abac9b724c6d13aa90b5484b7c424c1505f9f7d58504954bb3ed9b718a448991

Analysis

max time kernel
205s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan/8.exe
Size

235KB
MD5

6ad37fb0ae1f564119c32ad238f5013e
SHA1

cd168d13400f213c11d2fb6f1517b998c21308be
SHA256

058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e
SHA512

977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note

--------------------------------------------------- ____ _ __ __ _ | _ \ (_) ___ ___ \ \ / / (_) _ __ _ _ ___ | |_) | | | / __| / _ \ \ \ / / | | | '__| | | | | / __| | __/ | | | (__ | (_) | \ V / | | | | | |_| | \__ \ |_| |_| \___| \___/ \_/ |_| |_| \__,_| |___/ --------------------------------------------------- Pico v1.1 Your files are encrypted. This means you cannot access your files if they are encrypted you can't watch, edit, use them. Try something funny and we will delete all your files. All your files are encrypted with. 256-bit encryption is refers to the length of the encryption key used to encrypt a data stream or file. A hacker or cracker will require 2256 different combinations to break a 256-bit encrypted message, which is virtually impossible to be broken by even the fastest computers. After 2 minutes of receiving the payment, the decryption tool will be send to you. To decrypt your files, follow next steps: 1. Send 100 (0.02 BTC) to the Bitcoin Wallet or other paying method if requested. Bitcoin wallet: 17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM 2. Send your MachineID to Discord picocode#8523 MactineID: 6bb404a8-25bc-4cef-a831-797f8d1e89c0 --------------------------------------------------- Do not waste your time, files can only be decrypted by our decode tool. If you paid the tool will get send by discord to you.

Wallets

17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM

Signatures

Executes dropped EXE 1 IoCs

Processes:

2375415649.exe

pid process

2304 2375415649.exe

pid	process
2304	2375415649.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2375415649.exe8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	2375415649.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2375415649.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Windows\\System32\\notepad.exe C:\\Users\\Admin\\Desktop\\README.txt"	2375415649.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3676 taskkill.exe
768 taskkill.exe

pid	process
3676	taskkill.exe
768	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "33"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

5108 notepad.exe

pid	process
5108	notepad.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeShutdownPrivilege	2452	shutdown.exe
Token: SeRemoteShutdownPrivilege	2452	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2760 LogonUI.exe

pid	process
2760	LogonUI.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

8.execmd.exe2375415649.execmd.execmd.exe

description	pid	process	target process
PID 992 wrote to memory of 2304	992	8.exe	2375415649.exe
PID 992 wrote to memory of 2304	992	8.exe	2375415649.exe
PID 992 wrote to memory of 2304	992	8.exe	2375415649.exe
PID 992 wrote to memory of 2276	992	8.exe	cmd.exe
PID 992 wrote to memory of 2276	992	8.exe	cmd.exe
PID 992 wrote to memory of 2276	992	8.exe	cmd.exe
PID 2276 wrote to memory of 3676	2276	cmd.exe	taskkill.exe
PID 2276 wrote to memory of 3676	2276	cmd.exe	taskkill.exe
PID 2276 wrote to memory of 3676	2276	cmd.exe	taskkill.exe
PID 2304 wrote to memory of 5108	2304	2375415649.exe	notepad.exe
PID 2304 wrote to memory of 5108	2304	2375415649.exe	notepad.exe
PID 2304 wrote to memory of 5108	2304	2375415649.exe	notepad.exe
PID 2304 wrote to memory of 1192	2304	2375415649.exe	cmd.exe
PID 2304 wrote to memory of 1192	2304	2375415649.exe	cmd.exe
PID 2304 wrote to memory of 1192	2304	2375415649.exe	cmd.exe
PID 2304 wrote to memory of 1972	2304	2375415649.exe	cmd.exe
PID 2304 wrote to memory of 1972	2304	2375415649.exe	cmd.exe
PID 2304 wrote to memory of 1972	2304	2375415649.exe	cmd.exe
PID 1192 wrote to memory of 768	1192	cmd.exe	taskkill.exe
PID 1192 wrote to memory of 768	1192	cmd.exe	taskkill.exe
PID 1192 wrote to memory of 768	1192	cmd.exe	taskkill.exe
PID 1972 wrote to memory of 2452	1972	cmd.exe	shutdown.exe
PID 1972 wrote to memory of 2452	1972	cmd.exe	shutdown.exe
PID 1972 wrote to memory of 2452	1972	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\trojan\8.exe
"C:\Users\Admin\AppData\Local\Temp\trojan\8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe
"C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\README.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 2375415649.exe /f & erase C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 2375415649.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -s -f -t 5
3⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\shutdown.exe
shutdown -s -f -t 5
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 8.exe /f & erase C:\Users\Admin\AppData\Local\Temp\trojan\8.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 8.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe
Filesize
235KB

MD5
6ad37fb0ae1f564119c32ad238f5013e

SHA1
cd168d13400f213c11d2fb6f1517b998c21308be

SHA256
058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e

SHA512
977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2

Download Submit
C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe
Filesize
235KB

MD5
6ad37fb0ae1f564119c32ad238f5013e

SHA1
cd168d13400f213c11d2fb6f1517b998c21308be

SHA256
058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e

SHA512
977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2

Download Submit
C:\Users\Admin\Desktop\README.txt
Filesize
1KB

MD5
54b7daaabcee534a3d3b9fb25d2078ae

SHA1
b02e0a2445ad3b57e9e3c34e57bb09ad3047ecf9

SHA256
d8bdd73367a187d416b534b846ff4c2d41986e7f56fb5658749564abc35f8a53

SHA512
f99c1a56fee9a93763856716cc62ca2ccbbb669c84c78ad9c069cedef1db85c6bc1f89d803eb2d221e4a24c1dafcfeb70fc7afcf6c8be1c96cdfe5562f078d47

Download Submit
memory/768-139-0x0000000000000000-mapping.dmp

Download
memory/1192-137-0x0000000000000000-mapping.dmp

Download
memory/1972-138-0x0000000000000000-mapping.dmp

Download
memory/2276-133-0x0000000000000000-mapping.dmp

Download
memory/2304-130-0x0000000000000000-mapping.dmp

Download
memory/2452-140-0x0000000000000000-mapping.dmp

Download
memory/3676-134-0x0000000000000000-mapping.dmp

Download
memory/5108-135-0x0000000000000000-mapping.dmp

Download