Overview

Overall score: 10

Task         Sample          Platform             Score
Static       -               -                    8
Behavioral   trojan/1.exe    windows7_x64         10
Behavioral   trojan/1.exe    windows10-2004_x64   10
Behavioral   trojan/10.exe   windows7_x64         10
Behavioral   trojan/10.exe   windows10-2004_x64   8
Behavioral   trojan/2.exe    windows7_x64         3
Behavioral   trojan/2.exe    windows10-2004_x64   5
Behavioral   trojan/3.exe    windows7_x64         10
Behavioral   trojan/3.exe    windows10-2004_x64   10
Behavioral   trojan/4.exe    windows7_x64         8
Behavioral   trojan/4.exe    windows10-2004_x64   8
Behavioral   trojan/5.exe    windows7_x64         8
Behavioral   trojan/5.exe    windows10-2004_x64   8
Behavioral   trojan/6.exe    windows7_x64         10
Behavioral   trojan/6.exe    windows10-2004_x64   10
Behavioral   trojan/7.exe    windows7_x64         10
Behavioral   trojan/7.exe    windows10-2004_x64   10
Behavioral   trojan/8.exe    windows7_x64         (no score)
Behavioral   trojan/8.exe    windows10-2004_x64   10
Behavioral   trojan/9.exe    windows7_x64         8
Behavioral   trojan/9.exe    windows10-2004_x64   8

Analysis
Max time kernel:   205s
Max time network:  218s
Platform:          windows10-2004_x64
Resource:          win10v2004-20220414-en
Submitted:         07-07-2022 09:24
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1    trojan/1.exe    win7-20220414-en
behavioral2    trojan/1.exe    win10v2004-20220414-en
behavioral3    trojan/10.exe   win7-20220414-en
behavioral4    trojan/10.exe   win10v2004-20220414-en
behavioral5    trojan/2.exe    win7-20220414-en
behavioral6    trojan/2.exe    win10v2004-20220414-en
behavioral7    trojan/3.exe    win7-20220414-en
behavioral8    trojan/3.exe    win10v2004-20220414-en
behavioral9    trojan/4.exe    win7-20220414-en
behavioral10   trojan/4.exe    win10v2004-20220414-en
behavioral11   trojan/5.exe    win7-20220414-en
behavioral12   trojan/5.exe    win10v2004-20220414-en
behavioral13   trojan/6.exe    win7-20220414-en
behavioral14   trojan/6.exe    win10v2004-20220414-en
behavioral15   trojan/7.exe    win7-20220414-en
behavioral16   trojan/7.exe    win10v2004-20220414-en
behavioral17   trojan/8.exe    win7-20220414-en
behavioral18   trojan/8.exe    win10v2004-20220414-en
behavioral19   trojan/9.exe    win7-20220414-en
behavioral20   trojan/9.exe    win10v2004-20220414-en
General

Target:  trojan/8.exe
Size:    235KB
MD5:     6ad37fb0ae1f564119c32ad238f5013e
SHA1:    cd168d13400f213c11d2fb6f1517b998c21308be
SHA256:  058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e
SHA512:  977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2
Malware Config

Extracted from:   C:\Users\Admin\Desktop\README.txt
Extracted value:  17RaYJ7ULTZARS5nsroGUVRc7g2kF18azM
Signatures

- Executes dropped EXE (1 IoC)
  Processes (PID, process):
  2304  2375415649.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, IoC, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  2375415649.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  8.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, IoC, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Windows\\System32\\notepad.exe C:\\Users\\Admin\\Desktop\\README.txt"  2375415649.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (2 IoCs)
  Processes (PID, process):
  3676  taskkill.exe
  768   taskkill.exe

- Modifies data under HKEY_USERS (15 IoCs)
  Processes (description, IoC, process):
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "33"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  LogonUI.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe

- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (PID, process):
  5108  notepad.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, PID, process):
  Token: SeDebugPrivilege           3676  taskkill.exe
  Token: SeDebugPrivilege           768   taskkill.exe
  Token: SeShutdownPrivilege        2452  shutdown.exe
  Token: SeRemoteShutdownPrivilege  2452  shutdown.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (PID, process):
  2760  LogonUI.exe

- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, PID, process, target process); each of the eight writes below was recorded three times in the original listing:
  PID 992 wrote to memory of 2304    992   8.exe           2375415649.exe
  PID 992 wrote to memory of 2276    992   8.exe           cmd.exe
  PID 2276 wrote to memory of 3676   2276  cmd.exe         taskkill.exe
  PID 2304 wrote to memory of 5108   2304  2375415649.exe  notepad.exe
  PID 2304 wrote to memory of 1192   2304  2375415649.exe  cmd.exe
  PID 2304 wrote to memory of 1972   2304  2375415649.exe  cmd.exe
  PID 1192 wrote to memory of 768    1192  cmd.exe         taskkill.exe
  PID 1972 wrote to memory of 2452   1972  cmd.exe         shutdown.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\trojan\8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\trojan\8.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe
    Command line: "C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\README.txt
      - Opens file in notepad (likely ransom note)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 2375415649.exe /f & erase C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /im 2375415649.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c shutdown -s -f -t 5
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -s -f -t 5
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 8.exe /f & erase C:\Users\Admin\AppData\Local\Temp\trojan\8.exe & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im 8.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a12055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Roaming\237541564982705\2375415649.exe (same hashes as the analysed target, i.e. a copy of the sample)
  Filesize: 235KB
  MD5:      6ad37fb0ae1f564119c32ad238f5013e
  SHA1:     cd168d13400f213c11d2fb6f1517b998c21308be
  SHA256:   058e4cb879be1a2f49a95d2e92d53b22d22af2591c408f4b027e33bd198edf1e
  SHA512:   977e9cdab8e5629279d25073c5b84fb54cdc230ea1658cfdbe8d43793dcaa0eca8d7dfdcd858fae694c11f77c91cc600e86a1c6b4fd6834c6ade21c11f7b7be2
- C:\Users\Admin\Desktop\README.txt
  Filesize: 1KB
  MD5:      54b7daaabcee534a3d3b9fb25d2078ae
  SHA1:     b02e0a2445ad3b57e9e3c34e57bb09ad3047ecf9
  SHA256:   d8bdd73367a187d416b534b846ff4c2d41986e7f56fb5658749564abc35f8a53
  SHA512:   f99c1a56fee9a93763856716cc62ca2ccbbb669c84c78ad9c069cedef1db85c6bc1f89d803eb2d221e4a24c1dafcfeb70fc7afcf6c8be1c96cdfe5562f078d47