Analysis
-
max time kernel: 1795s
max time network: 1740s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 08-03-2022 16:58
Behavioral tasks
- behavioral1: sample RIP_YOUR_PC_LOL.exe, resource win7-en-20211208
- behavioral2: sample RIP_YOUR_PC_LOL.exe, resource win10-20220223-en
- behavioral3: sample RIP_YOUR_PC_LOL.exe, resource win10v2004-en-20220112
- behavioral4: sample RIP_YOUR_PC_LOL.exe, resource win11-20220223-en
General
-
Target: RIP_YOUR_PC_LOL.exe
Size: 22.5MB
MD5: 52867174362410d63215d78e708103ea
SHA1: 7ae4e1048e4463a4201bdeaf224c5b6face681bf
SHA256: 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
SHA512: 89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
Malware Config
Signatures
-
Drops file in Windows directory 35 IoCs
Processes: aspnet_regiis.exe, SMConfigInstaller.exe, WFServicesReg.exe, WFServicesReg.exe, LinqWebConfig.exe, Ngen.exe, LinqWebConfig.exe, aspnet_regiis.exe, Ngen.exe, SMConfigInstaller.exe
Description | IoC | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSFE63C.tmp | aspnet_regiis.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config | SMConfigInstaller.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSFCDC3.tmp | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web.config | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSFD833.tmp | LinqWebConfig.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web_hightrust.config | LinqWebConfig.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\config\WSFE64C.tmp | aspnet_regiis.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | Ngen.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config | SMConfigInstaller.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSFD748.tmp | LinqWebConfig.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSFE0FC.tmp | aspnet_regiis.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web_hightrust.config | LinqWebConfig.exe
File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | Ngen.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | Ngen.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSFCDC4.tmp | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config | WFServicesReg.exe
File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | Ngen.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config | SMConfigInstaller.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config | SMConfigInstaller.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSFD797.tmp | LinqWebConfig.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web_mediumtrust.config | LinqWebConfig.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSFCDB2.tmp | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSFCDC5.tmp | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web_mediumtrust.config | LinqWebConfig.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log | Ngen.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web.config | SMConfigInstaller.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSFB623.tmp | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\WSFB624.tmp | WFServicesReg.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config | SMConfigInstaller.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\WSFD7E4.tmp | LinqWebConfig.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | Ngen.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, all five accesses are made by vssvc.exe (the Volume Shadow Copy service) while it creates and caches snapshot data, not by the sample or any of its child processes, so this hit should not be read as evasion by the sample.
Processes: vssvc.exe
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not preserved in this copy of the report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes: vssvc.exe, srtasks.exe, vssvc.exe
Description | PID | Process
Token: SeBackupPrivilege | 312 | vssvc.exe
Token: SeRestorePrivilege | 312 | vssvc.exe
Token: SeAuditPrivilege | 312 | vssvc.exe
Token: SeBackupPrivilege | 220 | srtasks.exe
Token: SeRestorePrivilege | 220 | srtasks.exe
Token: SeSecurityPrivilege | 220 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 220 | srtasks.exe
Token: SeBackupPrivilege | 220 | srtasks.exe
Token: SeRestorePrivilege | 220 | srtasks.exe
Token: SeSecurityPrivilege | 220 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 220 | srtasks.exe
Token: SeBackupPrivilege | 312 | vssvc.exe
Token: SeRestorePrivilege | 312 | vssvc.exe
Token: SeAuditPrivilege | 312 | vssvc.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes: RIP_YOUR_PC_LOL.exe, fondue.exe, FonDUE.EXE
Description | PID | Process | Target process
PID 1404 wrote to memory of 3376 | 1404 | RIP_YOUR_PC_LOL.exe | fondue.exe
PID 1404 wrote to memory of 3376 | 1404 | RIP_YOUR_PC_LOL.exe | fondue.exe
PID 1404 wrote to memory of 3376 | 1404 | RIP_YOUR_PC_LOL.exe | fondue.exe
PID 3376 wrote to memory of 3960 | 3376 | fondue.exe | FonDUE.EXE
PID 3376 wrote to memory of 3960 | 3376 | fondue.exe | FonDUE.EXE
PID 3960 wrote to memory of 3880 | 3960 | FonDUE.EXE | OptionalFeatures.EXE
PID 3960 wrote to memory of 3880 | 3960 | FonDUE.EXE | OptionalFeatures.EXE
Processes
(each entry: [depth] image path, then the command line, then the signatures raised by that process; children are indented under their parent)
-
[1] C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\fondue.exe
        cmd: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\FonDUE.EXE
            cmd: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\OptionalFeatures.EXE
                cmd: "C:\Windows\system32\OptionalFeatures.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
-
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k wusvcs -p
-
[1] C:\Windows\system32\srtasks.exe
    cmd: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k wusvcs -p
-
[1] C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
    cmd: "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /c:install /f:basic
    - Drops file in Windows directory
-
[1] C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe
    cmd: "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /c:install /f:basic
    - Drops file in Windows directory
-
[1] C:\Windows\WinSxS\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_b22e8a4512f5879a\WFServicesReg.exe
    cmd: "C:\Windows\WinSxS\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_b22e8a4512f5879a\WFServicesReg.exe" /c /b /v /m /i
    - Drops file in Windows directory
-
[1] C:\Windows\WinSxS\amd64_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_0e4d25c8cb52f8d0\WFServicesReg.exe
    cmd: "C:\Windows\WinSxS\amd64_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_10.0.19041.1_none_0e4d25c8cb52f8d0\WFServicesReg.exe" /c /b /v /m /i
    - Drops file in Windows directory
-
[1] C:\Windows\WinSxS\x86_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_b0df27a8cf08799e\LinqWebConfig.exe
    cmd: "C:\Windows\WinSxS\x86_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_b0df27a8cf08799e\LinqWebConfig.exe" C:\Windows\Microsoft.NET\Framework
    - Drops file in Windows directory
-
[1] C:\Windows\WinSxS\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_0cfdc32c8765ead4\LinqWebConfig.exe
    cmd: "C:\Windows\WinSxS\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_10.0.19041.1_none_0cfdc32c8765ead4\LinqWebConfig.exe" C:\Windows\Microsoft.NET\Framework64
    - Drops file in Windows directory
-
[1] C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
    cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -update
    - Drops file in Windows directory
-
[1] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe
    cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" -update
    - Drops file in Windows directory
-
[1] C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe
    cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe Update /Queue /Delay
    - Drops file in Windows directory
-
[1] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe
    cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe Update /Queue /Delay
    - Drops file in Windows directory
-
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k wsappx -p
-
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k wusvcs -p

Reading the tree: only the first entry descends from the submitted sample. The sample (32-bit: fondue.exe resolves to SysWOW64 and relaunches its 64-bit copy through sysnative) spawns fondue.exe, the Windows Features on Demand User Experience tool, with /enable-feature:NetFx3 and /caller-name:mscoreei.dll, the .NET runtime shim; that is the request Windows issues when a .NET 2.0/3.5 binary is started on a machine without the .NET Framework 3.5 optional feature. Every remaining depth-1 process (vssvc.exe and srtasks.exe ExecuteScopeRestorePoint creating a restore point, then SMConfigInstaller.exe, WFServicesReg.exe, LinqWebConfig.exe, aspnet_regiis.exe and Ngen.exe configuring the framework) belongs to that feature installation, and those processes, not the sample, account for every "Drops file in Windows directory", "Checks SCSI registry key(s)" and "Suspicious use of AdjustPrivilegeToken" hit above. The report therefore records the OS enabling NetFx3 rather than the sample's own payload behaviour, which this run does not show.
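To separate what the submitted sample did from what the OS did around it, the following is an added Python example, not part of the sandbox report: it rebuilds the sample's process lineage from the WriteProcessMemory edges listed under Signatures and counts, per signature, how many hits fall inside that lineage. The pids, image names and hit counts are transcribed from this report. Hits the report lists without a pid (the SCSI and file-drop IoCs) are matched by image name, which is an attribution assumption of this example rather than something the report states.

```python
from collections import defaultdict

SAMPLE_PID = 1404  # pid of RIP_YOUR_PC_LOL.exe in the report's WriteProcessMemory IoCs

# One tuple per "PID X wrote to memory of Y" line in the report:
# (source pid, source image, target pid, target image).
WPM_EDGES = [
    (1404, "RIP_YOUR_PC_LOL.exe", 3376, "fondue.exe"),
    (1404, "RIP_YOUR_PC_LOL.exe", 3376, "fondue.exe"),
    (1404, "RIP_YOUR_PC_LOL.exe", 3376, "fondue.exe"),
    (3376, "fondue.exe", 3960, "FonDUE.EXE"),
    (3376, "fondue.exe", 3960, "FonDUE.EXE"),
    (3960, "FonDUE.EXE", 3880, "OptionalFeatures.EXE"),
    (3960, "FonDUE.EXE", 3880, "OptionalFeatures.EXE"),
]

# Signature name -> hits as (pid, image); pid is None where the report gives none.
# Counts are transcribed from the Signatures section of this report.
SIGNATURE_HITS = {
    "Suspicious use of WriteProcessMemory": [(src, img) for src, img, _, _ in WPM_EDGES],
    "Suspicious use of AdjustPrivilegeToken": (
        [(312, "vssvc.exe")] * 3 + [(220, "srtasks.exe")] * 8 + [(312, "vssvc.exe")] * 3
    ),
    "Checks SCSI registry key(s)": [(None, "vssvc.exe")] * 5,
    "Drops file in Windows directory": (
        [(None, "aspnet_regiis.exe")] * 3
        + [(None, "SMConfigInstaller.exe")] * 6
        + [(None, "WFServicesReg.exe")] * 12
        + [(None, "LinqWebConfig.exe")] * 8
        + [(None, "Ngen.exe")] * 6
    ),
}


def lineage_pids(edges, root):
    """Return root plus every pid reachable from it through the edges."""
    children = defaultdict(set)
    for src, _, dst, _ in edges:
        children[src].add(dst)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def lineage_images(edges, root):
    """Lower-cased image names of every process in the root's lineage."""
    pids = lineage_pids(edges, root)
    names = set()
    for src, src_img, dst, dst_img in edges:
        if src in pids:
            names.add(src_img.lower())
        if dst in pids:
            names.add(dst_img.lower())
    return names


def attribute(hits, edges, root):
    """Split each signature's hits into (inside lineage, outside lineage) counts."""
    pids = lineage_pids(edges, root)
    images = lineage_images(edges, root)
    summary = {}
    for sig, entries in hits.items():
        inside = 0
        for pid, image in entries:
            # Prefer the pid; fall back to the image name when the report omits pids
            # (assumption: an image name in the lineage means the hit belongs to it).
            in_tree = pid in pids if pid is not None else image.lower() in images
            inside += in_tree
        summary[sig] = (inside, len(entries) - inside)
    return summary


if __name__ == "__main__":
    for sig, (inside, outside) in attribute(SIGNATURE_HITS, WPM_EDGES, SAMPLE_PID).items():
        print(f"{sig}: {inside} in sample lineage, {outside} in other processes")
```

Run against this report the only signature with hits inside the sample's lineage is WriteProcessMemory (the sample starting fondue.exe, and fondue.exe starting its 64-bit copy and OptionalFeatures.EXE); the 54 remaining hits all belong to processes outside that lineage. The same transcription step works for any Triage-style report: copy the "wrote to memory" edges and the per-signature process lists, and the lineage check tells you which hits to triage first.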
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config
MD5: 3cb28fe9da6b565d55e7b7c39cf64bd9
SHA1: 604312a0a604da7d2a900590f1ee5f80e9e5e070
SHA256: d47fed6394d5efb9c0cbde62b487c4428e64b7383e9cb5b88a3af39da9d9a6fc
SHA512: 77d9ed8c51c72eeede0fe803f9dee4f4c1f81cd23e8de3a0bef702c918dc04c4001d91f15bc43fd14b04d7d90a5d5db6dd4aa56c8146d91f7d158241ebe0385c
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config
MD5: 00e20c13bbdf23e16a4997de3f5f58f9
SHA1: a05f4059bab4a1d7623f158140d423dec6338ba0
SHA256: a92dab324e620ad8443387b21a68a233273e465300fd25f49f8ab3bd19f14ba0
SHA512: daceefb2fdef2fba550129f3bfe2aa93e8ad22b6098715e8ab5fa704537f2307c21fde966a051d5f2b861b574fc9f8d5f0ae43145f03a6e78633be8dfb213e0a
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\web.config
MD5: 63541f657dcfdcaa555200e351221f70
SHA1: 5647a2d6f83ce6942a133662e3a9ca65ca15dc2d
SHA256: cc0c28125dc7b0392ddbf6b47456227a849c4250595cc113bc547b2c31d7e345
SHA512: d51a54a190c6cbfd0fd0c3ea7d934897101775fc684c7e65369f773b903eda3ef3671c92e9a040797a42f1fef6ffa54478748d1f18d4c27281525dcd290e47e0
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
MD5: 3cb28fe9da6b565d55e7b7c39cf64bd9
SHA1: 604312a0a604da7d2a900590f1ee5f80e9e5e070
SHA256: d47fed6394d5efb9c0cbde62b487c4428e64b7383e9cb5b88a3af39da9d9a6fc
SHA512: 77d9ed8c51c72eeede0fe803f9dee4f4c1f81cd23e8de3a0bef702c918dc04c4001d91f15bc43fd14b04d7d90a5d5db6dd4aa56c8146d91f7d158241ebe0385c
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
MD5: 3cb28fe9da6b565d55e7b7c39cf64bd9
SHA1: 604312a0a604da7d2a900590f1ee5f80e9e5e070
SHA256: d47fed6394d5efb9c0cbde62b487c4428e64b7383e9cb5b88a3af39da9d9a6fc
SHA512: 77d9ed8c51c72eeede0fe803f9dee4f4c1f81cd23e8de3a0bef702c918dc04c4001d91f15bc43fd14b04d7d90a5d5db6dd4aa56c8146d91f7d158241ebe0385c
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
MD5: 00e20c13bbdf23e16a4997de3f5f58f9
SHA1: a05f4059bab4a1d7623f158140d423dec6338ba0
SHA256: a92dab324e620ad8443387b21a68a233273e465300fd25f49f8ab3bd19f14ba0
SHA512: daceefb2fdef2fba550129f3bfe2aa93e8ad22b6098715e8ab5fa704537f2307c21fde966a051d5f2b861b574fc9f8d5f0ae43145f03a6e78633be8dfb213e0a
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
MD5: 00e20c13bbdf23e16a4997de3f5f58f9
SHA1: a05f4059bab4a1d7623f158140d423dec6338ba0
SHA256: a92dab324e620ad8443387b21a68a233273e465300fd25f49f8ab3bd19f14ba0
SHA512: daceefb2fdef2fba550129f3bfe2aa93e8ad22b6098715e8ab5fa704537f2307c21fde966a051d5f2b861b574fc9f8d5f0ae43145f03a6e78633be8dfb213e0a
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config
MD5: 63541f657dcfdcaa555200e351221f70
SHA1: 5647a2d6f83ce6942a133662e3a9ca65ca15dc2d
SHA256: cc0c28125dc7b0392ddbf6b47456227a849c4250595cc113bc547b2c31d7e345
SHA512: d51a54a190c6cbfd0fd0c3ea7d934897101775fc684c7e65369f773b903eda3ef3671c92e9a040797a42f1fef6ffa54478748d1f18d4c27281525dcd290e47e0
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config
MD5: 63541f657dcfdcaa555200e351221f70
SHA1: 5647a2d6f83ce6942a133662e3a9ca65ca15dc2d
SHA256: cc0c28125dc7b0392ddbf6b47456227a849c4250595cc113bc547b2c31d7e345
SHA512: d51a54a190c6cbfd0fd0c3ea7d934897101775fc684c7e65369f773b903eda3ef3671c92e9a040797a42f1fef6ffa54478748d1f18d4c27281525dcd290e47e0
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config
MD5: 46752942767bf6256ce1be54b088fe21
SHA1: 51213eff6f0bea37b78c8f772699fecec19a448b
SHA256: bcdbc30aa18ef7d36a3f0d1969e8af96048e69b63eadd493e879fe3107d8d05d
SHA512: d4a8c335b8fc4e3af8da1c6dbe8ba5881cdd3e821014adc2ffa8313fd7f563d6f59e1df84ee796e9035dac9d5bd544a0253fd36839ba1cbf9ddaec58831fae60