Malware Analysis Report

2024-10-16 03:14

Sample ID 220609-er1wsagdc2
Target quickbuck.exe
SHA256 1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a
Tags hive, ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a

Threat Level: Known bad

The file quickbuck.exe was found to be: Known bad. The verdict and the Hive tag are signature-family matches; the behaviour that carries the score is in the process list of the behavioral1 analysis: the sample re-launches itself with "run", copies itself to %TEMP%\WINWORD.EXE (the dropped file has the same SHA256 as the submitted sample) and executes that copy, runs "vssadmin delete shadows /for=norealvolume /all /quiet", and opens ransomware-simulator-note.txt on the Desktop in Notepad. The "--disable-macro-simulation" switch and the note filename identify the sample as a ransomware simulator exercising these behaviours, and the /for= target is not a real volume, so the vssadmin call triggers the shadow-copy signatures without removing snapshots of any existing volume. Most of the remaining signature hits (FindShellTrayWindow, SendNotifyMessage, SCSI and processor registry reads, SeDebugPrivilege) are attributed to taskmgr.exe, and the SeBackup/SeRestore/SeAudit adjustments to vssvc.exe, i.e. to Windows binaries doing their normal work; the VSS service is simply responding to the vssadmin request.

Malicious Activity Summary

hive ransomware

Hive

Deletes shadow copies

Executes dropped EXE

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-09 04:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-09 04:11

Reported

2022-06-09 04:16

Platform

win10v2004-20220414-en

Max time kernel

268s

Max time network

278s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe"

Signatures

Hive

ransomware hive

Deletes shadow copies

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\quickbuck.exe 8
C:\Windows\system32\taskmgr.exe 9
C:\Users\Admin\AppData\Local\Temp\quickbuck.exe 4
C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE 4
C:\Users\Admin\AppData\Local\Temp\quickbuck.exe 4
(29 events in the order recorded; Description, Indicator and Target are N/A for every event.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege, reported by its privilege number) N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Process Events
C:\Windows\system32\taskmgr.exe 35
(Description, Indicator and Target are N/A for every event.)

Suspicious use of SendNotifyMessage

Process Events
C:\Windows\system32\taskmgr.exe 35
(Description, Indicator and Target are N/A for every event.)

Processes

C:\Users\Admin\AppData\Local\Temp\quickbuck.exe

"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Local\Temp\quickbuck.exe

quickbuck.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\quickbuck.exe

quickbuck.exe run

C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE stage quickbuck.exe run --disable-macro-simulation

C:\Windows\system32\cmd.exe

cmd.exe /c "quickbuck.exe run --disable-macro-simulation"

C:\Users\Admin\AppData\Local\Temp\quickbuck.exe

quickbuck.exe run --disable-macro-simulation

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /for=norealvolume /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ransomware-simulator-note.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ransomware-simulator-note.txt
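Detection logic for the process tree above, as an added example that is not part of this report or of the quickbuck tool: three process-creation rules (shadow-copy deletion, an Office executable name running outside an Office install directory, Notepad displaying a ransom-note-like file) are run over events constructed from the command lines listed in this section. The event schema (image, cmdline), the rule names and the note-name heuristic are assumptions; the wmic shadowcopy delete check goes beyond what the report shows but is the same technique. The benign rundll32.exe COM activation and taskmgr.exe produce no hits.

```python
"""Process-creation detection rules for the quickbuck detonation.

Added example, not part of the sandbox report or of the quickbuck tool.
The events are constructed from the Processes section of the report; the
event schema (image, cmdline), rule names and thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ProcEvent:
    image: str     # full path of the executable
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class Hit:
    rule: str
    event: ProcEvent
    detail: str


# Constructed from the Processes section above (one entry per listed process).
REPORT_EVENTS = [
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe"'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
              r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\quickbuck.exe", "quickbuck.exe run"),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE",
              r"C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE stage quickbuck.exe run --disable-macro-simulation"),
    ProcEvent(r"C:\Windows\system32\cmd.exe", 'cmd.exe /c "quickbuck.exe run --disable-macro-simulation"'),
    ProcEvent(r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /for=norealvolume /all /quiet"),
    ProcEvent(r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ransomware-simulator-note.txt'),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
OFFICE_INSTALL_DIR = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
# Heuristic for ransom-note filenames (assumption, tuned to the note seen in this report).
NOTE_NAME = re.compile(r'(ransom|decrypt|recover|readme|restore)[^\\\s"]*\.(txt|html?|hta)\b', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_shadow_copy_deletion(ev: ProcEvent) -> Optional[str]:
    """vssadmin delete shadows; the wmic form is the same technique but not in the report."""
    tokens = ev.cmdline.lower().split()
    img = basename(ev.image)
    if img == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens:
        target = next((t[len("/for="):] for t in tokens if t.startswith("/for=")), "all volumes")
        return f"vssadmin shadow-copy deletion, target {target}"
    if img == "wmic.exe" and "shadowcopy" in tokens and "delete" in tokens:
        return "wmic shadowcopy delete"
    return None


def rule_office_image_outside_install_dir(ev: ProcEvent) -> Optional[str]:
    """An Office executable name running from a path that is not an Office install tree."""
    img = basename(ev.image)
    if img in OFFICE_IMAGES and not OFFICE_INSTALL_DIR.match(ev.image):
        return f"{img} launched from non-Office path {ev.image}"
    return None


def rule_ransom_note_display(ev: ProcEvent) -> Optional[str]:
    """Notepad opening a file whose name looks like a ransom note (heuristic)."""
    if basename(ev.image) != "notepad.exe":
        return None
    m = NOTE_NAME.search(ev.cmdline)
    return f"notepad opened {m.group(0)}" if m else None


RULES: tuple[Callable[[ProcEvent], Optional[str]], ...] = (
    rule_shadow_copy_deletion,
    rule_office_image_outside_install_dir,
    rule_ransom_note_display,
)


def run_rules(events) -> list[Hit]:
    """Apply every rule to every event; rundll32, cmd, taskmgr and vssvc yield no hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append(Hit(rule.__name__, ev, detail))
    return hits


if __name__ == "__main__":
    for h in run_rules(REPORT_EVENTS):
        print(f"[{h.rule}] {h.detail}")
```

Run against the constructed events, the three rules fire exactly once each, on the WINWORD.EXE copy in %TEMP%, the vssadmin call (reporting the "norealvolume" target) and the Notepad launch; the rules key on the image basename and tokenised command line rather than substrings so that a legitimate Office install path or an unrelated .txt opened in Notepad does not match.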

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.msn.com udp
US 204.79.197.203:443 api.msn.com tcp
IE 20.54.110.249:443 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp

The report does not attribute connections to processes. The named destinations (api.msn.com, storesdk.dsx.mp.microsoft.com, store-images.s-microsoft.com) are Microsoft Store and MSN background traffic from the Windows 10 image, resolved through Google DNS (8.8.8.8); nothing in this table indicates command-and-control or exfiltration by the sample.

Files

memory/5036-130-0x0000000000000000-mapping.dmp

memory/224-131-0x0000000000000000-mapping.dmp

memory/4532-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE

MD5 5764e41fede27bf9c984242c2b7bfd33
SHA1 e5b4178bdebf7a59e97c56235cff472b18440359
SHA256 1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a
SHA512 a3610ca12b1ebfd0a618fae7c0e8f655d879156a0b850c4dd8e0e8827d6719f67ad5facad7496aac3adcafbf79f0195adb5ab62d900202f07ed4ec380e516379

All four hashes are identical to those of the submitted quickbuck.exe: the dropped file is a byte-for-byte copy of the sample written under an Office executable name, not a separate payload.

memory/2104-135-0x0000000000000000-mapping.dmp

memory/3240-136-0x0000000000000000-mapping.dmp

memory/2256-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\ransomware-simulator-note.txt

MD5 79cc7032c1e40b959f09bdab991dadde
SHA1 6b3f5b9902856f7a72efad1a781ecc4debcaec95
SHA256 f292053578c0c2e0feefae5e6d64091c74d3e6de693801feed19fa2f8614321d
SHA512 a46cf65089a71c1e2b280795cf44be51565da8ae11382061f719712b0644339319bbecb59879eb3df5dcef4b892be6b9a6ab82a78cde628ca533256891891ce6