Analysis
max time kernel: 146s
max time network: 158s
platform: windows7_x64
resource: win7-en-20211208
submitted: 31-01-2022 03:58
Static task: static1
Behavioral task: behavioral1
  Sample: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
  Resource: win10-en-20211208
General
Target: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Size: 32KB
MD5: d7a713e57405859e14321f8bebd9916b
SHA1: d2de0e59242a540a633a4ce8be7e7310b0eca618
SHA256: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e
SHA512: ae51405fb97d3ec289d5f033b7dde2d7cd27acc6a51b8000fe426b4cbf0c37f38c11e7524012e6da4736746e30aa4d4fee15f7adfd2dea59b9305b4af43d805b
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,c:\\Windows\\bfsvcm.exe,"
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Processes:
  resource: behavioral1/memory/740-55-0x0000000000400000-0x000000000041B3BE-memory.dmp
  yara_rule: themida
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\\Windows\\notepad.exe\" c:\\ReadMe.TxT"
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Modifies WinLogon (2 TTPs, 3 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "To recover files, follow the prompts in the text file \"Readme\""
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Hacked = "F182KCSWOTQG32Lb"
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Attention!!! Your files are encrypted !!!"
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description: File created
  ioc: \??\c:\Windows\bfsvcm.exe
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

  description: File opened for modification
  ioc: \??\c:\Windows\bfsvcm.exe
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates processes with tasklist (1 TTP, 1 IoC)
Kills process with taskkill (1 IoC)
Processes:
  pid: 1392
  process: taskkill.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes:
  description: Key created
  ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

  description: Set value (int)
  ioc: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe

  description: Set value (int)
  ioc: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  process: cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description: Token: SeDebugPrivilege
  pid: 1684
  process: tasklist.exe

  description: Token: SeDebugPrivilege
  pid: 1392
  process: taskkill.exe
Suspicious use of WriteProcessMemory (40 IoCs)
Processes (description | pid | process -> target process; each row is recorded 4 times in the report):
  PID 740 wrote to memory of 1356  | 740  | cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe -> cmd.exe  (4 entries)
  PID 1356 wrote to memory of 1456 | 1356 | cmd.exe -> cmd.exe       (4 entries)
  PID 1456 wrote to memory of 1684 | 1456 | cmd.exe -> tasklist.exe  (4 entries)
  PID 1356 wrote to memory of 1468 | 1356 | cmd.exe -> cmd.exe       (4 entries)
  PID 1356 wrote to memory of 1480 | 1356 | cmd.exe -> find.exe      (4 entries)
  PID 1356 wrote to memory of 1280 | 1356 | cmd.exe -> cmd.exe       (4 entries)
  PID 1356 wrote to memory of 1524 | 1356 | cmd.exe -> find.exe      (4 entries)
  PID 1356 wrote to memory of 1460 | 1356 | cmd.exe -> cmd.exe       (4 entries)
  PID 1356 wrote to memory of 1476 | 1356 | cmd.exe -> find.exe      (4 entries)
  PID 1356 wrote to memory of 1392 | 1356 | cmd.exe -> taskkill.exe  (4 entries)
Processes (process tree; depth shown in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe"
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\W.bat" "
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c tasklist /FI "WINDOWTITLE eq 2046510897" /FO CSV
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist /FI "WINDOWTITLE eq 2046510897" /FO CSV
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe:find.exe:conhost.exe:explorer.exe:ctfmon.exe:dllhost.exe:lsass.exe:services.exe:smss.exe:tasklist.exe:winlogon.exe:wmiprvse.exe:msdts.exe:bfsvc.exe:AdapterTroubleshooter.exe:alg.exe:dwm.exe:issch.exe:rundll32.exe:spoolsv.exe:wininit.exe:wmiprvse.exe:wudfhost.exe:taskmgr.exe:rdpclip.exe:logonui.exe:lsm.exe:spoolsv.exe:dwm.exe:dfssvc.exe:csrss.exe:svchost.exe:cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e.exe:/FO CSV') Do (Echo :"

    [3] C:\Windows\SysWOW64\find.exe
        Command line: Find /I ":%~p:"

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" Echo :"

    [3] C:\Windows\SysWOW64\find.exe
        Command line: Find /I ":%~p:"

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" Echo :"

    [3] C:\Windows\SysWOW64\find.exe
        Command line: Find /I ":):"

    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: TaskKill /F /IM ")"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\W.bat
  MD5: 2a4b2d3b1ca3969cb3eaf23c01f333c2
  SHA1: f64746a1675ecda48d70b440573d79e6ac5fad42
  SHA256: 8eb86b8e9a5e1f7d970d1608f6e8bdcbc1f9b7faa20ea157325f54d3a4d82fbb
  SHA512: a0f9cb09f68f8bb7b99ca96caebb1cd63aa9bae02f012569561cde1dd332898596e9182cc9e12d34906c629198ff996525c335f75b0ff934139c1d03ecc1fc8d
Memory dumps (resource | Filesize):
  memory/740-65-0x0000000000260000-0x0000000000269000-memory.dmp | 36KB
  memory/740-62-0x00000000003A0000-0x00000000003A1000-memory.dmp | 4KB
  memory/740-66-0x0000000000270000-0x0000000000271000-memory.dmp | 4KB
  memory/740-61-0x00000000003B0000-0x00000000003B1000-memory.dmp | 4KB
  memory/740-67-0x0000000000280000-0x0000000000281000-memory.dmp | 4KB
  memory/740-63-0x0000000000230000-0x000000000025D000-memory.dmp | 180KB
  memory/740-64-0x0000000000260000-0x0000000000261000-memory.dmp | 4KB
  memory/740-68-0x0000000000390000-0x0000000000391000-memory.dmp | 4KB
  memory/740-59-0x0000000001FC0000-0x000000000205F000-memory.dmp | 636KB
  memory/740-57-0x0000000000400000-0x000000000041B3BE-memory.dmp | 108KB
  memory/740-55-0x0000000000400000-0x000000000041B3BE-memory.dmp | 108KB
  memory/740-60-0x0000000002470000-0x000000000259D000-memory.dmp | 1.2MB
  memory/740-69-0x00000000004D0000-0x00000000004EF000-memory.dmp | 124KB
  memory/740-70-0x00000000003D0000-0x00000000003D6000-memory.dmp | 24KB
  memory/740-71-0x0000000002780000-0x0000000002889000-memory.dmp | 1.0MB
  memory/740-72-0x000000007EFA0000-0x000000007EFA1000-memory.dmp | 4KB
  memory/740-56-0x00000000763B1000-0x00000000763B3000-memory.dmp | 8KB