Analysis
- max time kernel: 151s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 15:02
Static task: static1
Behavioral task: behavioral1 (Sample: Tokens.sk, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: Tokens.sk, Resource: win10v2004-20220812-en)
Behavioral task: behavioral3 (Sample: Tokens.sk, Resource: ubuntu1804-amd64-en-20211208)
Behavioral task: behavioral4 (Sample: Tokens.sk, Resource: debian9-armhf-20221111-en)
Behavioral task: behavioral5 (Sample: Tokens.sk, Resource: debian9-mipsbe-en-20211208)
Behavioral task: behavioral6 (Sample: Tokens.sk, Resource: debian9-mipsel-en-20211208)
General
- Target: Tokens.sk
- Size: 4KB
- MD5: fa656d935cc584d8c37a50f9b8b0686f
- SHA1: e1fd90cff910c009fce81612470022b1b6ec9b7b
- SHA256: 4cf4deaeba3985a478d520beb1e9d7ec42d7b332bfbe90513d207c894a0bad43
- SHA512: 0d803c762a8aa0d4bdc58085cc9a21bb2d09d71f9b94f19b041335f555ea50ca04c0b83c993a4942e3bf5a6591b7457e78ced2751dce6c6cb85c83111d875f15
- SSDEEP: 96:1RjqLAkUc26FUm5xG/He4zH+03AOGwIoe7hlqsz:1QbUaUm5xGvewH+03AOGwIoe7hlqsz
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (10 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sk_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.sk | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\.sk\ = "sk_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sk_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sk_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sk_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\sk_auto_file\shell | rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe
  pid | process
  560 | AcroRd32.exe
  560 | AcroRd32.exe
  560 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2028 wrote to memory of 924 | 2028 | cmd.exe | rundll32.exe
  PID 2028 wrote to memory of 924 | 2028 | cmd.exe | rundll32.exe
  PID 2028 wrote to memory of 924 | 2028 | cmd.exe | rundll32.exe
  PID 924 wrote to memory of 560 | 924 | rundll32.exe | AcroRd32.exe
  PID 924 wrote to memory of 560 | 924 | rundll32.exe | AcroRd32.exe
  PID 924 wrote to memory of 560 | 924 | rundll32.exe | AcroRd32.exe
  PID 924 wrote to memory of 560 | 924 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Tokens.sk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Tokens.sk
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Tokens.sk"
      - Suspicious use of SetWindowsHookEx