Analysis

  • max time kernel
    37s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/10/2022, 13:36

General

  • Target

    6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe

  • Size

    323KB

  • MD5

    a1bb74424a908d9146d2e6ea73085794

  • SHA1

    82cb2648c5b82f627d28dfa252bc522fb83b078b

  • SHA256

    6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11

  • SHA512

    7ee4fa1a902e0afe2863098c0acf196e8d01907646aeeb5c903ce9f6ee9d99345e400cfaef42094bd846650d23a11e17e5c106901e8d6dea8bbeb48de1dbc275

  • SSDEEP

    6144:aBxeN/Tdx8YzL+4eBDgelLBLZx53TV5n+yNXavM:aBxe9dx8Yz6nhtLZx53TV5n+4av

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 12 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 12 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 10 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 47 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 45 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe
    "C:\Users\Admin\AppData\Local\Temp\6f08506724e94890487b53df2b143278bcf717f3fa7583d96037292155782e11.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Sets file execution options in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4876
    • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies system executable filetype association
      • Modifies visibility of file extensions in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Sets file execution options in registry
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2152
      • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        C:\Windows\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:788
      • C:\Windows\SysWOW64\Kantuk.exe
        C:\Windows\system32\Kantuk.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies system executable filetype association
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4600
      • C:\Windows\SysWOW64\4K51K4.exe
        C:\Windows\system32\4K51K4.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies system executable filetype association
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1824
      • C:\Windows\SysWOW64\K0L4B0R451.exe
        C:\Windows\system32\K0L4B0R451.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies system executable filetype association
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2336
      • C:\Windows\SysWOW64\GoldenGhost.exe
        C:\Windows\system32\GoldenGhost.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies system executable filetype association
        • Modifies visibility of file extensions in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Executes dropped EXE
        • Sets file execution options in registry
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3100
    • C:\Windows\SysWOW64\Kantuk.exe
      C:\Windows\system32\Kantuk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3056
    • C:\Windows\SysWOW64\4K51K4.exe
      C:\Windows\system32\4K51K4.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:460
    • C:\Windows\SysWOW64\K0L4B0R451.exe
      C:\Windows\system32\K0L4B0R451.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4240
    • C:\Windows\SysWOW64\GoldenGhost.exe
      C:\Windows\system32\GoldenGhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4080

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Aut0exec.bat

          Filesize

          323KB

          MD5

          377ea55781fe43551b737d6d14b439b8

          SHA1

          ef4b7a662cc43e147f8aec34e93b2af69bd7fe10

          SHA256

          26f30c340f45dc85fcaa79976bf58d1bcf42a6b610da525cd0188b394936ea5c

          SHA512

          a2a2c433e3122697755b71bcf55e297de70739f2d626c03115f414d94dcad06126a087266298635336f55ba35ca8287208f001784b05552e073d560db1a57fbe

        • C:\Users\Admin\AppData\Local\Temp\Windows_3D.scr

          Filesize

          323KB

          MD5

          4c3af5916dd70ad60c3cc937f7ff5bce

          SHA1

          afdc446614507155463e2eda2c34845f8353b881

          SHA256

          3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

          SHA512

          8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

        • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

          Filesize

          323KB

          MD5

          4c3af5916dd70ad60c3cc937f7ff5bce

          SHA1

          afdc446614507155463e2eda2c34845f8353b881

          SHA256

          3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

          SHA512

          8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

        • C:\Windows\SysWOW64\4K51K4.exe

          Filesize

          323KB

          MD5

          4c3af5916dd70ad60c3cc937f7ff5bce

          SHA1

          afdc446614507155463e2eda2c34845f8353b881

          SHA256

          3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

          SHA512

          8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

        • C:\Windows\SysWOW64\4K51K4.exe

          Filesize

          323KB

          MD5

          50b2971269d85154a17393200f0553ea

          SHA1

          f0930046d2d54c77a5043f6c0b1cfe797222a0c4

          SHA256

          b6377b44703a8895d802525f4d2f3dbe9501f17df9f0af9e38c91da0fc790b1c

          SHA512

          b9209515d4792936167901f442255cb47158d3b437d48dfc8ea939f53e826ce9aab63a9ad20025efad28065757c764a509a483a8322f27976e3a3c5dde06247b

