Analysis
- max time kernel: 151s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-09-2022 12:33

Static task
- static1

Behavioral task
- behavioral1
  Sample: HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe
  Resource: win7-20220901-en

Behavioral task
- behavioral2
  Sample: HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe
  Resource: win10v2004-20220812-en

General
- Target: HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe
- Size: 216KB
- MD5: d06622833d3ee1c907d90bccec01ec74
- SHA1: dcdc748bb8a8cb4d16c2d88e40fbd634b2396d42
- SHA256: 5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b
- SHA512: 119822dcc655cf9a9bd708992811cdb46d216ca5e77fb1f461290e37545cb348ea0ccd232ee1fb1c42d4ad91ec16aa93bbdf75829807c61934d97a8f84feb735
- SSDEEP: 3072:o7DtWs7prq6+ouCpk2mpcWJ0r+QNTBf8JMzmmsoltIrRuw+mqv9j1MWLQKq7:o7Jpldk1cWQRNTB0izmDAtS
Malware Config
Extracted from C:\Users\Admin\Desktop\readme.txt:
- CobraLocker@mail2tor.com
- http://mail2tor2zyjdctd.onion/
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" (BabaYaga.exe)
- Disables RegEdit via registry modification (1 IoC)
  Processes:
  - Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (BabaYaga.exe)
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 1900 BabaYaga.exe
  - PID 1060 something.exe
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  - File renamed C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.enc (BabaYaga.exe)
  - File renamed C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.enc (BabaYaga.exe)
  - File renamed C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.enc (BabaYaga.exe)
- Possible privilege escalation attempt (10 IoCs)
  Processes:
  - PID 240 takeown.exe
  - PID 1552 icacls.exe
  - PID 1612 takeown.exe
  - PID 1924 icacls.exe
  - PID 2008 takeown.exe
  - PID 1556 takeown.exe
  - PID 1464 icacls.exe
  - PID 1696 takeown.exe
  - PID 1684 icacls.exe
  - PID 1748 icacls.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 1768 HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe (2 entries)
- Modifies file permissions (1 TTP, 10 IoCs)
  Processes:
  - PID 1464 icacls.exe
  - PID 1696 takeown.exe
  - PID 240 takeown.exe
  - PID 1748 icacls.exe
  - PID 1552 icacls.exe
  - PID 1612 takeown.exe
  - PID 1556 takeown.exe
  - PID 2008 takeown.exe
  - PID 1924 icacls.exe
  - PID 1684 icacls.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes:
  - PID 692 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 1900 BabaYaga.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
  - Token: SeTakeOwnershipPrivilege, PID 1556 takeown.exe
  - Token: SeDebugPrivilege, PID 692 taskkill.exe
  - Token: SeTakeOwnershipPrivilege, PID 1696 takeown.exe
  - Token: SeTakeOwnershipPrivilege, PID 240 takeown.exe
  - Token: SeTakeOwnershipPrivilege, PID 2008 takeown.exe
  - Token: SeTakeOwnershipPrivilege, PID 1612 takeown.exe
  - Token: SeDebugPrivilege, PID 1900 BabaYaga.exe
  - Token: SeDebugPrivilege, PID 1900 BabaYaga.exe
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes (source PID and process -> target PID and process; repeated identical entries are collapsed with their count):
  - PID 1768 HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe wrote to memory of 1900 BabaYaga.exe (4 entries)
  - PID 1768 HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe wrote to memory of 1060 something.exe (4 entries)
  - PID 1060 something.exe wrote to memory of 1584 cmd.exe (4 entries)
  - PID 1768 HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe wrote to memory of 692 taskkill.exe (4 entries)
  - PID 1584 cmd.exe wrote to memory of 1556 takeown.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1464 icacls.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1696 takeown.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1684 icacls.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 240 takeown.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1748 icacls.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1944 attrib.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 2008 takeown.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1552 icacls.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 596 attrib.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1612 takeown.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1924 icacls.exe (3 entries)
