Analysis

- max time kernel: 155s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 31-01-2022 03:59

Static task: static1

Behavioral task: behavioral1
- Sample: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
- Resource: win10-en-20211208

The memory dumps and the YARA match listed below are tagged behavioral1, i.e. the Windows 7 x64 run, in which the sample ran as PID 1640.
General

- Target: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
- Size: 32KB
- MD5: 0793e40192cb5916d1aeb03e045ddd58
- SHA1: 4f07512ff629cae2e4175a3e1e4235fa8cee3bfe
- SHA256: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565
- SHA512: 2b5bfbfc151861dead86d241ad3a6afb76142cb4a6fd2811abfebab4f3026af92f0aee25865d778672a3c8cf0f3496f707a1efba1212067a2471d66b1a7b3226
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\Windows\system32\userinit.exe,c:\Windows\bfsvcm.exe,"
  Userinit is a comma-separated list of programs that winlogon.exe starts at every interactive logon, before the shell; the default is userinit.exe alone. Appending the dropped c:\Windows\bfsvcm.exe keeps logon working while relaunching the malware for every account that signs in, and because the value lives under HKLM it applies to all users of the machine. The write succeeded, so the sample was running with administrative rights.

- YARA match: themida (1 IoC)
  Resource: behavioral1/memory/1640-55-0x0000000000400000-0x000000000041B396-memory.dmp
  The rule fires on the sample's own image region (0x400000-0x41B396, 108KB in memory against 32KB on disk), which is consistent with a packed binary that expands when loaded.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\Windows\notepad.exe\" c:\ReadMe.TxT"
  This Run entry is not a second launcher for the malware: it opens the ransom note c:\ReadMe.TxT in Notepad at each logon.

- Modifies WinLogon (2 TTPs, 3 IoCs)
  Process: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Hacked = "7NG5RM3NT1F1WTE8"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Attention!!! Your files are encrypted !!!"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "To recover files, follow the prompts in the text file \"Readme\""
  LegalNoticeCaption and LegalNoticeText are shown as a mandatory dialog on the logon screen before anyone can sign in, so the ransom message reaches accounts that have not yet logged on. "Hacked" is not a Windows-defined Winlogon value; its 16-character content looks like an infection marker or victim identifier, but the report does not show how it is used.

- Drops file in Windows directory (2 IoCs)
  Process: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
  File created \??\c:\Windows\bfsvcm.exe
  File opened for modification \??\c:\Windows\bfsvcm.exe
  The dropped name mimics the legitimate c:\Windows\bfsvc.exe (Boot File Servicing Utility), which also appears in the batch whitelist further down; the extra "m" is the only difference, so hunt for the exact file name rather than eyeballing the directory listing.
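The registry changes above are the durable part of this infection, so they are what a responder checks first on other hosts. The following script is an added example, not code from the report or from the sample: it audits the Winlogon and Run values for exactly this kind of tampering. SNAPSHOT is constructed from the report's "Set value" IoCs (HKLM is the sandbox's \REGISTRY\MACHINE); on a live host the same dictionary would be filled from winreg.QueryValueEx() instead, so the checks run offline on any platform. The KNOWN_WINLOGON_VALUES set and the RANSOM_WORDS pattern are assumptions made for this example.

```python
"""Audit Winlogon and Run persistence values for the tampering this report records.

Added example, not part of the sandbox report. SNAPSHOT is constructed from the
report's "Set value" IoCs; on a live host fill it from winreg.QueryValueEx().
"""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Documented default for Winlogon\Userinit: one entry, the trailing comma is normal.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Values Windows itself defines under Winlogon (assumption: not exhaustive).
KNOWN_WINLOGON_VALUES = {
    "shell", "userinit", "legalnoticecaption", "legalnoticetext",
    "autoadminlogon", "defaultusername", "defaultdomainname", "defaultpassword",
    "reportbootok", "powerdownaftershutdown", "vmapplet", "autorestartshell",
    "preloadfontfile", "passwordexpirywarning", "shutdownwithoutlogon",
}

# Wording that turns a logon banner from policy text into a ransom note (assumption).
RANSOM_WORDS = re.compile(r"encrypt|decrypt|recover|bitcoin|ransom", re.I)

# Constructed from the report's IoCs (value path -> data).
SNAPSHOT = {
    WINLOGON + r"\Userinit": r"C:\Windows\system32\userinit.exe,c:\Windows\bfsvcm.exe,",
    WINLOGON + r"\LegalNoticeCaption": "Attention!!! Your files are encrypted !!!",
    WINLOGON + r"\LegalNoticeText": 'To recover files, follow the prompts in the text file "Readme"',
    WINLOGON + r"\Hacked": "7NG5RM3NT1F1WTE8",
    RUN + r"\unlock": r'"c:\Windows\notepad.exe" c:\ReadMe.TxT',
}


def userinit_extras(value):
    """Every Userinit entry that is not the documented default, lower-cased."""
    entries = [e.strip().lower() for e in value.split(",")]
    return [e for e in entries if e and e != DEFAULT_USERINIT]


def command_image(cmdline):
    """Executable part of a Run value: the quoted path, or the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def audit(snapshot):
    """Return (severity, value_path, reason) tuples for suspicious values."""
    findings = []
    for path, value in snapshot.items():
        key, _, name = path.rpartition("\\")
        lname = name.lower()
        if key.lower() == WINLOGON.lower():
            if lname == "userinit":
                # Anything beyond userinit.exe runs at every interactive logon.
                for extra in userinit_extras(value):
                    findings.append(("high", path, f"extra Userinit entry runs at every logon: {extra}"))
            elif lname in ("legalnoticecaption", "legalnoticetext"):
                # Banners are legitimate in managed environments; ransom wording is not.
                sev = "high" if RANSOM_WORDS.search(value) else "medium"
                findings.append((sev, path, f"logon banner set: {value!r}"))
            elif lname not in KNOWN_WINLOGON_VALUES:
                findings.append(("low", path, f"undocumented Winlogon value: {value!r}"))
        elif key.lower() == RUN.lower():
            image = command_image(value).lower()
            if image.endswith("\\notepad.exe") or image == "notepad.exe":
                findings.append(("medium", path, f"Run entry opens a document at logon (ransom-note pattern): {value}"))
            else:
                findings.append(("info", path, f"Run entry: {value}"))
    return findings


if __name__ == "__main__":
    for sev, path, reason in audit(SNAPSHOT):
        print(f"[{sev:<6}] {path}\n         {reason}")
```

Against the constructed snapshot the audit reports the Userinit addition and both LegalNotice values as high, the Run entry as medium and the "Hacked" value as low. The Userinit check is the one worth running fleet-wide: the value is rarely touched by legitimate software, so any entry other than userinit.exe deserves a look.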
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Enumerates processes with tasklist (1 TTP, 1 IoC)
  Process: tasklist.exe (PID 304); see the process tree below.

- Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 1528)

- Modifies data under HKEY_USERS (3 IoCs)
  Process: 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  ZoneMap writes under the .DEFAULT hive are commonly a side effect of the Internet Settings zone map being initialised (for example by WinINet/urlmon) and carry little signal on their own; the Winlogon and Run changes above are the ones to act on.

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, tasklist.exe (PID 304)
  Token: SeDebugPrivilege, taskkill.exe (PID 1528)
  Both tools enable SeDebugPrivilege as a matter of course so they can open processes owned by other users; the privilege was obtainable because the sample was running with administrative rights, which is also what allowed the HKLM and C:\Windows writes.
- Suspicious use of WriteProcessMemory (40 IoCs)
  The sandbox records each parent-to-child write four times; the distinct parent/child pairs are:
  - PID 1640 3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe -> PID 1028 cmd.exe
  - PID 1028 cmd.exe -> PID 1384 cmd.exe
  - PID 1384 cmd.exe -> PID 304 tasklist.exe
  - PID 1028 cmd.exe -> PID 836 cmd.exe
  - PID 1028 cmd.exe -> PID 2008 find.exe
  - PID 1028 cmd.exe -> PID 2004 cmd.exe
  - PID 1028 cmd.exe -> PID 2012 find.exe
  - PID 1028 cmd.exe -> PID 1060 cmd.exe
  - PID 1028 cmd.exe -> PID 1252 find.exe
  - PID 1028 cmd.exe -> PID 1528 taskkill.exe
  Every write targets a child the writer itself had just created, so this is the parent-side setup of ordinary process creation by cmd.exe rather than injection into an unrelated process. The pairs also give the PIDs for the process tree below.
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe (PID 1640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe"
  Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Modifies WinLogon; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1028)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\W.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1384)
      Command line: C:\Windows\system32\cmd.exe /c tasklist /FI "WINDOWTITLE eq 342213780" /FO CSV
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\tasklist.exe (PID 304)
        Command line: tasklist /FI "WINDOWTITLE eq 342213780" /FO CSV
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 836)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe:find.exe:conhost.exe:explorer.exe:ctfmon.exe:dllhost.exe:lsass.exe:services.exe:smss.exe:tasklist.exe:winlogon.exe:wmiprvse.exe:msdts.exe:bfsvc.exe:AdapterTroubleshooter.exe:alg.exe:dwm.exe:issch.exe:rundll32.exe:spoolsv.exe:wininit.exe:wmiprvse.exe:wudfhost.exe:taskmgr.exe:rdpclip.exe:logonui.exe:lsm.exe:spoolsv.exe:dwm.exe:dfssvc.exe:csrss.exe:svchost.exe:3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe:/FO CSV') Do (Echo :"
    - [3] C:\Windows\SysWOW64\find.exe (PID 2008)
      Command line: Find /I ":%~p:"
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2004)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" Echo :"
    - [3] C:\Windows\SysWOW64\find.exe (PID 2012)
      Command line: Find /I ":%~p:"
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1060)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" Echo :"
    - [3] C:\Windows\SysWOW64\find.exe (PID 1252)
      Command line: Find /I ":):"
    - [3] C:\Windows\SysWOW64\taskkill.exe (PID 1528)
      Command line: TaskKill /F /IM ")"
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

PIDs are taken from the WriteProcessMemory pairs above, matched to the tree by spawn order. Points worth noting:

- The image paths are under C:\Windows\SysWOW64\ although the command lines name C:\Windows\system32\: the sample is a 32-bit process, so WOW64 file-system redirection resolves system32 to SysWOW64 for everything it launches.
- The cmd.exe / find.exe / taskkill.exe fragments are the pieces of a `for /f` loop in W.bat. Reading them together, each image name from `tasklist /FO CSV` is tested against the colon-delimited WhiteList with `Echo :<list>: | Find /I ":<name>:"`, and a name that is not found is passed to `TaskKill /F /IM`. The list contains cmd.exe, find.exe, tasklist.exe, conhost.exe and the sample's own file name, so the loop's helpers and the dropper survive while every other process is force-terminated; releasing file handles this way before encryption is a common ransomware step, and the presence of Active Directory Web Services, DFS and RDP clipboard processes on the list suggests the script was written with domain servers in mind.
- The first tasklist call carries the filter WINDOWTITLE eq 342213780; the report does not show what that filter is for.
- The captured fragments indicate the loop misfired in this run: the later `Echo :` commands carry no list, the Find pattern is the literal, unexpanded `:%~p:`, and the only taskkill observed names the token `)` rather than a process. No taskkill against a real image name was recorded in the sandbox, so the mass-kill should be treated as intended behaviour that did not execute here, not as absent.
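To see what the loop is meant to do on a host where it parses correctly, the following added example simulates it in Python without killing anything; it is not code from the report or from the sample. WHITELIST_RAW is the colon-separated string captured in the cmd.exe command line above; the loop logic (tasklist /FO CSV, per-name test against the list with Find /I, TaskKill /F /IM for everything else) is inferred from the captured fragments, and SAMPLE_TASKLIST_CSV is constructed for this example rather than captured from the sandbox.

```python
"""Simulate W.bat's tasklist / whitelist / taskkill loop without killing anything.

Added example, not code from the report or the sample. The whitelist is the
captured string; the loop logic is inferred from the captured fragments;
SAMPLE_TASKLIST_CSV is constructed (not captured).
"""
import csv
import io

WHITELIST_RAW = (
    "Microsoft.ActiveDirectory.WebServices.exe:cmd.exe:find.exe:conhost.exe:"
    "explorer.exe:ctfmon.exe:dllhost.exe:lsass.exe:services.exe:smss.exe:"
    "tasklist.exe:winlogon.exe:wmiprvse.exe:msdts.exe:bfsvc.exe:"
    "AdapterTroubleshooter.exe:alg.exe:dwm.exe:issch.exe:rundll32.exe:spoolsv.exe:"
    "wininit.exe:wmiprvse.exe:wudfhost.exe:taskmgr.exe:rdpclip.exe:logonui.exe:"
    "lsm.exe:spoolsv.exe:dwm.exe:dfssvc.exe:csrss.exe:svchost.exe:"
    "3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565.exe"
)

# Constructed `tasklist /FO CSV` output for a small host (not from the sandbox run).
SAMPLE_TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"csrss.exe","348","Services","0","4,212 K"
"winlogon.exe","412","Console","1","6,000 K"
"explorer.exe","1212","Console","1","40,112 K"
"WINWORD.EXE","1880","Console","1","120,004 K"
"MsMpEng.exe","2104","Services","0","90,220 K"
"sqlservr.exe","2240","Services","0","512,000 K"
"cmd.exe","1028","Console","1","3,100 K"
"tasklist.exe","304","Console","1","5,200 K"
"""


def whitelist_set(raw):
    """Colon-delimited list -> set of lower-cased names (duplicates collapse)."""
    return {name.lower() for name in raw.split(":") if name}


def is_whitelisted(image, whitelist):
    """Emulates `Echo :%WhiteList%: | Find /I ":%~p:"`.

    The colons on both sides of each entry make Find match whole names rather
    than substrings, and /I makes it case-insensitive, so a set lookup on the
    lower-cased name is an exact equivalent.
    """
    return image.lower() in whitelist


def kill_candidates(tasklist_csv, raw=WHITELIST_RAW):
    """Image names the loop would hand to `TaskKill /F /IM`, in tasklist order."""
    whitelist = whitelist_set(raw)
    # DictReader consumes the header row as field names; the real batch loop
    # tests that row too and issues a harmless taskkill for "Image Name".
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return [row["Image Name"] for row in rows
            if not is_whitelisted(row["Image Name"], whitelist)]


def kill_commands(tasklist_csv, raw=WHITELIST_RAW):
    """The taskkill command lines the loop would emit, in the captured form."""
    return [f'TaskKill /F /IM "{name}"' for name in kill_candidates(tasklist_csv, raw)]


if __name__ == "__main__":
    for command in kill_commands(SAMPLE_TASKLIST_CSV):
        print(command)
```

On the constructed input the loop leaves csrss.exe, winlogon.exe, explorer.exe, cmd.exe and tasklist.exe alone and emits taskkill commands for WINWORD.EXE, MsMpEng.exe, sqlservr.exe and the pseudo-process "System Idle Process": anything holding documents or databases open, and any security tooling not on the list, gets a forced termination attempt. For detection, the tell-tale shape is a cmd.exe that runs `tasklist /FO CSV` and then, from the same parent, an alternating series of find.exe and `taskkill /F /IM` children; that sequence is unusual for administrators and easy to express as a parent/child rule.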
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\W.bat
  MD5: cd86964cdae6daa2fd67c7a29376b4b7
  SHA1: eafed9c23b60ae5e9d8c0e73f7d69c1b4ea74819
  SHA256: 8957c1c743faff67fb124e8e491e6fe5e66ee2b018d23dbeb4483aca2a650327
  SHA512: 309bd081d6088e2bb4d6edc0ac9036adc988ef603ac9a4b18e2a889de5180466412ae234c2c46654933d288cf26ec25c9445520904eff2f8112c545dcb7018f9
  The dropped batch script that runs the tasklist/whitelist/taskkill loop shown in the process tree.

- Memory dumps of PID 1640 (the sample), ordered by dump index:
  - memory/1640-54-0x0000000075431000-0x0000000075433000-memory.dmp (8KB)
  - memory/1640-55-0x0000000000400000-0x000000000041B396-memory.dmp (108KB; YARA match: themida)
  - memory/1640-56-0x0000000000400000-0x000000000041B396-memory.dmp (108KB)
  - memory/1640-58-0x00000000022D0000-0x000000000236F000-memory.dmp (636KB)
  - memory/1640-59-0x00000000003B0000-0x00000000003B1000-memory.dmp (4KB)
  - memory/1640-60-0x00000000003A0000-0x00000000003A1000-memory.dmp (4KB)
  - memory/1640-61-0x00000000002B0000-0x00000000002DD000-memory.dmp (180KB)
  - memory/1640-62-0x0000000000360000-0x0000000000361000-memory.dmp (4KB)
  - memory/1640-63-0x0000000000360000-0x0000000000369000-memory.dmp (36KB)
  - memory/1640-64-0x0000000000370000-0x0000000000371000-memory.dmp (4KB)
  - memory/1640-65-0x0000000000380000-0x0000000000381000-memory.dmp (4KB)
  - memory/1640-66-0x0000000000390000-0x0000000000391000-memory.dmp (4KB)
  - memory/1640-67-0x0000000002370000-0x000000000249D000-memory.dmp (1.2MB)
  - memory/1640-68-0x0000000000510000-0x000000000052F000-memory.dmp (124KB)
  - memory/1640-69-0x00000000027E0000-0x00000000028E9000-memory.dmp (1.0MB)
  - memory/1640-70-0x0000000000470000-0x0000000000476000-memory.dmp (24KB)
  - memory/1640-71-0x000000007EFA0000-0x000000007EFA1000-memory.dmp (4KB)
  Dumps 55 and 56 cover the same 0x400000-0x41B396 range, the sample's mapped image, taken at two points in the run; the later one is the better starting point for static analysis of the unpacked code.