        • C:\Windows\SysWOW64\GoldenGhost.exe

          Filesize

          323KB

          MD5

          4c3af5916dd70ad60c3cc937f7ff5bce

          SHA1

          afdc446614507155463e2eda2c34845f8353b881

          SHA256

          3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

          SHA512

          8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

        • C:\Windows\SysWOW64\GoldenGhost.exe

          Filesize

          323KB

          MD5

          f7321183702d5dfb9882c0b95cba1b30

          SHA1

          4d1ea48303e1f27e25954310339162b22f1233db

          SHA256

          9b028519b8df6741226d70aeda3d98a3d61420e4ac9035226da17da070f3c3c7

          SHA512

          e628f8f53bfb37c5e1439dd94cdbaafd07b68375740442fa4fef096994e619b69c47357dd9d7d6c709c7a52090e506efb90966cc9b78649e8247419f151d4e72

        • C:\Windows\SysWOW64\K0L4B0R451.exe

          Filesize

          323KB

          MD5

          7b914fd6956b7042a213f7400a4c11bc

          SHA1

          87cc88c00389621f8a2a5542ed5aec656340e7aa

          SHA256

          d774465ed8c2e3484244222e1e2e708aba819e170f79be3b64c5794417f5ae3e

          SHA512

          3afa729903c15682039cc8c6e560fa7ecd0c21878a8736a26a3659ef1910f9750201d5767b1df29ce43ac512f5fc191bf12ae0ced69df47c8e37283e2c2bdc99

        • C:\Windows\SysWOW64\K0L4B0R451.exe

          Filesize

          323KB

          MD5

          678c177bb60551eb0f3bf999ad6ae48c

          SHA1

          35edea07cee84f4a267f06b216cdaf1a7b3eeae0

          SHA256

          2683746e56c9588d4ac4bd0dd163c56da8d5afabcfbd0bf7f2284cb1d2593b86

          SHA512

          f154ecf76788533fda7fed50ff70e81a782e9dca400d98d9183ed18670a3efb67d5342dfef09dd4dfed5d7d3f8da715d991e81241fdb826e032c509d8c960c44

        • C:\Windows\SysWOW64\Kantuk.exe

          Filesize

          323KB

          MD5

          4c3af5916dd70ad60c3cc937f7ff5bce

          SHA1

          afdc446614507155463e2eda2c34845f8353b881

          SHA256

          3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

          SHA512

          8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

        • C:\Windows\SysWOW64\Kantuk.exe

          Filesize

          323KB

          MD5

          5d559bb14d0ff1983e5b678b6f3a7363

          SHA1

          26fd83e9cf037e585f4f9ebb5fd7b9e697f7b48d

          SHA256

          b92705353722e6062d0d081abc5083bea34920568e27efca1082f0a384cb9d31

          SHA512

          7c37926cec1ec15a478d6868b03808de397b229302685d42b90aa5b811e29c38cbeac8bf8d73bcb879d0b1e603aab8c04743c6c96e555e98f51a2a385f5a3c8a

        • C:\Windows\SysWOW64\Shell32.com

          Filesize

          323KB

          MD5

          4c3af5916dd70ad60c3cc937f7ff5bce

          SHA1

          afdc446614507155463e2eda2c34845f8353b881

          SHA256

          3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

          SHA512

          8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

        • C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe

          Filesize

          323KB

          MD5

          4c3af5916dd70ad60c3cc937f7ff5bce

          SHA1

          afdc446614507155463e2eda2c34845f8353b881

          SHA256

          3cae607f6d06d4c8b4cd69df4e9b7fa167ed8ff515d372a26d64d504878fec09

          SHA512

          8320bd5c5aea960ea5bb062cee4671c7299d893f834943fee0f2e0204d5e975021ae0693056aa589874139410023f1df1e0439f79fb8bde9f6d81b0cbbd31816

        • memory/1824-164-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

        • memory/2152-138-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

        • memory/2336-169-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

        • memory/3100-175-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

        • memory/4600-157-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

        • memory/4876-132-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB