Analysis
-
max time kernel
236s -
max time network
215s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
13-02-2022 03:44
Static task
static1
Behavioral task
behavioral1
Sample
xxx.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
xxx.exe
Resource
win10v2004-en-20220112
General
-
Target
xxx.exe
-
Size
38KB
-
MD5
2e936942613b9ef1a90b5216ef830fbf
-
SHA1
32c2ecf9703aec725034ab4a8a4c7b2944c1f0b7
-
SHA256
e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4
-
SHA512
e0c456502fb397b212fd480cda44cb404bfde11e1392842d4b81059881e3db8f93d8b72bbdb7d35a95680f89ee91022b7662a1902dc6e21be86db0f3c4389e27
Malware Config
Extracted
C:\NOKOYAWA_readme.txt
Brookslambert@protonmail.com
Sheppardarmstrong@tutanota.com
Signatures
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
xxx.exedescription ioc process File renamed C:\Users\Admin\Pictures\InstallReset.raw => C:\Users\Admin\Pictures\InstallReset.raw.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\ResolveConfirm.raw => C:\Users\Admin\Pictures\ResolveConfirm.raw.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\RestartInitialize.tif => C:\Users\Admin\Pictures\RestartInitialize.tif.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\AssertRemove.tif => C:\Users\Admin\Pictures\AssertRemove.tif.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\ConvertLock.png => C:\Users\Admin\Pictures\ConvertLock.png.NOKOYAWA xxx.exe File opened for modification C:\Users\Admin\Pictures\EditRepair.tiff xxx.exe File renamed C:\Users\Admin\Pictures\RestartUpdate.png => C:\Users\Admin\Pictures\RestartUpdate.png.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\EditRepair.tiff => C:\Users\Admin\Pictures\EditRepair.tiff.NOKOYAWA xxx.exe File renamed C:\Users\Admin\Pictures\UpdateWrite.raw => C:\Users\Admin\Pictures\UpdateWrite.raw.NOKOYAWA xxx.exe -
Drops desktop.ini file(s) 16 IoCs
Processes:
xxx.exedescription ioc process File opened for modification C:\Users\Admin\Contacts\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Documents\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Links\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Music\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini xxx.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Videos\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini xxx.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini xxx.exe File opened for modification C:\Users\Admin\Searches\desktop.ini xxx.exe -
Drops file in Windows directory 2 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 49 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.090623" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.072014" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893740465059143" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4316" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe -
Opens file in notepad (likely ransom note) 3 IoCs
Processes:
NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXEpid process 2896 NOTEPAD.EXE 1540 NOTEPAD.EXE 3352 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
TiWorker.exedescription pid process Token: SeSecurityPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeSecurityPrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeSecurityPrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeSecurityPrivilege 1088 TiWorker.exe Token: SeBackupPrivilege 1088 TiWorker.exe Token: SeRestorePrivilege 1088 TiWorker.exe Token: SeSecurityPrivilege 1088 TiWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\xxx.exe"C:\Users\Admin\AppData\Local\Temp\xxx.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 01⤵
- Checks processor information in registry
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\NOKOYAWA_readme.txtMD5
5aea0bfd70679b3285da2ce305e5d992
SHA1bd90c1be51b76fb43dcb46d9781cfbebdf655520
SHA25691b4c8028e4a86fb2fa57ef0e4f01e860ba23c1fe5ed88aa84915e281a57deb5
SHA512c5ef4fa016103775c9581010e845cca0291ce8e33bbc16fa7c4b8059367cddcdc7a02aedc26959fba3437cef70b2167d0f815fc8f3698ba0b85da447c6e0fb96
-
C:\Users\All Users\USOShared\Logs\User\NotifyIcon.e370fe84-f6af-4ca1-b69e-5d904d8e27be.1.etlMD5
2b936f8b77190c4859eae9af8eaf7d5b
SHA18f37ae902b62fb39b6eaa4d35b9cb78cb94b2ebd
SHA2562900cc8880ff83848855b63afa5c634626e627b22184bc5d8798bc092492a79e
SHA512b5a64ec43630862162c5211bf6932d9ccd34860d5e850ac081f887d9f9cf45aaf8f644c7ce48eb7e0202d870355343643f8d3dc870872aab2442dfeb5170f5a7