73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073

General

Target

73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
Size

406KB
MD5

392f56d7c7b640affaae2e99410f3ec7
SHA1

bcbe1b37f5c6712f21fe2b8cdfe030e55b235a1b
SHA256

73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073
SHA512

386e65e25015a5badf2f77e7c46413d71022a58877011caacc9e53229c3242d5c84803122841578e6af79a4856364498aa05239b2dd3ef64439c1bbc2e5450dc
SSDEEP

12288:kAqRal1A2gsWn18XIGapIAy83rNa+rid0:kxkJ45G9F8A+R

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KRNGL = "C:\\ProgramData\\KRNGL.exe"	73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.png"	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe

pid	process
4356	73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
4356	73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

wmic.exevssvc.exeExplorer.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	4080	wmic.exe
Token: SeSecurityPrivilege	4080	wmic.exe
Token: SeTakeOwnershipPrivilege	4080	wmic.exe
Token: SeLoadDriverPrivilege	4080	wmic.exe
Token: SeSystemProfilePrivilege	4080	wmic.exe
Token: SeSystemtimePrivilege	4080	wmic.exe
Token: SeProfSingleProcessPrivilege	4080	wmic.exe
Token: SeIncBasePriorityPrivilege	4080	wmic.exe
Token: SeCreatePagefilePrivilege	4080	wmic.exe
Token: SeBackupPrivilege	4080	wmic.exe
Token: SeRestorePrivilege	4080	wmic.exe
Token: SeShutdownPrivilege	4080	wmic.exe
Token: SeDebugPrivilege	4080	wmic.exe
Token: SeSystemEnvironmentPrivilege	4080	wmic.exe
Token: SeRemoteShutdownPrivilege	4080	wmic.exe
Token: SeUndockPrivilege	4080	wmic.exe
Token: SeManageVolumePrivilege	4080	wmic.exe
Token: 33	4080	wmic.exe
Token: 34	4080	wmic.exe
Token: 35	4080	wmic.exe
Token: 36	4080	wmic.exe
Token: SeIncreaseQuotaPrivilege	4080	wmic.exe
Token: SeSecurityPrivilege	4080	wmic.exe
Token: SeTakeOwnershipPrivilege	4080	wmic.exe
Token: SeLoadDriverPrivilege	4080	wmic.exe
Token: SeSystemProfilePrivilege	4080	wmic.exe
Token: SeSystemtimePrivilege	4080	wmic.exe
Token: SeProfSingleProcessPrivilege	4080	wmic.exe
Token: SeIncBasePriorityPrivilege	4080	wmic.exe
Token: SeCreatePagefilePrivilege	4080	wmic.exe
Token: SeBackupPrivilege	4080	wmic.exe
Token: SeRestorePrivilege	4080	wmic.exe
Token: SeShutdownPrivilege	4080	wmic.exe
Token: SeDebugPrivilege	4080	wmic.exe
Token: SeSystemEnvironmentPrivilege	4080	wmic.exe
Token: SeRemoteShutdownPrivilege	4080	wmic.exe
Token: SeUndockPrivilege	4080	wmic.exe
Token: SeManageVolumePrivilege	4080	wmic.exe
Token: 33	4080	wmic.exe
Token: 34	4080	wmic.exe
Token: 35	4080	wmic.exe
Token: 36	4080	wmic.exe
Token: SeBackupPrivilege	1596	vssvc.exe
Token: SeRestorePrivilege	1596	vssvc.exe
Token: SeAuditPrivilege	1596	vssvc.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Explorer.EXE

pid	process
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

3160 Explorer.EXE
3160 Explorer.EXE
3160 Explorer.EXE
3160 Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exeExplorer.EXE

description	pid	process	target process
PID 4356 wrote to memory of 3160	4356	73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe	Explorer.EXE
PID 3160 wrote to memory of 4080	3160	Explorer.EXE	wmic.exe
PID 3160 wrote to memory of 4080	3160	Explorer.EXE	wmic.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
"C:\Users\Admin\AppData\Local\Temp\73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\README.KRNGL.txt
Filesize
274B

MD5
c55cb00073164fef156c3f585a6be65f

SHA1
45f79b1a17d172019607e781bfaa7a34fef776e8

SHA256
111b4f221ebb4ef983d1236549c129a00f26e3b60eb32e0bff91400348dbca2f

SHA512
f10e9b5d2c25e93e6cdae8f6ecbd2ef53c54493d5630122703b26b353c18a2201e42df276f5a7ec86a6c30e955125c99db78492331d09f7f86b20f3a1932ee01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
Filesize
14KB

MD5
2257fa8cef64a74c33655bd5f74ef5e5

SHA1
b9f8baf96166f99cb1983563e632e6e69984ad5c

SHA256
ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3

SHA512
7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9

Download Submit
memory/3160-133-0x0000000002BA0000-0x0000000002BDD000-memory.dmp

Filesize
244KB

Download
memory/3160-134-0x0000000180000000-0x0000000180043000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads