067916eeef467124e4ed136953bc7f2dbd432367a8bb09598a35e1e608183b05

General

Target

5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
Size

143KB
MD5

193cbda4598fe61c69b538416fb78aa1
SHA1

7f8546a917732a4daf146b818fdb7c14b25df3ba
SHA256

5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92
SHA512

9e3cb60b519fb6f81b484048ab9e9b4ec78ef81f30c31807d28e18b8ac91a36e94d0c19e5e09082b1039cbcc4b6ece4189677168c97fe5a6da0fb395adc15e3b
SSDEEP

3072:MTb4+LoQHG9gh9hRgf2WGapffZY36ozdH6oz:ObFLo1aRg+gXZUz

Score

10^/10

discovery evasion exploit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

TankRansom2.0.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" TankRansom2.0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	TankRansom2.0.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

TankRansom2.0.exe

pid process

4660 TankRansom2.0.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4148 takeown.exe
1860 icacls.exe

pid	process
4660	TankRansom2.0.exe

pid	process
4148	takeown.exe
1860	icacls.exe

Drops startup file 2 IoCs

Processes:

TankRansom2.0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TankRansom.exe	TankRansom2.0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TankRansom.exe	TankRansom2.0.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4148 takeown.exe
1860 icacls.exe

pid	process
4148	takeown.exe
1860	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe

description	ioc	process
File opened for modification	C:\Windows\System32\LogonUIfake.exe	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File opened for modification	C:\Windows\System32\voice.vbs	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File opened for modification	C:\Windows\System32\TankRansom2.0.exe	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File created	C:\Windows\System32\LogonUIreal.exe	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File opened for modification	C:\Windows\System32\LogonUIreal.exe	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
File created	C:\Windows\System32\LogonUI.exe	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

TankRansom2.0.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings TankRansom2.0.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

TankRansom2.0.exe

pid process

4660 TankRansom2.0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	TankRansom2.0.exe

pid	process
4660	TankRansom2.0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exeTankRansom2.0.exeAUDIODG.EXE

description	pid	process
Token: SeTakeOwnershipPrivilege	4148	takeown.exe
Token: SeDebugPrivilege	4660	TankRansom2.0.exe
Token: 33	4220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4220	AUDIODG.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.execmd.exeTankRansom2.0.exe

description	pid	process	target process
PID 1004 wrote to memory of 1576	1004	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe	cmd.exe
PID 1004 wrote to memory of 1576	1004	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe	cmd.exe
PID 1576 wrote to memory of 4148	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 4148	1576	cmd.exe	takeown.exe
PID 1576 wrote to memory of 1860	1576	cmd.exe	icacls.exe
PID 1576 wrote to memory of 1860	1576	cmd.exe	icacls.exe
PID 1004 wrote to memory of 4660	1004	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe	TankRansom2.0.exe
PID 1004 wrote to memory of 4660	1004	5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe	TankRansom2.0.exe
PID 4660 wrote to memory of 3352	4660	TankRansom2.0.exe	WScript.exe
PID 4660 wrote to memory of 3352	4660	TankRansom2.0.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe
"C:\Users\Admin\AppData\Local\Temp\5de55c68325c841463352b7e53b058a65e476579fa8cf7126b9dbc6fc4fddc92.exe"
1⤵
- Disables RegEdit via registry modification
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
2⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1860

C:\Windows\System32\TankRansom2.0.exe
"C:\Windows\System32\TankRansom2.0.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\voice.vbs"
3⤵
PID:3352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\TankRansom2.0.exe

Filesize
45KB

MD5
63792b4a01f23ea169d88ddc93ea7c5c

SHA1
fbd311c82a2d79520b3890e5d18d49000deb9d5f

SHA256
3a1208f3b252ff662dccf6a9198f59948016d419d333253bb908a5eb0fa8b9e2

SHA512
56e9469d695aa9d9885f253599445c3a4d40da5d36514fe251a76d7146468fad2096736197d464e2204bb11a99324f8bef7d57dfb8851611faf47c28a390a531

Download Submit
C:\Windows\System32\TankRansom2.0.exe

Filesize
45KB

MD5
63792b4a01f23ea169d88ddc93ea7c5c

SHA1
fbd311c82a2d79520b3890e5d18d49000deb9d5f

SHA256
3a1208f3b252ff662dccf6a9198f59948016d419d333253bb908a5eb0fa8b9e2

SHA512
56e9469d695aa9d9885f253599445c3a4d40da5d36514fe251a76d7146468fad2096736197d464e2204bb11a99324f8bef7d57dfb8851611faf47c28a390a531

Download Submit
C:\Windows\System32\voice.vbs

Filesize
375B

MD5
f3356dbb18fb01413eb46d5672b0b3d9

SHA1
1b14464cfe89ee88cb4b9501919420eb73d9294b

SHA256
21982b5e271f90f9a3462d265eb0a213cd3315df841fded629fedea62b4cf31c

SHA512
1a766a765a28a3fa3d5b9590a6b2c3706d2d8638ac37bf367f66668170561b31be6adc0414942f88546a9430d911320c3aa46132fbed83bd152b35b96218b2ce

Download Submit
memory/1004-115-0x0000000000E40000-0x0000000000E6A000-memory.dmp

Filesize
168KB

Download
memory/1576-116-0x0000000000000000-mapping.dmp

Download
memory/1860-118-0x0000000000000000-mapping.dmp

Download
memory/3352-124-0x0000000000000000-mapping.dmp

Download
memory/4148-117-0x0000000000000000-mapping.dmp

Download
memory/4660-119-0x0000000000000000-mapping.dmp

Download
memory/4660-122-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads