Analysis

  • max time kernel
    142s
  • max time network
    76s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21-12-2022 09:54

General

  • Target

    5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe

  • Size

    143KB

  • MD5

    193cbda4598fe61c69b538416fb78aa1

  • SHA1

    7f8546a917732a4daf146b818fdb7c14b25df3ba

  • SHA256

    5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92

  • SHA512

    9e3cb60b519fb6f81b484048ab9e9b4ec78ef81f30c31807d28e18b8ac91a36e94d0c19e5e09082b1039cbcc4b6ece4189677168c97fe5a6da0fb395adc15e3b

  • SSDEEP

    3072:MTb4+LoQHG9gh9hRgf2WGapffZY36ozdH6oz:ObFLo1aRg+gXZUz

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Possible privilege escalation attempt 2 IoCs
  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
    "C:\Users\Admin\AppData\Local\Temp\5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32 /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1860
    • C:\Windows\System32\TankRansom2.0.exe
      "C:\Windows\System32\TankRansom2.0.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\voice.vbs"
        3⤵
        PID:3352
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3e4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4220

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Windows\System32\TankRansom2.0.exe

      Filesize

      45KB

      MD5

      63792b4a01f23ea169d88ddc93ea7c5c

      SHA1

      fbd311c82a2d79520b3890e5d18d49000deb9d5f

      SHA256

      3a1208f3b252ff662dccf6a9198f59948016d419d333253bb908a5eb0fa8b9e2

      SHA512

      56e9469d695aa9d9885f253599445c3a4d40da5d36514fe251a76d7146468fad2096736197d464e2204bb11a99324f8bef7d57dfb8851611faf47c28a390a531

    • C:\Windows\System32\voice.vbs

      Filesize

      375B

      MD5

      f3356dbb18fb01413eb46d5672b0b3d9

      SHA1

      1b14464cfe89ee88cb4b9501919420eb73d9294b

      SHA256

      21982b5e271f90f9a3462d265eb0a213cd3315df841fded629fedea62b4cf31c

      SHA512

      1a766a765a28a3fa3d5b9590a6b2c3706d2d8638ac37bf367f66668170561b31be6adc0414942f88546a9430d911320c3aa46132fbed83bd152b35b96218b2ce

    • memory/1004-115-0x0000000000E40000-0x0000000000E6A000-memory.dmp

      Filesize

      168KB

    • memory/1576-116-0x0000000000000000-mapping.dmp

    • memory/1860-118-0x0000000000000000-mapping.dmp

    • memory/3352-124-0x0000000000000000-mapping.dmp

    • memory/4148-117-0x0000000000000000-mapping.dmp

    • memory/4660-119-0x0000000000000000-mapping.dmp

    • memory/4660-122-0x00000000005D0000-0x00000000005E0000-memory.dmp

      Filesize

      64KB