Analysis
-
max time kernel
142s -
max time network
76s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system -
submitted
21-12-2022 09:54
Static task
static1
Behavioral task
behavioral1
Sample
5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
Resource
win10-20220812-en
General
-
Target
5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
-
Size
143KB
-
MD5
193cbda4598fe61c69b538416fb78aa1
-
SHA1
7f8546a917732a4daf146b818fdb7c14b25df3ba
-
SHA256
5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92
-
SHA512
9e3cb60b519fb6f81b484048ab9e9b4ec78ef81f30c31807d28e18b8ac91a36e94d0c19e5e09082b1039cbcc4b6ece4189677168c97fe5a6da0fb395adc15e3b
-
SSDEEP
3072:MTb4+LoQHG9gh9hRgf2WGapffZY36ozdH6oz:ObFLo1aRg+gXZUz
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: TankRansom2.0.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | TankRansom2.0.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes: TankRansom2.0.exe
pid | process
4660 | TankRansom2.0.exe
-
Possible privilege escalation attempt 2 IoCs
Processes: takeown.exe, icacls.exe
pid | process
4148 | takeown.exe
1860 | icacls.exe
-
Drops startup file 2 IoCs
Processes: TankRansom2.0.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TankRansom.exe | TankRansom2.0.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TankRansom.exe | TankRansom2.0.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes: takeown.exe, icacls.exe
pid | process
4148 | takeown.exe
1860 | icacls.exe
-
Drops file in System32 directory 6 IoCs
Processes: 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
description | ioc | process
File opened for modification | C:\Windows\System32\LogonUIfake.exe | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File opened for modification | C:\Windows\System32\voice.vbs | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File opened for modification | C:\Windows\System32\TankRansom2.0.exe | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File created | C:\Windows\System32\LogonUIreal.exe | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File opened for modification | C:\Windows\System32\LogonUIreal.exe | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File created | C:\Windows\System32\LogonUI.exe | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes: TankRansom2.0.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | TankRansom2.0.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: TankRansom2.0.exe
pid | process
4660 | TankRansom2.0.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: takeown.exe, TankRansom2.0.exe, AUDIODG.EXE
description | pid | process
Token: SeTakeOwnershipPrivilege | 4148 | takeown.exe
Token: SeDebugPrivilege | 4660 | TankRansom2.0.exe
Token: 33 | 4220 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4220 | AUDIODG.EXE
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes: 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe, cmd.exe, TankRansom2.0.exe
description | pid | process | target process
PID 1004 wrote to memory of 1576 | 1004 | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe | cmd.exe
PID 1004 wrote to memory of 1576 | 1004 | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe | cmd.exe
PID 1576 wrote to memory of 4148 | 1576 | cmd.exe | takeown.exe
PID 1576 wrote to memory of 4148 | 1576 | cmd.exe | takeown.exe
PID 1576 wrote to memory of 1860 | 1576 | cmd.exe | icacls.exe
PID 1576 wrote to memory of 1860 | 1576 | cmd.exe | icacls.exe
PID 1004 wrote to memory of 4660 | 1004 | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe | TankRansom2.0.exe
PID 1004 wrote to memory of 4660 | 1004 | 5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe | TankRansom2.0.exe
PID 4660 wrote to memory of 3352 | 4660 | TankRansom2.0.exe | WScript.exe
PID 4660 wrote to memory of 3352 | 4660 | TankRansom2.0.exe | WScript.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe"
  - Disables RegEdit via registry modification
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1004
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    - Suspicious use of WriteProcessMemory
    PID: 1576
    - C:\Windows\system32\takeown.exe (depth 3)
      Command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID: 4148
    - C:\Windows\system32\icacls.exe (depth 3)
      Command line: icacls C:\Windows\System32 /grant "Admin:F"
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID: 1860
  - C:\Windows\System32\TankRansom2.0.exe (depth 2)
    Command line: "C:\Windows\System32\TankRansom2.0.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops startup file
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4660
    - C:\Windows\System32\WScript.exe (depth 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\voice.vbs"
      PID: 3352
- C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3e4
  - Suspicious use of AdjustPrivilegeToken
  PID: 4220
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
45KB
MD5 63792b4a01f23ea169d88ddc93ea7c5c
SHA1 fbd311c82a2d79520b3890e5d18d49000deb9d5f
SHA256 3a1208f3b252ff662dccf6a9198f59948016d419d333253bb908a5eb0fa8b9e2
SHA512 56e9469d695aa9d9885f253599445c3a4d40da5d36514fe251a76d7146468fad2096736197d464e2204bb11a99324f8bef7d57dfb8851611faf47c28a390a531
-
Filesize
375B
MD5 f3356dbb18fb01413eb46d5672b0b3d9
SHA1 1b14464cfe89ee88cb4b9501919420eb73d9294b
SHA256 21982b5e271f90f9a3462d265eb0a213cd3315df841fded629fedea62b4cf31c
SHA512 1a766a765a28a3fa3d5b9590a6b2c3706d2d8638ac37bf367f66668170561b31be6adc0414942f88546a9430d911320c3aa46132fbed83bd152b35b96218b2ce