Analysis
-
max time kernel
236s -
max time network
215s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
13/02/2022, 03:44
Static task
static1
Behavioral task
behavioral1
Sample
xxx.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
xxx.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
xxx.exe
-
Size
38KB
-
MD5
2e936942613b9ef1a90b5216ef830fbf
-
SHA1
32c2ecf9703aec725034ab4a8a4c7b2944c1f0b7
-
SHA256
e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4
-
SHA512
e0c456502fb397b212fd480cda44cb404bfde11e1392842d4b81059881e3db8f93d8b72bbdb7d35a95680f89ee91022b7662a1902dc6e21be86db0f3c4389e27
Score
10/10
Malware Config
Extracted
Path
C:\NOKOYAWA_readme.txt
Ransom Note
Dear usernamme, your files were encrypted, some are compromised.
Be sure, you can't restore it without our help.
You need a private key that only we have.
Contact us to reach an agreement or we will leak your black shit to media:
[email protected]
[email protected]
亲爱的用户名,您的文件已加密,有些已被泄露。
请确保,如果没有我们的帮助,您将无法恢复它。
您需要一个只有我们拥有的私钥。
联系我们以达成协议,否则我们会将您的黑屎泄露给媒体:
[email protected]
[email protected]
Signatures
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\InstallReset.raw => C:\Users\Admin\Pictures\InstallReset.raw.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\ResolveConfirm.raw => C:\Users\Admin\Pictures\ResolveConfirm.raw.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\RestartInitialize.tif => C:\Users\Admin\Pictures\RestartInitialize.tif.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\AssertRemove.tif => C:\Users\Admin\Pictures\AssertRemove.tif.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\ConvertLock.png => C:\Users\Admin\Pictures\ConvertLock.png.NOKOYAWA xxx.exe File opened for modification C:\Users\Admin\Pictures\EditRepair.tiff xxx.exe File renamed C:\Users\Admin\Pictures\RestartUpdate.png => C:\Users\Admin\Pictures\RestartUpdate.png.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\EditRepair.tiff => C:\Users\Admin\Pictures\EditRepair.tiff.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\UpdateWrite.raw => C:\Users\Admin\Pictures\UpdateWrite.raw.NOKOYAWA xxx.exe -
Drops desktop.ini file(s) 16 IoCs
description ioc Process File opened for modification C:\Users\Admin\Contacts\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Documents\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Links\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Music\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini xxx.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Videos\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini xxx.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Searches\desktop.ini xxx.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 49 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.090623" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.072014" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893740465059143" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4316" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe -
Opens file in notepad (likely ransom note) 3 IoCs
pid Process 2896 NOTEPAD.EXE 1540 NOTEPAD.EXE 3352 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeSecurityPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeSecurityPrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeSecurityPrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeSecurityPrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeSecurityPrivilege 1088 TiWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\xxx.exe"C:\Users\Admin\AppData\Local\Temp\xxx.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:332
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 01⤵
- Checks processor information in registry
PID:4044
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt1⤵
- Opens file in notepad (likely ransom note)
PID:3352
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt1⤵
- Opens file in notepad (likely ransom note)
PID:2896
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3772
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt1⤵
- Opens file in notepad (likely ransom note)
PID:1540
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1088