Analysis
  Max time kernel: 148s
  Max time network: 166s
  Platform: windows7_x64
  Resource: win7-en-20211208
  Submitted: 31-01-2022 03:58
Static task: static1
Behavioral task: behavioral1
  Sample: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
  Resource: win10-en-20211208
General
  Target: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
  Size: 116KB
  MD5: 1dc550eaf37331a8febe5d9f4176269e
  SHA1: d77c9d5d3e916bbf97f33aeca8eadad8b517e68c
  SHA256: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612
  SHA512: b35b55c550ec583bf71554872e1410aac9ad1ef7711491f168069c229f56e19fb00712a2a7b1e4552ecb7905ca5ab12482ab2e071079de004cd5cb89c7ad4d85
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,c:\\Windows\\bfsvcm.exe,"

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\\Windows\\notepad.exe\" c:\\ReadMe.TxT"

Modifies WinLogon (2 TTPs, 3 IoCs)
  Process: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Hacked = "RK227FcEKTcTGRUC"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Attention!!! Your files are encrypted !!!"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "To recover files, follow the prompts in the text file \"Readme\""

Drops file in Windows directory (2 IoCs)
  Process: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
  File opened for modification \??\c:\Windows\bfsvcm.exe
  File created \??\c:\Windows\bfsvcm.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates processes with tasklist (1 TTP, 1 IoC)

Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 1796)
Modifies data under HKEY_USERS (3 IoCs)
  Process: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1356 tasklist.exe
  Token: SeDebugPrivilege  PID 1796 taskkill.exe
Suspicious use of WriteProcessMemory (40 IoCs)
  Processes: d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe, cmd.exe, cmd.exe
  Source PID / process -> target PID / process (the report lists each write four times, 10 distinct pairs):
  1396 d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe -> 1368 cmd.exe
  1368 cmd.exe -> 1360 cmd.exe
  1360 cmd.exe -> 1356 tasklist.exe
  1368 cmd.exe -> 620 cmd.exe
  1368 cmd.exe -> 432 find.exe
  1368 cmd.exe -> 1160 cmd.exe
  1368 cmd.exe -> 1148 find.exe
  1368 cmd.exe -> 1140 cmd.exe
  1368 cmd.exe -> 1172 find.exe
  1368 cmd.exe -> 1796 taskkill.exe
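The registry writes above are the artefacts an analyst would turn into host checks: a second entry appended to the Winlogon Userinit list, a Run value that launches notepad.exe on the dropped ransom note, and a LegalNotice banner set to the ransom text. The script below is an added example, not part of the sandbox report or the sample: it parses the report's own "Set value (type) KEY\NAME = "VALUE"" lines (copied from the tables above) and applies those three checks. The Winlogon Shell check is a generalization of the same hijack pattern not shown in this report; the rule names, severities and the Finding record are this example's own.

```python
import re
from dataclasses import dataclass

# Registry IoC lines exactly as the report above prints them (backslashes and
# quotes inside VALUE are escaped). Constructed from the report for this example.
REPORT_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,c:\\Windows\\bfsvcm.exe,"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\\Windows\\notepad.exe\" c:\\ReadMe.TxT"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Hacked = "RK227FcEKTcTGRUC"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Attention!!! Your files are encrypted !!!"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "To recover files, follow the prompts in the text file \"Readme\""',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"',
]

_IOC_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')


def unescape(s: str) -> str:
    """Undo the report's escaping of backslashes and quotes inside VALUE."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_ioc(line: str):
    """Return (type, key, value_name, value) or None for non-registry lines."""
    m = _IOC_RE.match(line)
    if not m:
        return None
    kind, path, raw_value = m.groups()
    key, _, name = path.rpartition("\\")
    return kind, key, name, unescape(raw_value)


def split_command(cmd: str):
    """Split an autostart command into (image, arguments), honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


@dataclass
class Finding:
    severity: str
    rule: str
    value_name: str
    detail: str


def classify(line: str) -> list:
    parsed = parse_ioc(line)
    if parsed is None:
        return []
    _, key, name, value = parsed
    klow, nlow = key.lower(), name.lower()
    findings = []
    if klow.endswith("\\winlogon"):
        if nlow == "userinit":
            # Userinit is a comma-separated list; on a clean host it holds only
            # %SystemRoot%\system32\userinit.exe. Every other entry runs at logon.
            for entry in (e.strip() for e in value.split(",")):
                if entry and not entry.lower().endswith("\\system32\\userinit.exe"):
                    findings.append(Finding("high", "winlogon_userinit_hijack", name, entry))
        elif nlow == "shell":
            # Not in the report above: the same hijack pattern via the Shell value (generalization).
            if value.strip().lower() != "explorer.exe":
                findings.append(Finding("high", "winlogon_shell_hijack", name, value))
        elif nlow in ("legalnoticecaption", "legalnoticetext") and value.strip():
            # A logon banner is legitimate in managed fleets; flag it as medium and
            # surface the text so the analyst can see that here it is a ransom note.
            findings.append(Finding("medium", "logon_banner_set", name, value))
    elif klow.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        image, args = split_command(value)
        # Judge the whole command, not the image: notepad.exe is signed and benign,
        # the value name "unlock" and the ReadMe argument are the tell.
        findings.append(Finding("high", "run_key_autostart", name, f"image={image} args={args}"))
    return findings


def analyze(lines) -> list:
    return [f for line in lines for f in classify(line)]


if __name__ == "__main__":
    for f in analyze(REPORT_IOCS):
        print(f"[{f.severity}] {f.rule}: {f.value_name} -> {f.detail}")
```

Run against the six lines above it reports the Userinit addition c:\Windows\bfsvcm.exe, the Run value "unlock", and both LegalNotice values; the "Hacked" marker value and the ZoneMap writes produce nothing, which is deliberate: an allowlist of Winlogon value names would be long and brittle, so unknown names are left for the analyst rather than auto-flagged.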
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe (PID 1396)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe"
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1368)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\W.bat" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1360)
        Command line: C:\Windows\system32\cmd.exe /c tasklist /FI "WINDOWTITLE eq 32003784" /FO CSV
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\tasklist.exe (PID 1356)
          Command line: tasklist /FI "WINDOWTITLE eq 32003784" /FO CSV
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe:find.exe:conhost.exe:explorer.exe:ctfmon.exe:dllhost.exe:lsass.exe:services.exe:smss.exe:tasklist.exe:winlogon.exe:wmiprvse.exe:msdts.exe:bfsvc.exe:AdapterTroubleshooter.exe:alg.exe:dwm.exe:issch.exe:rundll32.exe:spoolsv.exe:wininit.exe:wmiprvse.exe:wudfhost.exe:taskmgr.exe:rdpclip.exe:logonui.exe:lsm.exe:spoolsv.exe:dwm.exe:dfssvc.exe:csrss.exe:svchost.exe:d69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612.exe:/FO CSV') Do (Echo :"
    [3] C:\Windows\SysWOW64\find.exe
        Command line: Find /I ":%~p:"
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" Echo :"
    [3] C:\Windows\SysWOW64\find.exe
        Command line: Find /I ":%~p:"
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" Echo :"
    [3] C:\Windows\SysWOW64\find.exe
        Command line: Find /I ":):"
    [3] C:\Windows\SysWOW64\taskkill.exe (PID 1796)
        Command line: TaskKill /F /IM ")"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\W.bat
  MD5: 62fa10e1e6f750ca1d2e5ca28aa1fa02
  SHA1: c2045eb954e6f5ce13e7c585539eb80f991ff789
  SHA256: a1f21c9b3f9166480632b403660db82b92dc688abce20638f4a9962da7f5bf19
  SHA512: 5377bb73316581c4794227c0efd1914cb525a355bfd2c64e5be88014984dc1411366800cbc4281d91b6b78dcda0cf71478020d0a420a294a1204c5f508571898
Memory dumps (PID 1396):
  memory/1396-54-0x0000000075D61000-0x0000000075D63000-memory.dmp  8KB
  memory/1396-55-0x0000000001DB0000-0x0000000001E79000-memory.dmp  804KB
  memory/1396-57-0x0000000001F30000-0x000000000205D000-memory.dmp  1.2MB
  memory/1396-58-0x00000000001B0000-0x00000000001B9000-memory.dmp  36KB
  memory/1396-59-0x00000000001C0000-0x00000000001C1000-memory.dmp  4KB
  memory/1396-60-0x00000000001D0000-0x00000000001D1000-memory.dmp  4KB
  memory/1396-61-0x00000000001E0000-0x00000000001E1000-memory.dmp  4KB
  memory/1396-62-0x0000000002060000-0x000000000207F000-memory.dmp  124KB
  memory/1396-63-0x0000000002640000-0x0000000002749000-memory.dmp  1.0MB
  memory/1396-64-0x00000000001F0000-0x00000000001F6000-memory.dmp  24KB