Analysis
max time kernel: 61s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 00:06

Static task: static1
Behavioral task: behavioral1
  Sample: 903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
  Resource: win10v2004-20220901-en
General
Target: 903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
Size: 1.1MB
MD5: f7bf40a04f42e1f14e54a18d3c61897f
SHA1: 3eebc14f1c70ae9d4fa493c650a94d12257b2435
SHA256: 903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56
SHA512: 18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb
SSDEEP: 12288:gpQzNWXXasPZqh+unTEDA9ukiVATu83lf6YiRuRVlbEU6kw801pyVklLgjN25Kt7:g5asBpDDkqAT31Bi0RQ1EqG2+EC
Malware Config
Extracted from C:\Users\Admin\Documents\yrnkowk.html (the HTML ransom note; the extractor captured only this fragment):
  http-equiv='Content-Type
Extracted from C:\Users\Admin\Documents\DecryptAllFiles 240628218.txt (the text ransom note):
  http://wypwtzc2kaceyufw.onion
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  1084  dajjvan.exe
  4836  dajjvan.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
  File renamed: C:\Users\Admin\AppData\Local\Temp\0.tmp => C:\Users\Admin\Pictures\SyncCompress.raw.qlvpcsi (dajjvan.exe)
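The rename IoC above is worth reading carefully: the source is a `.tmp` file in the user's Temp directory, not the victim file, and the destination keeps the victim's original extension (`.raw`) with `.qlvpcsi` appended. Comparing source and destination extensions would therefore tell you nothing; the usable signal is "known user-file extension followed by an unknown one". The following detection logic is an added example written for this page, not code from the Triage report or the sandbox; the extension allow-list and all rename lines except the first are constructed assumptions.

```python
"""Added example (not part of the Triage report): flag ransomware-style
extension changes from file-rename events in the report's
"File renamed SRC => DST" form.

The IoC above shows encrypted content staged in a temp file and then moved
over the victim's path with a new extension appended:
    ...\\Temp\\0.tmp => ...\\Pictures\\SyncCompress.raw.qlvpcsi
Comparing the source and destination extensions (.tmp vs .qlvpcsi) says
nothing useful; the signal is that the destination keeps the victim's
original extension (.raw) and appends one that is not a known file type.
"""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Extensions a user file is expected to end with. Incomplete by design and
# an assumption of this example, not something the report provides.
KNOWN_EXTS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf",
    ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".raw", ".psd", ".mp3", ".mp4",
    ".avi", ".zip", ".rar", ".7z", ".tar", ".gz", ".db", ".sql", ".bak",
    ".tmp", ".exe", ".dll", ".lnk", ".ini", ".log", ".json", ".xml", ".csv",
}

# Constructed sample events (process name, rename line). The first line is
# the report's IoC; the others are invented to exercise the edge cases.
SAMPLE_EVENTS = [
    ("dajjvan.exe", r"C:\Users\Admin\AppData\Local\Temp\0.tmp => C:\Users\Admin\Pictures\SyncCompress.raw.qlvpcsi"),
    ("dajjvan.exe", r"C:\Users\Admin\AppData\Local\Temp\1.tmp => C:\Users\Admin\Documents\budget.xlsx.qlvpcsi"),
    ("dajjvan.exe", r"C:\Users\Admin\AppData\Local\Temp\2.tmp => C:\ProgramData\Microsoft\Windows\Caches\cache.db.qlvpcsi"),
    # benign: plain rename, extension unchanged
    ("explorer.exe", r"C:\Users\Admin\Documents\New Text Document.txt => C:\Users\Admin\Documents\notes.txt"),
    # benign: Office-style save through a temp file, destination is a known type
    ("WINWORD.EXE", r"C:\Users\Admin\Documents\~WRD0001.tmp => C:\Users\Admin\Documents\report.docx"),
    # benign: two trailing extensions, both known
    ("7zFM.exe", r"C:\Users\Admin\Downloads\x.tmp => C:\Users\Admin\Downloads\backup.tar.gz"),
]


def parse_rename(line):
    """Split "SRC => DST" into its two paths; returns None for other lines."""
    src, sep, dst = line.partition(" => ")
    return (src.strip(), dst.strip()) if sep else None


def appended_extension(dst):
    """Return the extension appended to a user file, or None.

    A hit needs two trailing extensions where the inner one is a known file
    type and the outer one is not, e.g. "SyncCompress.raw.qlvpcsi" -> ".qlvpcsi".
    """
    suffixes = [s.lower() for s in PureWindowsPath(dst).suffixes]
    if len(suffixes) < 2:
        return None
    inner, outer = suffixes[-2], suffixes[-1]
    if inner in KNOWN_EXTS and outer not in KNOWN_EXTS:
        return outer
    return None


def staged_through_temp(src):
    """True when the source is a .tmp file under a Temp directory: the
    encrypted content was written out of place and moved over the victim's
    name rather than the victim file being renamed in place."""
    p = PureWindowsPath(src)
    return p.suffix.lower() == ".tmp" and "temp" in (part.lower() for part in p.parts)


def flag_processes(events, min_files=2):
    """Group rename events by process and report those that appended one
    unknown extension to at least `min_files` user files."""
    per_proc = defaultdict(list)
    for proc, line in events:
        parsed = parse_rename(line)
        if not parsed:
            continue
        src, dst = parsed
        ext = appended_extension(dst)
        if ext:
            per_proc[proc].append((ext, dst, staged_through_temp(src)))

    hits = {}
    for proc, rows in per_proc.items():
        ext, n = Counter(r[0] for r in rows).most_common(1)[0]
        if n >= min_files:
            hits[proc] = {
                "extension": ext,
                "files": [d for e, d, _ in rows if e == ext],
                "staged_through_temp": all(s for e, _, s in rows if e == ext),
            }
    return hits


if __name__ == "__main__":
    for proc, info in flag_processes(SAMPLE_EVENTS).items():
        print(f"{proc}: appends {info['extension']} to {len(info['files'])} files, "
              f"staged via temp: {info['staged_through_temp']}")
```

The `min_files` threshold is there because a single odd rename is common in legitimate software; the per-process grouping is what turns one IoC into a verdict once the sandbox (or an EDR) reports more than one rename. The `staged_through_temp` flag matters for recovery: when the ciphertext is written to Temp and moved into place, the victim's original file was replaced rather than renamed, which changes what a file-recovery attempt should look for.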
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (dajjvan.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\AllFilesAreLocked 240628218.bmp" (dajjvan.exe)

Suspicious use of SetThreadContext (2 IoCs)
  PID 3248 (903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe) set thread context of PID 1584 (903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe)
  PID 1084 (dajjvan.exe) set thread context of PID 4836 (dajjvan.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (4 IoCs)
  pid   pid_target  process       target process
  2276  2440        WerFault.exe  (not named in the report)
  4524  2480        WerFault.exe  explorer.exe
  548   4836        WerFault.exe  dajjvan.exe
  3912  4836        WerFault.exe  dajjvan.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{ADF67F87-DAB9-455A-A7AF-2835B3EBDA5E} (explorer.exe)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   process
  3248  903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe (4 events)
  1584  903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe (2 events)
  1084  dajjvan.exe (4 events)
  4836  dajjvan.exe (2 events)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Token: SeShutdownPrivilege, PID 2480 explorer.exe (6 events)
  Token: SeCreatePagefilePrivilege, PID 2480 explorer.exe (6 events)

Suspicious use of FindShellTrayWindow (7 IoCs)
  pid   process
  4836  dajjvan.exe (1 event)
  2480  explorer.exe (6 events)

Suspicious use of SendNotifyMessage (9 IoCs)
  pid   process
  4836  dajjvan.exe (1 event)
  2480  explorer.exe (8 events)

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   process
  3248  903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe (2 events)
  1084  dajjvan.exe (2 events)
  4836  dajjvan.exe (2 events)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3248 (903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe) wrote to memory of PID 1584 (903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe) (6 events)
  PID 1084 (dajjvan.exe) wrote to memory of PID 4836 (dajjvan.exe) (6 events)
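Read together, the SetThreadContext and WriteProcessMemory signatures describe two chains with the same shape: a process writes into a second instance of its own image several times and then sets that instance's thread context (3248 to 1584 for the submitted sample, 1084 to 4836 for dajjvan.exe). That is the usual hollowing or self-unpacking pattern, and the dropped dajjvan.exe carries the same hashes as the submitted sample, so the second chain is simply the first one run again from the dropped copy. The correlation below is an added example written for this page, not code from the report or the sandbox; the event rows are transcribed from the tables above, the single explorer.exe row is constructed, and the helper names are this example's own.

```python
"""Added example (not part of the Triage report): correlate WriteProcessMemory
and SetThreadContext IoCs into injection chains, and check dropped files
against the submitted sample's hash.

A chain is a (source pid, target pid) pair that saw at least one memory write
and at least one thread-context change. When source and target run the same
image, the child was most likely started suspended, overwritten, and then
redirected before its original entry point ran.
"""
from collections import defaultdict

SAMPLE_IMAGE = "903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe"
SAMPLE_SHA256 = "903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56"

# (api, source pid, target pid, source image, target image).
# Rows for 3248/1584 and 1084/4836 are the report's IoCs; the explorer.exe row
# is constructed to show that a write without a context change is not a chain.
EVENTS = (
    [("WriteProcessMemory", 3248, 1584, SAMPLE_IMAGE, SAMPLE_IMAGE)] * 6
    + [("SetThreadContext", 3248, 1584, SAMPLE_IMAGE, SAMPLE_IMAGE)]
    + [("WriteProcessMemory", 1084, 4836, "dajjvan.exe", "dajjvan.exe")] * 6
    + [("SetThreadContext", 1084, 4836, "dajjvan.exe", "dajjvan.exe")]
    + [("WriteProcessMemory", 2480, 4836, "explorer.exe", "dajjvan.exe")]  # constructed
)

# (path, sha256) for the dropped files listed under Downloads in the report.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\dajjvan.exe", SAMPLE_SHA256),
    (r"C:\ProgramData\Oracle\akatxdg",
     "42787e32fd894e6ee7fbc5b0d9b8bc06fd86e07abd88ffbd655045f9ec7d7b7a"),
    (r"C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.qlvpcsi",
     "dfb474f346c4a07f6c4d4cefd88cc5f2de6545ad905d1d53f03c87a27f6f64db"),
]


def injection_chains(events):
    """Return one record per (source, target) pair that saw both a memory
    write and a thread-context change."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src": None, "dst": None})
    for api, src_pid, dst_pid, src_img, dst_img in events:
        rec = pairs[(src_pid, dst_pid)]
        rec["src"], rec["dst"] = src_img, dst_img
        if api == "WriteProcessMemory":
            rec["writes"] += 1
        elif api == "SetThreadContext":
            rec["ctx"] += 1

    chains = []
    for (src_pid, dst_pid), rec in pairs.items():
        if rec["writes"] and rec["ctx"]:
            chains.append({
                "source": src_pid,
                "target": dst_pid,
                "image": rec["src"],
                "self_image": rec["src"].lower() == rec["dst"].lower(),
                "writes": rec["writes"],
            })
    return chains


def self_copies(dropped, sample_sha256):
    """Paths of dropped files whose SHA-256 equals the submitted sample's,
    i.e. the sample copying itself for a second execution stage."""
    return [path for path, sha in dropped if sha.lower() == sample_sha256.lower()]


def summarize(events, dropped, sample_sha256):
    """One line per finding, suitable for a triage note."""
    lines = []
    copies = self_copies(dropped, sample_sha256)
    for chain in injection_chains(events):
        kind = "self-hollowing" if chain["self_image"] else "cross-process injection"
        note = f"{kind}: {chain['source']} -> {chain['target']} ({chain['image']}, {chain['writes']} writes)"
        if chain["self_image"] and any(p.lower().endswith("\\" + chain["image"].lower()) for p in copies):
            note += " [runs from a dropped copy of the sample]"
        lines.append(note)
    for path in copies:
        lines.append(f"dropped file is a byte-identical copy of the sample: {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(EVENTS, DROPPED, SAMPLE_SHA256)))
```

The explorer.exe row is deliberately left out of the chain list: a write into another process on its own is how debuggers and some legitimate tooling behave, and the report itself does not claim one. Requiring both APIs on the same pair keeps the rule aligned with what the sandbox actually observed, and the hash comparison turns the "Executes dropped EXE" signature into the more specific statement that the second chain is the sample re-running itself.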
Processes

C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe (PID 3248 per the signature tables)
  command line: "C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe (PID 1584)
      command line: C:\Users\Admin\AppData\Local\Temp\903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56.exe
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\dajjvan.exe (PID 1084)
  command line: C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\dajjvan.exe (PID 4836)
      command line: C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
      - Executes dropped EXE
      - Modifies extensions of user files
      - Checks computer location settings
      - Sets desktop wallpaper using registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      └ C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1272
          - Program crash
      └ C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1272
          - Program crash

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 2440 -ip 2440

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 2440 -s 1528
  - Program crash

C:\Windows\explorer.exe (PID 2480)
  command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  └ C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 2480 -s 2172
      - Program crash

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 448 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4836 -ip 4836
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.qlvpcsi (an encrypted file; the .qlvpcsi suffix matches the rename IoC above)
  Filesize: 622KB
  MD5: bb49f5bd8fea01c9e8525f29c1c2844e
  SHA1: 3be0ce711036ccb7c8bb6a9003702f992b88c1f8
  SHA256: dfb474f346c4a07f6c4d4cefd88cc5f2de6545ad905d1d53f03c87a27f6f64db
  SHA512: f7d104d5f0108721893b671ef49d2b6eb6e1dcb892c99de1ba9f542bd2be1d5496651fd8330a4c7f058cb30ec967526ea7c5a00d8c0a948dbfeaa6d978785b22

C:\ProgramData\Oracle\akatxdg
  Filesize: 654B
  MD5: 70bbdbc1a4a3784da1291374334214be
  SHA1: 12da503f16dae445b183be3f35c7e124eb700fdc
  SHA256: 42787e32fd894e6ee7fbc5b0d9b8bc06fd86e07abd88ffbd655045f9ec7d7b7a
  SHA512: 4528630366a82b43cb36c455fbb2f452121e9c95a0c7ecbe25ce654c20fc9b65ef9dd9304b82ed12d8bcc9b3db2ae429167c6b912d7f65966111b49e602fbea7

C:\Users\Admin\AppData\Local\Temp\dajjvan.exe (listed three times in the report with identical hashes; they match the submitted sample, so the dropped file is a copy of it)
  Filesize: 1.1MB
  MD5: f7bf40a04f42e1f14e54a18d3c61897f
  SHA1: 3eebc14f1c70ae9d4fa493c650a94d12257b2435
  SHA256: 903ba9c8405222214484f6d5cfa6afb76afb927bfb23297a2f520d9bc953ac56
  SHA512: 18aeeebd2733f3e0db865a3bd79433162cf6459bc75fc1883373c94800223334610eb3c8a123c760cf6378fe2b9741ba8299aeab6cb72682375619ee558503fb

Memory dumps:
  memory/1584-138-0x0000000000400000-0x00000000004A6E00-memory.dmp  667KB
  memory/1584-137-0x00000000009C0000-0x0000000000C01000-memory.dmp  2.3MB
  memory/1584-132-0x0000000000000000-mapping.dmp
  memory/1584-136-0x00000000007B0000-0x00000000009C0000-memory.dmp  2.1MB
  memory/1584-133-0x0000000000400000-0x00000000004A7000-memory.dmp  668KB
  memory/3248-135-0x0000000002480000-0x0000000002484000-memory.dmp  16KB
  memory/4836-141-0x0000000000000000-mapping.dmp
  memory/4836-146-0x0000000000950000-0x0000000000B91000-memory.dmp  2.3MB