Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2022 16:57
Static task: static1
Behavioral task: behavioral1
- Sample: Trojan-Ransom.Win32.Blocker.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Trojan-Ransom.Win32.Blocker.exe
- Resource: win10v2004-20220901-en
General
- Target: Trojan-Ransom.Win32.Blocker.exe
- Size: 909KB
- MD5: be95306ba1b3d87913f6f8dd5f86cbc3
- SHA1: 5901ba5c4199e5bb8b58dae9ae78566afbb44fa2
- SHA256: dc2add0b011dc2b4ae2511caa812858bbe370cf22721e46c264542ce29d60c6e
- SHA512: 0a413cc1922d87474781cff268a3bb2170050148bb4eaa36411f28c2ca4e008b947ba4d60cc194511b59dc43a079eabd37fa01f5048ba2017c1a7959f34791e0
- SSDEEP: 24576:iUWqist6UzuAKg6s11X38rMrIzv6B50xq:iUUJUzJKz8F5eS0M
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Process: BajLUV.pzBXsOyDOIMq
  Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- Disables Task Manager via registry modification
  (The report lists no registry IoC for this signature.)
- Executes dropped EXE (1 IoC)
  Process: BajLUV.pzBXsOyDOIMq (PID 376)
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Process: RegSvcs.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U5421566-RYV5-7OTE-1Q8V-R86HOGMN66K5}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U5421566-RYV5-7OTE-1Q8V-R86HOGMN66K5}\StubPath = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\""
  Note: Active Setup runs each component's StubPath once per user at logon, so this is a persistence mechanism. The component name is not a well-formed GUID (it contains non-hex characters), and the StubPath runs RegSvcs.exe with no assembly argument; both are useful hunting tells. The write comes from the RegSvcs.exe process that PID 376 injected into (see SetThreadContext and WriteProcessMemory below).
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: Trojan-Ransom.Win32.Blocker.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: BajLUV.pzBXsOyDOIMq
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mldui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\45401.vbs"
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Note: the RunOnce value points at a .vbs under the user's Temp directory; the referenced 45401.vbs is not among the dropped files listed under Downloads, only QzafowI.vbs is.
- Checks whether UAC is enabled (1 IoC)
  Process: BajLUV.pzBXsOyDOIMq
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  Process: BajLUV.pzBXsOyDOIMq (PID 376) set the thread context of PID 1284 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process: Trojan-Ransom.Win32.Blocker.exe
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: BajLUV.pzBXsOyDOIMq (PID 376), 64 identical entries
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: BajLUV.pzBXsOyDOIMq (PID 376), Token: SeDebugPrivilege, 64 identical entries
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4904 (Trojan-Ransom.Win32.Blocker.exe) wrote to the memory of PID 2076 (WScript.exe): 3 entries
  PID 2076 (WScript.exe) wrote to the memory of PID 376 (BajLUV.pzBXsOyDOIMq): 3 entries
  PID 376 (BajLUV.pzBXsOyDOIMq) wrote to the memory of PID 1284 (RegSvcs.exe): 5 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe (PID 4904)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe (PID 2076)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mldui\QzafowI.vbs"
      (The parent is a 32-bit process, so WOW64 file-system redirection maps the System32 path in the command line to SysWOW64.)
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq (PID 376)
         Command line: BajLUV.pzBXsOyDOIMq kFYhscmgri.QEQ
         (A dropped executable run under a non-.exe extension; the 24.0MB kFYhscmgri.QEQ passed as its argument is listed under Downloads.)
         - Modifies visibility of hidden/system files in Explorer
         - Executes dropped EXE
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1284)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            (Started with no assembly argument, then written to with WriteProcessMemory and SetThreadContext from PID 376: consistent with process hollowing of a signed .NET utility.)
            - Modifies Installed Components in the registry
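The process tree and registry IoCs above translate directly into host detection logic. The following is an added example (not the sandbox vendor's tooling and not code from the sample) that runs simple rules over constructed Sysmon-style events modelled on this report: a Run/RunOnce value pointing at a script, an Active Setup StubPath whose component name is not a well-formed GUID and whose target is a .NET utility with no assembly argument, ShowSuperHidden forced to 0, a script host launching a child with a non-executable extension, and RegSvcs.exe started empty by a non-Windows parent. Assumptions: events are one tab-separated key=value line each (real Sysmon output is XML/EVTX and needs its own parser), the DisableTaskMgr rule checks the standard policy value because the report flags that behaviour without an IoC, and the technique IDs are current ATT&CK sub-technique IDs rather than the v6 matrix the report references.

```python
"""Detection logic for the behaviours reported above, run over constructed
Sysmon-style events. Added example: not the sandbox's tooling and not the sample."""
import re

# Constructed sample, modelled on the report's process tree and registry IoCs.
# Assumption: one tab-separated key=value line per event (real Sysmon is XML/EVTX).
SAMPLE_LOG = (
    "EventID=1\tImage=C:\\Windows\\SysWOW64\\WScript.exe"
    "\tCommandLine=\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\QzafowI.vbs\""
    "\tParentImage=C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan-Ransom.Win32.Blocker.exe\n"
    "EventID=1\tImage=C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\BajLUV.pzBXsOyDOIMq"
    "\tCommandLine=BajLUV.pzBXsOyDOIMq kFYhscmgri.QEQ\tParentImage=C:\\Windows\\SysWOW64\\WScript.exe\n"
    "EventID=1\tImage=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
    "\tCommandLine=\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\""
    "\tParentImage=C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\BajLUV.pzBXsOyDOIMq\n"
    "EventID=13\tImage=C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\BajLUV.pzBXsOyDOIMq"
    "\tTargetObject=HKU\\S-1-5-21-929662420-1054238289-2961194603-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\mldui"
    "\tDetails=C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\45401.vbs\n"
    "EventID=13\tImage=C:\\Users\\Admin\\AppData\\Local\\Temp\\mldui\\BajLUV.pzBXsOyDOIMq"
    "\tTargetObject=HKU\\S-1-5-21-929662420-1054238289-2961194603-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"
    "\tDetails=DWORD (0x00000000)\n"
    "EventID=13\tImage=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
    "\tTargetObject=HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components\\{U5421566-RYV5-7OTE-1Q8V-R86HOGMN66K5}\\StubPath"
    "\tDetails=\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\"\n"
    # benign control line: must produce no finding
    "EventID=1\tImage=C:\\Windows\\System32\\notepad.exe\tCommandLine=notepad.exe"
    "\tParentImage=C:\\Windows\\explorer.exe\n"
)

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# .NET utilities commonly started with an empty command line and then hollowed
HOLLOW_HOSTS = ("regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
ACTIVE_SETUP = re.compile(r"\\Active Setup\\Installed Components\\\{([^}]+)\}\\StubPath$", re.I)
GUID = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)


def parse(line):
    """Split one tab-separated key=value event line into a dict."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("\t"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def exe_of(cmdline):
    """First token of a command line (the image), honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def has_args(cmdline):
    cmdline = cmdline.strip()
    skip = len(exe_of(cmdline)) + (2 if cmdline.startswith('"') else 0)
    return cmdline[skip:].strip() != ""


def check_registry(ev):
    """Rules for EventID 13 (RegistryValueSet) matching the report's registry IoCs."""
    hits = []
    if ev.get("EventID") != "13":
        return hits
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    if RUN_KEY.search(target) and details.lower().endswith(SCRIPT_EXT):
        hits.append("T1547.001 Run/RunOnce value points at a script: " + details)
    m = ACTIVE_SETUP.search(target)
    if m:
        if not GUID.match(m.group(1)):
            hits.append("T1547.014 Active Setup component is not a well-formed GUID: {%s}" % m.group(1))
        if basename(exe_of(details)) in HOLLOW_HOSTS and not has_args(details):
            hits.append("T1547.014 Active Setup StubPath runs a .NET utility with no assembly: " + details)
    low = target.lower()
    if low.endswith("\\explorer\\advanced\\showsuperhidden") and details.endswith("(0x00000000)"):
        hits.append("T1564.001 ShowSuperHidden forced to 0 (protected OS files hidden)")
    # The report flags 'Disables Task Manager' without an IoC; assumption: the standard policy value.
    if low.endswith("\\policies\\system\\disabletaskmgr") and details.endswith("(0x00000001)"):
        hits.append("T1562.001 Task Manager disabled via DisableTaskMgr=1")
    return hits


def check_process(ev):
    """Rules for EventID 1 (ProcessCreate) matching the report's process tree."""
    hits = []
    if ev.get("EventID") != "1":
        return hits
    image, parent, cmd = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")
    if basename(parent) in SCRIPT_HOSTS and not basename(image).endswith((".exe", ".com")):
        hits.append("T1059.005 script host launched a child without an executable extension: " + image)
    if basename(image) in HOLLOW_HOSTS and not has_args(cmd) and not parent.lower().startswith("c:\\windows\\"):
        hits.append("T1055.012 %s started empty by %s (hollowing host)" % (basename(image), parent))
    return hits


def scan(log_text):
    """Return (line_number, finding) pairs for every rule that fires over the log."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            ev = parse(line)
            findings.extend((n, hit) for hit in check_registry(ev) + check_process(ev))
    return findings


if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, finding))
```

On the constructed log this fires six times: the non-.exe child of WScript.exe, the empty RegSvcs.exe launch, the RunOnce .vbs, ShowSuperHidden=0, and two findings on the Active Setup write (malformed GUID, StubPath with no assembly); the notepad control line produces nothing. The GUID check is the cheapest rule here and the hardest for an attacker to avoid while keeping a fixed key name.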
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\mldui\BajLUV.pzBXsOyDOIMq
  Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- C:\Users\Admin\AppData\Local\Temp\mldui\CMXpQjy.IJI
  Filesize: 222B
  MD5: 787d8d90965e70ca0d269c83c406f0de
  SHA1: 7da6d7053aa2a43831a3f1257a77a8752ea3e603
  SHA256: 8bb92766af21fb83dbb90825ef102d1c6576d07c9556d2da4658779c02d5341f
  SHA512: 50604ea6e708997dc857c4e50e48f7d3a9a05c1b7a7865e5053c06e20fc951e9eb41d9e6bc78b4bd0f2f59d79c6a4f5a7dbd83506d27a33f1fd187e9ce4abaef
- C:\Users\Admin\AppData\Local\Temp\mldui\QzafowI.vbs
  Filesize: 71B
  MD5: 78c4f6655dacda99ba5c2af055938a6a
  SHA1: 2f93f8ec878389b6864c4fed993842a2924497f0
  SHA256: a92626bfd54da9e526ad67032269dd578735fec319915464450634e3d1517fa5
  SHA512: ffcbddf5ae65ae5519db78dee11e54ef1fb3e4152916036d243100389ace3d70d62e83b9568f4eddf281faf16c87a2c6a8728aa167dfe5c72dafb685b7ee0e21
- C:\Users\Admin\AppData\Local\Temp\mldui\TZNQPU~1.ANW (8.3 short name; the long name is not shown in the report)
  Filesize: 69KB
  MD5: 5794ef0198b5e9dc3d1b25ddaf65bb70
  SHA1: 4d0f49194e749ff2887a1e93cce757713e96cd96
  SHA256: a58a7ff745b154ec55f28378e314555aec5e05cbef360eab29a549fec834a17a
  SHA512: 3c1005b49d7ac191363ceb3587242d62415d6b3436854a3a873e8deb9f5562ea1c431d94e28f1bb5c5f8565e57192afb3df67ce4b13d00fb103fbaec79224fea
- C:\Users\Admin\AppData\Local\Temp\mldui\kFYhscmgri.QEQ (passed as the argument to BajLUV.pzBXsOyDOIMq)
  Filesize: 24.0MB
  MD5: 2c8878e3aa40fa8cfc4605767126e783
  SHA1: 1ec2fd0f64e637b74bc0efe892475f431f4038b1
  SHA256: 816974014b6627a98afe0d1fdb877e9b8b88fbeef9e2b8bcf99fb5d47892debf
  SHA512: 1b0b3803764a0dcce0f3178d40c0feab07eeec54d70ecc6837da5818b0e6010e715a754a46b19dd41d2d8e86834245d1efdc3d1ed7093bad1e5e8bc61e65b113
- memory/376-134-0x0000000000000000-mapping.dmp
- memory/1284-140-0x0000000000000000-mapping.dmp
- memory/1284-141-0x0000000000400000-0x0000000000418000-memory.dmp (96KB)
- memory/1284-142-0x0000000000400000-0x0000000000418000-memory.dmp (96KB)
  (PID 1284 is RegSvcs.exe; these two dumps cover the 96KB region at the default image base 0x400000 that PID 376 wrote into before SetThreadContext, so they are the first artifact to pull for static analysis of the injected payload.)
- memory/2076-132-0x0000000000000000-mapping.dmp