Overview

overview

10

Static

static

main.exe

windows7_x64

10

main.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    30s
  • max time network
    66s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-04-2022 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.exe

  • Size

    33.9MB

  • MD5

    4d3712c7e5c35bf7ec8a74b171389a4f

  • SHA1

    8f1e5ecdafb2ca68ee48b065ecd38f6790dfef3d

  • SHA256

    ba591d8b11be9b59dfa8fb5fdc6ba9c9e5f96db4d2be323d7a3cdf9c04f935bb

  • SHA512

    31939f394536d8912eed9267b1b09fc65f461c25d5343b6eabeb7638749be36945dd2e907bcd6766a17a83ee285ea1e8afa86fac4fc3a6379837e12c7acf0fbd

Score
9/10
bootkitevasionpersistenceransomwareupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 7 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6508.tmp\6509.tmp\650A.bat C:\Users\Admin\AppData\Local\Temp\main.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Users\Admin\AppData\Roaming\main.exe
        main.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\attrib.exe
          attrib C:\Windows\GTCY +S +H
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:4676
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 main.jpg main
          4⤵
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2468
          • C:\Windows\SysWOW64\notepad.exe
            notepad.exe a.txt
            5⤵
              PID:4416
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 TerminatorFrame.dll,ClearSectorAndESP
              5⤵
                PID:8
                • C:\Windows\system32\rundll32.exe
                  rundll32 TerminatorFrame.dll,ClearSectorAndESP
                  6⤵
                    PID:3948
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
          1⤵
            PID:3000
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x4 /state0:0xa3a26055 /state1:0x41c64e6d
            1⤵
              PID:1804

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Hidden Files and Directories

            2
            T1158

            Bootkit

            1
            T1067

            Privilege Escalation

            Defense Evasion

            Hidden Files and Directories

            2
            T1158

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Defacement

            1
            T1491

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\6508.tmp\6509.tmp\650A.bat
              Filesize

              42B

              MD5

              36ee24058af6f016194737abc855c0ff

              SHA1

              70ba47ce52330fe2ccae4a64d8f925486c80d3d2

              SHA256

              e7c36d8464f76e1996089f7ff0768c6918ddca562020d179cf69bf546bdb86d0

              SHA512

              023fa8339b5cc8bb70dff98bf50e7c88abfe13a2854d9d1580cf2b583087bb866b7151e05bc55484c5faed16956022263c5aa94063981199c6c4354c03567570

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\E_N60005\iext.fnr
              Filesize

              204KB

              MD5

              856495a1605bfc7f62086d482b502c6f

              SHA1

              86ecc67a784bc69157d664850d489aab64f5f912

              SHA256

              8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf

              SHA512

              35a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\E_N60005\iext.fnr
              Filesize

              204KB

              MD5

              856495a1605bfc7f62086d482b502c6f

              SHA1

              86ecc67a784bc69157d664850d489aab64f5f912

              SHA256

              8c8254cb49f7287b97c7f952c81edabc9f11f3fa3f02f265e67d5741998cf0bf

              SHA512

              35a6e580cd362c64f1e1f9c3439660bd980ec437bd8cabbdc49479ceb833cd8cb6c82d2fb747516d5cfcf2af0ba540bc01640171fbe3b4d0e0a3eeeaa69dd1d9

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\E_N60005\krnln.fnr
              Filesize

              1.2MB

              MD5

              1eece63319e7c5f6718562129b1572f1

              SHA1

              089ea3a605639eb1292f6a2a9720f0b2801b0b6e

              SHA256

              4bed8a6e4e1548fddee40927b438132b47ef2aca6e9beb06b89fcf7714726310

              SHA512

              13537d1dd80fa87b6b908361957e8c434ca547a575c8c8aab43423063e60cb5523fb1843a467ae73db4a64d278c06b831551e78ae6d895201f7ef0c5b162c1ab

              Download Submit
            • C:\Users\Admin\AppData\Roaming\main.exe
              Filesize

              35.5MB

              MD5

              62c8475d111bc96d1c0cccce7b52fbdd

              SHA1

              826cf3be24354ea803778389bbe225f9794fc296

              SHA256

              42d9cbb0e0ee3c866e5557dfdb85e1157b658f3b481e2606ec43b1562a82019f

              SHA512

              7c98f7d9f750fd251776752ba47e3d5cd3ce957207dee7bf012bc0456d3142c2aeddf55cc0060fbf2f5cb981594aef39d3e939add5013f1eb5aaf44c3a35a3b1

              Download Submit
            • C:\Users\Admin\AppData\Roaming\main.exe
              Filesize

              35.5MB

              MD5

              62c8475d111bc96d1c0cccce7b52fbdd

              SHA1

              826cf3be24354ea803778389bbe225f9794fc296

              SHA256

              42d9cbb0e0ee3c866e5557dfdb85e1157b658f3b481e2606ec43b1562a82019f

              SHA512

              7c98f7d9f750fd251776752ba47e3d5cd3ce957207dee7bf012bc0456d3142c2aeddf55cc0060fbf2f5cb981594aef39d3e939add5013f1eb5aaf44c3a35a3b1

              Download Submit
            • C:\Users\Admin\AppData\Roaming\main.jpg
              Filesize

              34.6MB

              MD5

              04fd6752910cf0bdd66ebdc0f3fb996c

              SHA1

              834bb096c2d586cb11f5990e21da46eb9ad224e6

              SHA256

              22dd56f4c54635dd0f1626431e8bdc07b21ef025aadbc96292ddac69497ad425

              SHA512

              68ac226b0ce6e45ec4cd24538bb86779c25cb8e683082a33abf174e5360537f50289a20d626781b725a9760b5f202036c29624253bc250254a3fd650b4fd74ac

              Download Submit
            • C:\Users\Admin\AppData\Roaming\main.jpg
              Filesize

              34.6MB

              MD5

              04fd6752910cf0bdd66ebdc0f3fb996c

              SHA1

              834bb096c2d586cb11f5990e21da46eb9ad224e6

              SHA256

              22dd56f4c54635dd0f1626431e8bdc07b21ef025aadbc96292ddac69497ad425

              SHA512

              68ac226b0ce6e45ec4cd24538bb86779c25cb8e683082a33abf174e5360537f50289a20d626781b725a9760b5f202036c29624253bc250254a3fd650b4fd74ac

              Download Submit
            • C:\Windows\SysWOW64\ExtraDll.dll
              Filesize

              97KB

              MD5

              c35425ad1f0c32225d307310deccc335

              SHA1

              b2e347b244e40ffa113dffaffd1895777e3ac30a

              SHA256

              48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7

              SHA512

              47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae

              Download Submit
            • C:\Windows\SysWOW64\TerminatorFrame.dll
              Filesize

              124KB

              MD5

              2ea1b5c1c3588590459e47f080863d0e

              SHA1

              115ed159f95b569a9ae66dc1ff479fedb35af945

              SHA256

              fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602

              SHA512

              40f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925

              Download Submit
            • C:\Windows\SysWOW64\TerminatorFrame.dll
              Filesize

              124KB

              MD5

              2ea1b5c1c3588590459e47f080863d0e

              SHA1

              115ed159f95b569a9ae66dc1ff479fedb35af945

              SHA256

              fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602

              SHA512

              40f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925

              Download Submit
            • C:\Windows\SysWOW64\TerminatorFrame.dll
              Filesize

              124KB

              MD5

              2ea1b5c1c3588590459e47f080863d0e

              SHA1

              115ed159f95b569a9ae66dc1ff479fedb35af945

              SHA256

              fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602

              SHA512

              40f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925

              Download Submit
            • C:\Windows\SysWOW64\TerminatorFrame.dll
              Filesize

              124KB

              MD5

              2ea1b5c1c3588590459e47f080863d0e

              SHA1

              115ed159f95b569a9ae66dc1ff479fedb35af945

              SHA256

              fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602

              SHA512

              40f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925

              Download Submit
            • C:\Windows\SysWOW64\TerminatorFrame.dll
              Filesize

              124KB

              MD5

              2ea1b5c1c3588590459e47f080863d0e

              SHA1

              115ed159f95b569a9ae66dc1ff479fedb35af945

              SHA256

              fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602

              SHA512

              40f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925

              Download Submit
            • C:\Windows\SysWOW64\TerminatorFrame.dll
              Filesize

              124KB

              MD5

              2ea1b5c1c3588590459e47f080863d0e

              SHA1

              115ed159f95b569a9ae66dc1ff479fedb35af945

              SHA256

              fc98308900c4b94273b0f61cba62985532605ccd639b1c5767d04dafad1c5602

              SHA512

              40f2bbf514a2e9b2c79bef2c74de546dd1c8e33a74c66c3ee71431df4e22bfba20f0781f06bb0748ea486955dddee07624c6e49b94a0d24e017a37ff80d7f925

              Download Submit
            • C:\Windows\SysWOW64\WinIo32.dll
              Filesize

              44KB

              MD5

              3d6d4fc73df2bc1cb980737db7251cdd

              SHA1

              0991e15fde440736fa430e4dffd831ee47a0bd88

              SHA256

              bac149f1a558920abe36f93a6e2fe7337f04b0222b86d49296b29a899a795099

              SHA512

              bcb73020fcb1304dfa17ea247be6a43c95f10121c685ae5e4ff4644b456d67618fa38e78b6ffe3c8c9265ca5dba025e8f4ae324e2510f8a14ec1258d41bfb7c3

              Download Submit
            • C:\Windows\SysWOW64\WinIo32.dll
              Filesize

              44KB

              MD5

              3d6d4fc73df2bc1cb980737db7251cdd

              SHA1

              0991e15fde440736fa430e4dffd831ee47a0bd88

              SHA256

              bac149f1a558920abe36f93a6e2fe7337f04b0222b86d49296b29a899a795099

              SHA512

              bcb73020fcb1304dfa17ea247be6a43c95f10121c685ae5e4ff4644b456d67618fa38e78b6ffe3c8c9265ca5dba025e8f4ae324e2510f8a14ec1258d41bfb7c3

              Download Submit
            • C:\Windows\SysWOW64\a.txt
              Filesize

              225B

              MD5

              eef729da9ce86bb8729de561fa9fa7c9

              SHA1

              ae172eecb15c595e9a5d79262d79d274afdba06d

              SHA256

              76ee455843a398114437e92714529665a6bf5acc575811232e419cf8076fb9c9

              SHA512

              d46b109021a196987e374253988fd3f1d56586a25fde0898b667a756bf7637c057366fbeebc91533740e3783bed6bc1dcd306192240fe6fd35b853568879f766

              Download Submit
            • memory/8-147-0x0000000000000000-mapping.dmp
              Download
            • memory/2344-130-0x0000000000000000-mapping.dmp
              Download
            • memory/2468-141-0x0000000000000000-mapping.dmp
              Download
            • memory/2468-157-0x0000000003000000-0x000000000301E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/2996-132-0x0000000000000000-mapping.dmp
              Download
            • memory/2996-138-0x0000000004710000-0x0000000004751000-memory.dmp
              Filesize

              260KB

              Download
            • memory/3948-153-0x0000000000000000-mapping.dmp
              Download
            • memory/4416-145-0x0000000000000000-mapping.dmp
              Download
            • memory/4676-140-0x0000000000000000-mapping.dmp
              Download