47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90

General

Target

HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
Size

218KB
MD5

325229663face78b4494f54eb2c77524
SHA1

00d64f749b359ec6d304cbd918118755762ddaa5
SHA256

47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90
SHA512

83fc59059ed4a03ae0b7b592d4b5fa15bc70180a5a792ad8f8b68c2d0c42556ea1f257e38aab2229dd640aced588998460ffea75c02243d61b477bce74c1f5d0
SSDEEP

6144:aZSNIPmoXWBoqiNab5jYDy375Qvq5ybpaJDr:hiPyBj5jGy3FkNwJv

Score

10^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

Disables Task Manager via registry modification
evasion

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\GrantUse.tiff	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File created	C:\Users\Admin\Pictures\SplitConnect.tif.kfuald	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File created	C:\Users\Admin\Pictures\UnlockUnregister.crw.kfuald	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File created	C:\Users\Admin\Pictures\UseRename.raw.kfuald	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File created	C:\Users\Admin\Pictures\DebugUndo.png.kfuald	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File created	C:\Users\Admin\Pictures\ExpandProtect.crw.kfuald	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File created	C:\Users\Admin\Pictures\GrantOut.raw.kfuald	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File created	C:\Users\Admin\Pictures\GrantUse.tiff.kfuald	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

pid	process
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

description pid process

Token: SeDebugPrivilege 808 HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

description	pid	process
Token: SeDebugPrivilege	808	HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Diztakun.gen-47f5c7a0c27b925d9c1513ac73eecab3953327beda396fea0b2bbbe15467cb90.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-132-0x0000000000670000-0x00000000006AC000-memory.dmp

Filesize
240KB

Download
memory/808-133-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download
memory/808-134-0x00007FF8148F0000-0x00007FF8153B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads