMGcY5YdPVmFb0ZON%2BF7%2Bau322FPnwcE9LwdS6oF%2BqsTezNE%2BJ3CeIrVWP04sFKfZyDthKAU9FNF54clf32wnXRakIh6nUeIjJL4Gn%2FYPHs5cVfPKaMFdTRGKKFP1JWeQ2Fne7wWRfD0eCgmTAKCagsjtwAQMfzZJfV1wKtj%2BRVh87pyjXP%2BA1G7IBmjVgEbLP1dWQR4XdYwvaaM%2FE1ge51BV3MJEcg5rHmsnCK%2BFjqDeJR5sEbdckGW7cxZ1aVBMAScg8WU%2FI3uFbntzOvipK4%2BFofW0p81%2F23Ssz7qmAQuRCEYcLWT0nt87F%2Fq6HYV09Q9YoOjlrvPKw%3D%3D
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (21 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: woof.exe
  - File opened for modification: C:\Users\Admin\Pictures\CheckpointPush.raw.sykffle
  - File renamed: C:\Users\Admin\Pictures\ConnectInvoke.tiff => C:\Users\Admin\Pictures\ConnectInvoke.tiff.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\ExitWait.crw.sykffle
  - File renamed: C:\Users\Admin\Pictures\ExpandConvertTo.png => C:\Users\Admin\Pictures\ExpandConvertTo.png.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\SyncRestore.tif.sykffle
  - File renamed: C:\Users\Admin\Pictures\TestCopy.crw => C:\Users\Admin\Pictures\TestCopy.crw.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\ConvertFromUse.png.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\NewSuspend.tif.sykffle
  - File renamed: C:\Users\Admin\Pictures\ResumeBackup.tif => C:\Users\Admin\Pictures\ResumeBackup.tif.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\ResumeBackup.tif.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\SetMerge.crw.sykffle
  - File renamed: C:\Users\Admin\Pictures\SyncRestore.tif => C:\Users\Admin\Pictures\SyncRestore.tif.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\ConnectInvoke.tiff
  - File renamed: C:\Users\Admin\Pictures\CheckpointPush.raw => C:\Users\Admin\Pictures\CheckpointPush.raw.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\ConnectInvoke.tiff.sykffle
  - File renamed: C:\Users\Admin\Pictures\ConvertFromUse.png => C:\Users\Admin\Pictures\ConvertFromUse.png.sykffle
  - File renamed: C:\Users\Admin\Pictures\ExitWait.crw => C:\Users\Admin\Pictures\ExitWait.crw.sykffle
  - File renamed: C:\Users\Admin\Pictures\SetMerge.crw => C:\Users\Admin\Pictures\SetMerge.crw.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\ExpandConvertTo.png.sykffle
  - File renamed: C:\Users\Admin\Pictures\NewSuspend.tif => C:\Users\Admin\Pictures\NewSuspend.tif.sykffle
  - File opened for modification: C:\Users\Admin\Pictures\TestCopy.crw.sykffle
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: woof.exe
  - File opened (read-only): \??\Z:
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes: woof.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1648), vssadmin.exe (PID 1340)
- Modifies Control Panel (1 IoC)
  Processes: woof.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\WallpaperStyle = "0"
- Suspicious behavior: CmdExeWriteProcessMemorySpam (5 IoCs)
  Processes: woof.exe (PIDs 1532, 396, 1664, 1668, 240)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: woof.exe (PID 240)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: cmd.exe (PID 668)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: WMIC.exe (PID 1372), vssvc.exe (PID 1604), vssvc.exe (PID 1628)
  - WMIC.exe (PID 1372), each token recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - vssvc.exe (PID 1604): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - vssvc.exe (PID 1628): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: cmd.exe (PID 668), woof.exe (PID 240), cmd.exe (PIDs 1164, 2016, 1748, 1736, 808)
  Each write below (source PID/process -> target PID/process) was recorded four times unless noted:
  - 668 cmd.exe -> 1532 woof.exe
  - 668 cmd.exe -> 396 woof.exe
  - 668 cmd.exe -> 1664 woof.exe
  - 668 cmd.exe -> 1668 woof.exe
  - 668 cmd.exe -> 240 woof.exe
  - 240 woof.exe -> 1164 cmd.exe
  - 1164 cmd.exe -> 1372 WMIC.exe
  - 240 woof.exe -> 2016 cmd.exe
  - 2016 cmd.exe -> 1560 fsutil.exe
  - 240 woof.exe -> 1748 cmd.exe
  - 1748 cmd.exe -> 1588 fsutil.exe
  - 240 woof.exe -> 1736 cmd.exe
  - 240 woof.exe -> 1920 cmd.exe
  - 1736 cmd.exe -> 1648 vssadmin.exe (recorded three times)
  - 240 woof.exe -> 808 cmd.exe
  - 808 cmd.exe -> 1556 ARP.EXE
  - 240 woof.exe -> 1944 cmd.exe (recorded once)
Processes
- C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe, command line: "C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe"
- C:\Windows\system32\cmd.exe, command line: "C:\Windows\system32\cmd.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\woof.exe, command line: woof --ui
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Users\Admin\AppData\Local\Temp\woof.exe, command line: woof --UI
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Users\Admin\AppData\Local\Temp\woof.exe, command line: woof.exe -V
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Users\Admin\AppData\Local\Temp\woof.exe, command line: woof.exe --version
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Users\Admin\AppData\Local\Temp\woof.exe, command line: woof.exe -asdfadsfadsf
    - Modifies extensions of user files
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line: "cmd" /c "wmic csproduct get UUID"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe, command line: wmic csproduct get UUID
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe, command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fsutil.exe, command line: fsutil behavior set SymlinkEvaluation R2L:1
    - C:\Windows\SysWOW64\cmd.exe, command line: "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fsutil.exe, command line: fsutil behavior set SymlinkEvaluation R2R:1
    - C:\Windows\SysWOW64\cmd.exe, command line: "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
      - C:\Windows\SysWOW64\reg.exe, command line: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
    - C:\Windows\system32\cmd.exe, command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe, command line: vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe, command line: "cmd" /c "arp -a"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ARP.EXE, command line: arp -a
    - C:\Windows\system32\cmd.exe, command line: "cmd" /c "vssadmin.exe delete shadows /all /quiet"
      - C:\Windows\system32\vssadmin.exe, command line: vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe, command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe, command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6