  - PID 1584 cmd.exe wrote to memory of 1188 attrib.exe (3 entries)
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes:
  - PID 1944 attrib.exe
  - PID 596 attrib.exe
  - PID 1188 attrib.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe"
  Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\BabaYaga.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BabaYaga.exe"
    Signatures:
      - Modifies WinLogon for persistence
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Modifies extensions of user files
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Users\Admin\AppData\Local\Temp\something.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\something.exe"
    Signatures:
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FBDD.tmp\FBDE.tmp\FBDF.bat C:\Users\Admin\AppData\Local\Temp\something.exe"
      Signatures:
        - Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\System32\winlogon.exe
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      - Level 4: C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\System32\winlogon.exe /grant Admin:F
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
      - Level 4: C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\Windows\system32\logonui.exe
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      - Level 4: C:\Windows\system32\icacls.exe
        Command line: icacls C:\Windows\system32\logonui.exe /grant Admin:F
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
      - Level 4: C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\autoexec.bat
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      - Level 4: C:\Windows\system32\icacls.exe
        Command line: icacls C:\autoexec.bat /grant Admin:F
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
      - Level 4: C:\Windows\system32\attrib.exe
        Command line: attrib -r -s -h c:\autoexec.bat
        Signatures:
          - Views/modifies file attributes
      - Level 4: C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\boot.ini
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      - Level 4: C:\Windows\system32\icacls.exe
        Command line: icacls C:\boot.ini /grant Admin:F
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
      - Level 4: C:\Windows\system32\attrib.exe
        Command line: attrib -r -s -h c:\boot.ini
        Signatures:
          - Views/modifies file attributes
      - Level 4: C:\Windows\system32\takeown.exe
        Command line: takeown /f C:\bootmgr
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      - Level 4: C:\Windows\system32\icacls.exe
        Command line: icacls C:\bootmgr /grant Admin:F
        Signatures:
          - Possible privilege escalation attempt
          - Modifies file permissions
      - Level 4: C:\Windows\system32\attrib.exe
        Command line: attrib -r -s -h C:\bootmgr
        Signatures:
          - Views/modifies file attributes
  - Level 2: C:\Windows\SysWOW64\taskkill.exe
    Command line: "C:\Windows\System32\taskkill.exe" /f /im BY.exe
    Signatures:
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
Downloads
- C:\Users\Admin\AppData\Local\Temp\BabaYaga.exe (also listed as \Users\Admin\AppData\Local\Temp\BabaYaga.exe)
  Filesize: 20KB
  MD5: 255157e43ec2bb21d5b8ec800f5d34ce
  SHA1: 9735fc4659abe4f99547002fd7cce8559bc77038
  SHA256: bed19c8647924a665df723bc139f962f244254eca50e24091af084b03e929df6
  SHA512: a6a334b9d1e4f377e270447bec279a279ce8e3f57a0884ef07fb2eed2e4482a1ab324f03e6e9720dde3a17a3e361d84ace5360ecb7a00b0aab7d6a87858b1caa
- C:\Users\Admin\AppData\Local\Temp\FBDD.tmp\FBDE.tmp\FBDF.bat
  Filesize: 649B
  MD5: b1bf5bb9015986c23172c3d40177be16
  SHA1: b2a21cfddc9b18348e526f218ebae123487a6019
  SHA256: 708c66bf6eed316604169730be6d5fa514cf439bc84ea3851dded4547fa871d2
  SHA512: 1c81bf9c0c178ba7067990dd0b23fa8125a1c7b055778c38c6a3f60bfbc5cabfea2efc01b8ef5939d7b1c89387939adbeecb7ce5711be367c44f792d9633d2d2
- C:\Users\Admin\AppData\Local\Temp\something.exe (also listed as \Users\Admin\AppData\Local\Temp\something.exe)
  Filesize: 87KB
  MD5: b96f6781a1637637f0f25803545dae7b
  SHA1: 29cc78d4d641b6ad69b36e4e873e63f46010b21f
  SHA256: e2477685e5831120f9b424f99bbeee79f700d1cd3ccae025ea46172fc1433dae
  SHA512: 0035761d673c8bcdc8eb7956115d177ad484a31d27e76b2fc1a41d8d8fea27124e9981e64ff1b6f254c8ddbace5ab95c091a8705bb3794f66aee6679bd912e56