Analysis

  • max time kernel: 236s
  • max time network: 215s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220112
  • submitted: 13-02-2022 03:44

General

  • Target

    xxx.exe

  • Size

    38KB

  • MD5

    2e936942613b9ef1a90b5216ef830fbf

  • SHA1

    32c2ecf9703aec725034ab4a8a4c7b2944c1f0b7

  • SHA256

    e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4

  • SHA512

    e0c456502fb397b212fd480cda44cb404bfde11e1392842d4b81059881e3db8f93d8b72bbdb7d35a95680f89ee91022b7662a1902dc6e21be86db0f3c4389e27

Score
10/10

Malware Config

Extracted

Path

C:\NOKOYAWA_readme.txt

Ransom Note
Dear usernamme, your files were encrypted, some are compromised. Be sure, you can't restore it without our help. You need a private key that only we have. Contact us to reach an agreement or we will leak your black shit to media: Brookslambert@protonmail.com Sheppardarmstrong@tutanota.com 亲爱的用户名,您的文件已加密,有些已被泄露。 请确保,如果没有我们的帮助,您将无法恢复它。 您需要一个只有我们拥有的私钥。 联系我们以达成协议,否则我们会将您的黑屎泄露给媒体: Brookslambert@protonmail.com Sheppardarmstrong@tutanota.com
Emails

Brookslambert@protonmail.com

Sheppardarmstrong@tutanota.com

Signatures

  • Modifies extensions of user files (9 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) (16 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (49 IoCs)
  • Opens file in notepad (likely ransom note) (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\xxx.exe
    "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    PID:332
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 0
    1⤵
    • Checks processor information in registry
    PID:4044
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3352
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2896
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3772
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NOKOYAWA_readme.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1540
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1088

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\Desktop\NOKOYAWA_readme.txt
    MD5

    5aea0bfd70679b3285da2ce305e5d992

    SHA1

    bd90c1be51b76fb43dcb46d9781cfbebdf655520

    SHA256

    91b4c8028e4a86fb2fa57ef0e4f01e860ba23c1fe5ed88aa84915e281a57deb5

    SHA512

    c5ef4fa016103775c9581010e845cca0291ce8e33bbc16fa7c4b8059367cddcdc7a02aedc26959fba3437cef70b2167d0f815fc8f3698ba0b85da447c6e0fb96

  • C:\Users\All Users\USOShared\Logs\User\NotifyIcon.e370fe84-f6af-4ca1-b69e-5d904d8e27be.1.etl
    MD5

    2b936f8b77190c4859eae9af8eaf7d5b

    SHA1

    8f37ae902b62fb39b6eaa4d35b9cb78cb94b2ebd

    SHA256

    2900cc8880ff83848855b63afa5c634626e627b22184bc5d8798bc092492a79e

    SHA512

    b5a64ec43630862162c5211bf6932d9ccd34860d5e850ac081f887d9f9cf45aaf8f644c7ce48eb7e0202d870355343643f8d3dc870872aab2442dfeb5170f5a7