a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
299s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/MS-RickRoll.exe
Size

19.6MB
MD5

f2ac7d7d538e97ffb162fe63ca395a05
SHA1

a283014d55873fba0f00fc4b030581254610639a
SHA256

ccbb3d3838216d5a5881fc256c10d5d560885cc18a14a76461c9fe872af3bf0f
SHA512

50784fb9705733e45541eeb9df83e73d8f530bffd87ad99ae37c23c8a9c216d583a193f58046ea49e5c727d5aa9154d583911706feda56531ea45f3438194e96
SSDEEP

393216:+rl0rPQCLXuOSk2+t7DPQCLXuOSk2+t7Vl01:w6dLrNJtvdLrNJtJ

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

mbr.exe._cache_mbr.exeSynaptics.exe

pid process

2440 mbr.exe
4876 ._cache_mbr.exe
1112 Synaptics.exe

pid	process
2440	mbr.exe
4876	._cache_mbr.exe
1112	Synaptics.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MS-RickRoll.exembr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MS-RickRoll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mbr.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mbr.exe._cache_mbr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	mbr.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	._cache_mbr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TrashMalwares-main\\._cache_mbr.exe"	._cache_mbr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

._cache_mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ._cache_mbr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	._cache_mbr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4340 schtasks.exe

pid	process
4340	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

mbr.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mbr.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2068 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mbr.exe

pid	process
2068	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MS-RickRoll.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1904	MS-RickRoll.exe
Token: SeDebugPrivilege	1904	MS-RickRoll.exe
Token: 33	3384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3384	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

2068 EXCEL.EXE
2068 EXCEL.EXE
2068 EXCEL.EXE
2068 EXCEL.EXE
2068 EXCEL.EXE

pid	process
2068	EXCEL.EXE
2068	EXCEL.EXE
2068	EXCEL.EXE
2068	EXCEL.EXE
2068	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MS-RickRoll.exembr.exe._cache_mbr.exe

description	pid	process	target process
PID 1904 wrote to memory of 2440	1904	MS-RickRoll.exe	mbr.exe
PID 1904 wrote to memory of 2440	1904	MS-RickRoll.exe	mbr.exe
PID 1904 wrote to memory of 2440	1904	MS-RickRoll.exe	mbr.exe
PID 2440 wrote to memory of 4876	2440	mbr.exe	._cache_mbr.exe
PID 2440 wrote to memory of 4876	2440	mbr.exe	._cache_mbr.exe
PID 2440 wrote to memory of 4876	2440	mbr.exe	._cache_mbr.exe
PID 4876 wrote to memory of 4340	4876	._cache_mbr.exe	schtasks.exe
PID 4876 wrote to memory of 4340	4876	._cache_mbr.exe	schtasks.exe
PID 4876 wrote to memory of 4340	4876	._cache_mbr.exe	schtasks.exe
PID 2440 wrote to memory of 1112	2440	mbr.exe	Synaptics.exe
PID 2440 wrote to memory of 1112	2440	mbr.exe	Synaptics.exe
PID 2440 wrote to memory of 1112	2440	mbr.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\MS-RickRoll.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\mbr.exe
"C:\mbr.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4876

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe"
1⤵
- Creates scheduled task(s)
PID:4340

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x45c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
d39c83fa94398010bc7a281fcd781369

SHA1
cf0352fe8bd177507456f65c54c806fe1ca85507

SHA256
e173266e3d9af60add936ab2b0de936d1e35fa85556ea5c60bad7c75e818c4e3

SHA512
5688c1d2a02fa4d2da2d3711a3cea12e6f8585eb9d7d28df0fc5f835be075e371e5ac1f991352beb9a71b9fcd1f32f744e7af7b8068095f1bffceebdb711daa4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
d39c83fa94398010bc7a281fcd781369

SHA1
cf0352fe8bd177507456f65c54c806fe1ca85507

SHA256
e173266e3d9af60add936ab2b0de936d1e35fa85556ea5c60bad7c75e818c4e3

SHA512
5688c1d2a02fa4d2da2d3711a3cea12e6f8585eb9d7d28df0fc5f835be075e371e5ac1f991352beb9a71b9fcd1f32f744e7af7b8068095f1bffceebdb711daa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LX3M63yy.xlsm
Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe
Filesize
150KB

MD5
578650d2b82375bb0f6be3a9108585b0

SHA1
8f25b9a24254c2ec99ee5625c70a0ae7067dc68b

SHA256
5ee16b324a60878ccef849bec862a4fa551cb304d8ce4056d49df10fb8ec9f2f

SHA512
4c46d53bab8df399a63b33ac4c4bba2c99663b31fcd3ebb6bd01a9ccf1648a61a7034879fafced99adb9c60388590efb4462e404b9d5da7d8e2e60b480ffc657

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\._cache_mbr.exe
Filesize
150KB

MD5
578650d2b82375bb0f6be3a9108585b0

SHA1
8f25b9a24254c2ec99ee5625c70a0ae7067dc68b

SHA256
5ee16b324a60878ccef849bec862a4fa551cb304d8ce4056d49df10fb8ec9f2f

SHA512
4c46d53bab8df399a63b33ac4c4bba2c99663b31fcd3ebb6bd01a9ccf1648a61a7034879fafced99adb9c60388590efb4462e404b9d5da7d8e2e60b480ffc657

