Analysis
- max time kernel: 152s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 15:22
Static task: static1
Behavioral task: behavioral1
- Sample: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
- Resource: win10v2004-20220901-en
General
- Target: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
- Size: 637KB
- MD5: 7da542b3bb5315c122e615782f69ecbf
- SHA1: 6ed5e8827874dc1ffb452511f7a0c7a8556fd954
- SHA256: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
- SHA512: 80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4
- SSDEEP: 12288:7Wbr5dYHRCfp7cJY2nj9pH9G3qMc7qJUHrlm63yCkhep9Mkkf:6bddfhIJN7dG3O7XH53ybheLDkf
Malware Config
Extracted from C:\ProgramData\yrnkowk.html:
- http-equiv='Content-Type
Extracted from C:\Users\Admin\Documents\Decrypt All Files plqrcsi.txt:
- http://kph3onblkthy4z37.onion.cab
- http://kph3onblkthy4z37.tor2web.org
- http://kph3onblkthy4z37.onion/
Extracted from C:\ProgramData\yrnkowk.html:
- http://kph3onblkthy4z37.onion.cab
- http://kph3onblkthy4z37.tor2web.org
- http://kph3onblkthy4z37.onion
Signatures
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 1340 dajjvan.exe
- 5088 dajjvan.exe
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process):
- File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\HideConnect.CRW.plqrcsi (svchost.exe)
- File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PublishEnable.RAW.plqrcsi (svchost.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (dajjvan.exe)
Drops desktop.ini file(s) (1 IoC)
Processes (description, ioc, process):
- File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)
Drops file in System32 directory (5 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (dajjvan.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (dajjvan.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (dajjvan.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini (dajjvan.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (dajjvan.exe)
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt All Files plqrcsi.bmp" (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings (4 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\GPU (dajjvan.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (dajjvan.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (dajjvan.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (dajjvan.exe)
Modifies data under HKEY_USERS (20 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (svchost.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (svchost.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume (svchost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\MaxCapacity = "15140" (svchost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\NukeOnDelete = "0" (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion (svchost.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000} (svchost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320033003300390065003000340035002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d0000000000 (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (svchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID (svchost.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" (svchost.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
- 4412 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
- 4412 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe
- 1340 dajjvan.exe
- 1340 dajjvan.exe
- 1340 dajjvan.exe
- 1340 dajjvan.exe
- 1340 dajjvan.exe
- 1340 dajjvan.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 760 Explorer.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1340 dajjvan.exe
- Token: SeDebugPrivilege, 1340 dajjvan.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
- 5088 dajjvan.exe
Suspicious use of SendNotifyMessage (1 IoC)
Processes (pid, process):
- 5088 dajjvan.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 5088 dajjvan.exe
- 5088 dajjvan.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process, target process):
- PID 1340 wrote to memory of 812: dajjvan.exe -> svchost.exe
- PID 812 wrote to memory of 1668: svchost.exe -> wmiprvse.exe
- PID 812 wrote to memory of 1668: svchost.exe -> wmiprvse.exe
- PID 812 wrote to memory of 3972: svchost.exe -> DllHost.exe
- PID 812 wrote to memory of 3972: svchost.exe -> DllHost.exe
- PID 1340 wrote to memory of 760: dajjvan.exe -> Explorer.EXE
- PID 1340 wrote to memory of 5088: dajjvan.exe -> dajjvan.exe
- PID 1340 wrote to memory of 5088: dajjvan.exe -> dajjvan.exe
- PID 1340 wrote to memory of 5088: dajjvan.exe -> dajjvan.exe
- PID 812 wrote to memory of 5020: svchost.exe -> mousocoreworker.exe
- PID 812 wrote to memory of 5020: svchost.exe -> mousocoreworker.exe
Processes
- C:\Windows\system32\svchost.exe (depth 1)
  - Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - Signatures: Modifies extensions of user files; Drops desktop.ini file(s); Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\wbem\wmiprvse.exe (depth 2)
    - Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Child: C:\Windows\system32\DllHost.exe (depth 2)
    - Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  - Child: C:\Windows\System32\mousocoreworker.exe (depth 2)
    - Command line: C:\Windows\System32\mousocoreworker.exe -Embedding
- C:\Windows\Explorer.EXE (depth 1)
  - Command line: C:\Windows\Explorer.EXE
  - Signatures: Sets desktop wallpaper using registry; Suspicious behavior: GetForegroundWindowSpam
  - Child: C:\Users\Admin\AppData\Local\Temp\85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe (depth 2)
    - Command line: "C:\Users\Admin\AppData\Local\Temp\85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37.exe"
    - Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\dajjvan.exe (depth 1)
  - Command line: C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
  - Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\dajjvan.exe (depth 2)
    - Command line: "C:\Users\Admin\AppData\Local\Temp\dajjvan.exe" -u
    - Signatures: Executes dropped EXE; Checks computer location settings; Drops file in System32 directory; Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\ssh\akatxdg (654B)
  - MD5: 89fc50408112153bca3dc685c6738d63
  - SHA1: 2772e1ab663f1be96013e6aba275a715674b0242
  - SHA256: 11c35006d5ac339264c16886029cdafa8eb39b98cc40b9fcbb9396d30fdb8931
  - SHA512: 7b70860abf83fb98b5541cb1f50f0fd1191b07fe8629ccee9837d057f6f2036ea8cf93aef2e9ef650f6906309a5b1a5d631c7f4dc9e03022de9851f9f8a145a1
- C:\ProgramData\ssh\akatxdg (654B)
  - MD5: cca6ce898e8fdb41e24fce416535d317
  - SHA1: 3c859d3df0069e8cfbcfdf0d7b54a2524cab9dbf
  - SHA256: d4239a3f9c9b9360ce72fc5bef604ca6c5bdea8082b61a34a8eb4c944ea6bee3
  - SHA512: f1ef05d1baecbfd1b2c181bdb9f48cf92718eec8f6e977a374a31c70b3d3cc9dd1239bd40453f46893453418872cd3b66d3146c3609ade977c12fd728cb7f74a
- C:\ProgramData\yrnkowk.html (223KB)
  - MD5: 084d681027c85fc83e9a0136a755b225
  - SHA1: d23c1c39873ab5fc77e064ef0d5f5ff872b98c26
  - SHA256: 044cf2b191eedf2d4890cd524a1346a64d67dae6f564cad45d914f29cda17ae4
  - SHA512: cc9c0c990ea18719131966d8c22fe020a7bb860c934fadc628c7fbfc5f5178cf266b7fa477a1f6cb3e4ae1d10bc31336dfb0ca2cd7fc644d11cfc09d0ea96bd6
- C:\Users\Admin\AppData\Local\Temp\dajjvan.exe (637KB)
  - MD5: 7da542b3bb5315c122e615782f69ecbf
  - SHA1: 6ed5e8827874dc1ffb452511f7a0c7a8556fd954
  - SHA256: 85959a1fb5d3d9f5b6e222540e7fbe65cdb108388c6bc8f88766aa517dda5f37
  - SHA512: 80f3b521a64bddddcf9c6747c76e92423ad036bdc79aa88d8fb61ea5a00baf0d8c6da3f5dfd963a5fe47c4ac763da5972ff8b6f12db8c1bfcbf80fad3920a1f4
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.plqrcsi (36KB)
  - MD5: f341d7a6d12b594ec30d7c4f68711058
  - SHA1: 5f22f1105513f1628995ae3cd07ad262d6d721a8
  - SHA256: 79582b5b76e5b557f6870411289bbf0ae724829aa8e5244a4fc14f71e9e506b4
  - SHA512: 8e18c4a4bf8279c2c12406ed2b71bdadd6dc4d2e071405ca69c50830d3c0d499c0400f3f970c7e1caa5ff579baf50e03d10855bb3b7c63fb3b27d62700b7aab3
- memory/812-138-0x0000000034C00000-0x0000000034C69000-memory.dmp (420KB)
- memory/1340-137-0x0000000000B70000-0x0000000000D91000-memory.dmp (2.1MB)
- memory/1668-140-0x0000000000000000-mapping.dmp
- memory/3972-141-0x0000000000000000-mapping.dmp
- memory/4412-132-0x0000000000F20000-0x0000000001110000-memory.dmp (1.9MB)
- memory/4412-133-0x0000000001110000-0x0000000001331000-memory.dmp (2.1MB)
- memory/5020-151-0x0000000000000000-mapping.dmp
- memory/5088-147-0x0000000001200000-0x0000000001421000-memory.dmp (2.1MB)
- memory/5088-144-0x0000000000000000-mapping.dmp