Analysis

  • max time kernel
    1693s
  • max time network
    1719s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    08-03-2022 10:35

General

  • Target
    RIP_YOUR_PC_LOL.exe
  • Size
    22.5MB
  • MD5
    52867174362410d63215d78e708103ea
  • SHA1
    7ae4e1048e4463a4201bdeaf224c5b6face681bf
  • SHA256
    37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
  • SHA512
    89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 35 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
    "C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Windows\SysWOW64\fondue.exe
      "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\system32\FonDUE.EXE
        "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Windows\system32\OptionalFeatures.EXE
          "C:\Windows\system32\OptionalFeatures.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          4⤵
          PID:4024
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wsappx -p
    1⤵
    PID:3736
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3948
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2160
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
    PID:628
  • C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
    "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /c:install /f:basic
    1⤵
    • Drops file in Windows directory
    PID:560
  • C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
    "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /c:install /f:basic
    1⤵
    • Drops file in Windows directory
    PID:2328
  • C:\Windows\WinSxS\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_b22e8a4512f5879a\WFServicesReg.exe
    "C:\Windows\WinSxS\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_b22e8a4512f5879a\WFServicesReg.exe" /c /b /v /m /i
    1⤵
    • Drops file in Windows directory
    PID:4028
  • C:\Windows\WinSxS\amd64_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_0e4d25c8cb52f8d0\WFServicesReg.exe
    "C:\Windows\WinSxS\amd64_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_0e4d25c8cb52f8d0\WFServicesReg.exe" /c /b /v /m /i
    1⤵
    • Drops file in Windows directory
    PID:64
  • C:\Windows\WinSxS\x86_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_b0df27a8cf08799e\LinqWebConfig.exe
    "C:\Windows\WinSxS\x86_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_b0df27a8cf08799e\LinqWebConfig.exe" C:\Windows\Microsoft.NET\Framework
    1⤵
    • Drops file in Windows directory
    PID:3620
  • C:\Windows\WinSxS\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_0cfdc32c8765ead4\LinqWebConfig.exe
    "C:\Windows\WinSxS\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_0cfdc32c8765ead4\LinqWebConfig.exe" C:\Windows\Microsoft.NET\Framework64
    1⤵
    • Drops file in Windows directory
    PID:1984
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -update
    1⤵
    • Drops file in Windows directory
    PID:2620
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" -update
    1⤵
    • Drops file in Windows directory
    PID:2960
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe Update /Queue /Delay
    1⤵
    • Drops file in Windows directory
    PID:3812
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe Update /Queue /Delay
    1⤵
    • Drops file in Windows directory
    PID:2828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1800
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wsappx -p
    1⤵
    PID:3504

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry: 1 (T1012)
    • Peripheral Device Discovery: 1 (T1120)
    • System Information Discovery: 1 (T1082)


          Downloads