Download Submit
C:\mbr.exe
Filesize
904KB

MD5
c85aa1da29f23a5a711e2793d0630b5a

SHA1
e079ef1963a710db2e35380e508eef86ff371fb1

SHA256
a19c688c6bebe44cc77ecf6bd998bb4f1799cefc91c5bd32cc8d6381e0177139

SHA512
162e75f513518d5979f3c4a0e7ca6bf4b4333646bebee73a703c43c67c735f6ed244db25674f786881061418600123e92265e51e9ee5b6d34669ef71b72038cc

Download Submit
C:\mbr.exe
Filesize
904KB

MD5
c85aa1da29f23a5a711e2793d0630b5a

SHA1
e079ef1963a710db2e35380e508eef86ff371fb1

SHA256
a19c688c6bebe44cc77ecf6bd998bb4f1799cefc91c5bd32cc8d6381e0177139

SHA512
162e75f513518d5979f3c4a0e7ca6bf4b4333646bebee73a703c43c67c735f6ed244db25674f786881061418600123e92265e51e9ee5b6d34669ef71b72038cc

Download Submit
memory/1112-141-0x0000000000000000-mapping.dmp

Download
memory/1904-152-0x00007FFD33290000-0x00007FFD33D51000-memory.dmp

Filesize
10.8MB

Download
memory/1904-165-0x0000000025416000-0x000000002541B000-memory.dmp

Filesize
20KB

Download
memory/1904-174-0x0000000025436000-0x000000002543F000-memory.dmp

Filesize
36KB

Download
memory/1904-173-0x0000000025436000-0x000000002543F000-memory.dmp

Filesize
36KB

Download
memory/1904-172-0x000000002542D000-0x0000000025436000-memory.dmp

Filesize
36KB

Download
memory/1904-171-0x000000002542D000-0x0000000025436000-memory.dmp

Filesize
36KB

Download
memory/1904-170-0x0000000025424000-0x000000002542D000-memory.dmp

Filesize
36KB

Download
memory/1904-169-0x0000000025424000-0x000000002542D000-memory.dmp

Filesize
36KB

Download
memory/1904-168-0x000000002541B000-0x0000000025424000-memory.dmp

Filesize
36KB

Download
memory/1904-167-0x000000002541B000-0x0000000025424000-memory.dmp

Filesize
36KB

Download
memory/1904-166-0x0000000025416000-0x000000002541B000-memory.dmp

Filesize
20KB

Download
memory/1904-133-0x00007FFD33290000-0x00007FFD33D51000-memory.dmp

Filesize
10.8MB

Download
memory/1904-132-0x0000000000E60000-0x0000000002202000-memory.dmp

Filesize
19.6MB

Download
memory/1904-153-0x000000001DEA9000-0x000000001DEAF000-memory.dmp

Filesize
24KB

Download
memory/1904-154-0x000000001DEA9000-0x000000001DEAF000-memory.dmp

Filesize
24KB

Download
memory/1904-155-0x0000000025400000-0x0000000025404000-memory.dmp

Filesize
16KB

Download
memory/1904-156-0x0000000025400000-0x0000000025404000-memory.dmp

Filesize
16KB

Download
memory/1904-157-0x0000000025404000-0x0000000025407000-memory.dmp

Filesize
12KB

Download
memory/1904-158-0x0000000025404000-0x0000000025407000-memory.dmp

Filesize
12KB

Download
memory/1904-159-0x0000000025407000-0x000000002540C000-memory.dmp

Filesize
20KB

Download
memory/1904-160-0x0000000025407000-0x000000002540C000-memory.dmp

Filesize
20KB

Download
memory/1904-161-0x000000002540C000-0x0000000025411000-memory.dmp

Filesize
20KB

Download
memory/1904-162-0x000000002540C000-0x0000000025411000-memory.dmp

Filesize
20KB

Download
memory/1904-163-0x0000000025411000-0x0000000025416000-memory.dmp

Filesize
20KB

Download
memory/1904-164-0x0000000025411000-0x0000000025416000-memory.dmp

Filesize
20KB

Download
memory/2068-150-0x00007FFD0FD40000-0x00007FFD0FD50000-memory.dmp

Filesize
64KB

Download
memory/2068-149-0x00007FFD0FD40000-0x00007FFD0FD50000-memory.dmp

Filesize
64KB

Download
memory/2068-148-0x00007FFD121B0000-0x00007FFD121C0000-memory.dmp

Filesize
64KB

Download
memory/2068-147-0x00007FFD121B0000-0x00007FFD121C0000-memory.dmp

Filesize
64KB

Download
memory/2068-145-0x00007FFD121B0000-0x00007FFD121C0000-memory.dmp

Filesize
64KB

Download
memory/2068-146-0x00007FFD121B0000-0x00007FFD121C0000-memory.dmp

Filesize
64KB

Download
memory/2068-144-0x00007FFD121B0000-0x00007FFD121C0000-memory.dmp

Filesize
64KB

Download
memory/2440-134-0x0000000000000000-mapping.dmp

Download
memory/4340-140-0x0000000000000000-mapping.dmp

Download
memory/4876-137-0x0000000000000000-mapping.dmp

Download