Overview

overview

10

Static

static

kings.exe

windows7_x64

10

kings.exe

windows10_x64

10

Analysis

  • max time kernel
    18s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    26/01/2022, 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kings.exe

  • Size

    72KB

  • MD5

    5c754da92f7301dc2e44c65df7c2f0ca

  • SHA1

    13fb3bcb9bceb9b8448004b650b37968df84eb70

  • SHA256

    36e4a3de5c4395d295bdf1d70a215d9669b626c58083ec2d8ab29513830faaa6

  • SHA512

    13a2eb67b9e401bf2b61bb0e91fee87cbbf08aa9c05ad58b49914c43ba0c86980a8360bb93ec843ef729a08d74357cd5dcac30ac9d2343b64285d32be9ab23b6

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\RestoreFiles.txt

Ransom Note
Hello, friends! Your system has been compromised by our team.We have blocked your files and also uploaded useful data from your computers(doc, docx, pdf, xls and other office extensions) to our servers. You have 2 days to contact us to discuss the terms of payment for our services to restore your files.If you do not contact us or refuse to pay, we will place your stolen files in the public domain. Do not change the file namesand extensions.Do not try to decrypt the files yourself, they are encrypted using a good encryption algorithm. Main Mail: [email protected] Backup mail(if we don't reply 24 hours): [email protected] At the first contact, you can write to both emails for reliability.

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\kings.exe
    "C:\Users\Admin\AppData\Local\Temp\kings.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1336
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1756
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:576
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RestoreFiles.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/868-54-0x0000000075761000-0x0000000075763000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1008-55-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

    Filesize

    8KB

    Download