Analysis
- max time kernel: 150s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 12:53
Static task: static1
Behavioral task: behavioral1
- Sample: 10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
- Resource: win10v2004-20220812-en
General
- Target: 10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
- Size: 1.0MB
- MD5: 5b65b00894b6bdf79de272360d268604
- SHA1: ba437d3e5f376f1d655632a52bf1e05af8a7e7a9
- SHA256: 10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80
- SHA512: 4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12
- SSDEEP: 24576:xVm0yFkkRztCxlvTJe9XJaCubcnoxtjZZHh65:rmvFvRav1eVdeQ8FZN6
Malware Config
Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-gkwiicl.txt:
- http://onja764ig6vah2jo.onion.cab
- http://onja764ig6vah2jo.tor2web.org
- http://onja764ig6vah2jo.onion/
Extracted from C:\Users\Admin\Documents\Decrypt-All-Files-gkwiicl.txt:
- http://onja764ig6vah2jo.onion.cab
- http://onja764ig6vah2jo.tor2web.org
- http://onja764ig6vah2jo.onion/
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes:
- pid 1228 gejzibk.exe
- pid 1180 gejzibk.exe
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (all by svchost.exe):
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SaveConvertFrom.CRW.gkwiicl
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConnectPublish.RAW.gkwiicl
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SelectStart.RAW.gkwiicl
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\AssertSelect.CRW.gkwiicl
Drops desktop.ini file(s) (1 IoC)
Processes:
- File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt-All-Files-gkwiicl.bmp" (Explorer.EXE)
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 1160 (10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe) set thread context of PID 1712 (10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe)
- PID 1228 (gejzibk.exe) set thread context of PID 1180 (gejzibk.exe)
Drops file in Program Files directory (2 IoCs)
Processes (all by svchost.exe):
- File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-gkwiicl.txt
- File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-gkwiicl.bmp
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 1692 vssadmin.exe
Modifies data under HKEY_USERS (20 IoCs)
Processes (all by svchost.exe):
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}\MaxCapacity = "15140"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}\NukeOnDelete = "0"
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061006200650065003700340034002d0031006100380032002d0031003100650064002d0038003200390030002d003800300036006500360066003600650036003900360033007d0000000000
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
- Key created \REGISTRY\USER\.DEFAULT\Software
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes:
- pid 1712 10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe (1 event)
- pid 1180 gejzibk.exe (31 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1180 gejzibk.exe (2 events)
- Token: SeShutdownPrivilege, pid 1276 Explorer.EXE
Suspicious use of UnmapMainImage (1 IoC)
Processes:
- pid 1276 Explorer.EXE
Suspicious use of WriteProcessMemory (29 IoCs)
Processes (source PID -> target PID, with event count):
- PID 1160 (10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe) wrote to memory of PID 1712 (10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe), 8 events
- PID 1376 (taskeng.exe) wrote to memory of PID 1228 (gejzibk.exe), 4 events
- PID 1228 (gejzibk.exe) wrote to memory of PID 1180 (gejzibk.exe), 8 events
- PID 1180 (gejzibk.exe) wrote to memory of PID 600 (svchost.exe), 1 event
- PID 600 (svchost.exe) wrote to memory of PID 1676 (DllHost.exe), 3 events
- PID 1180 (gejzibk.exe) wrote to memory of PID 1276 (Explorer.EXE), 1 event
- PID 1180 (gejzibk.exe) wrote to memory of PID 1692 (vssadmin.exe), 4 events
Processes
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  Level 2: C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe"
      - Suspicious behavior: EnumeratesProcesses
Level 1: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Level 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0CE8622C-D822-410F-BB36-402E1B1E2335} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows all
        - Interacts with shadow copies
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Package Cache\qrsyusl
- Filesize: 654B
- MD5: 6effb15e094018eb4b4984db188a7d69
- SHA1: 7f2c06eab9d73a18bf1b31cc712b495807132785
- SHA256: 35d178b93af779c4bfb46efb56351ae68301d504b9cd329b05aa51abb18351fd
- SHA512: b0ba3ae97015584011667b4ed1a12d07bc2fc8fe751ceb06ee4ed318dfaf8a7e69810e8e23b462c6ed11927f9e499f7857c623d05344fdcf8a171c79302192db
C:\ProgramData\Package Cache\qrsyusl
- Filesize: 654B
- MD5: 39977b8f27f221085f57bc009441db79
- SHA1: ef4ae8ff5eb263136276de8c3b764152292d6022
- SHA256: 53a4091b59d016770b910410107121d33ec4149a6b9b8cbc7cdb5ae5f7baf508
- SHA512: 489a825abf246b5c7b43fddce181cba8058fdba21919fe4136140ed23017f8eb03d526ef5cef35b15864b4912806593ef2b3bdb2682234deba6c1710dc9f817c
C:\ProgramData\Package Cache\qrsyusl
- Filesize: 654B
- MD5: e239cc20de2df399aafe6f8d0073b92e
- SHA1: 9166382661172740371095b979154a497e4c5188
- SHA256: e158809900877ea058b0e6cb44678ebebced0bc2ca6c6a65e75500052e9f1a74
- SHA512: 3eb80bd068471ec32b4c7d2fe7a1715f9d079ed37bce095e2cfda65e9edf4788f4fb1874260bcae5e3cf8ff435faf2f7cc91d5d02548f4384480a36fb2debe20
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
- Filesize: 1.0MB
- MD5: 5b65b00894b6bdf79de272360d268604
- SHA1: ba437d3e5f376f1d655632a52bf1e05af8a7e7a9
- SHA256: 10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80
- SHA512: 4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12