Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 08:15
Static task: static1
Behavioral task: behavioral1
  Sample: 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
  Resource: win10v2004-20230220-en
General
Target: 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
Size: 406KB
MD5: 392f56d7c7b640affaae2e99410f3ec7
SHA1: bcbe1b37f5c6712f21fe2b8cdfe030e55b235a1b
SHA256: 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073
SHA512: 386e65e25015a5badf2f77e7c46413d71022a58877011caacc9e53229c3242d5c84803122841578e6af79a4856364498aa05239b2dd3ef64439c1bbc2e5450dc
SSDEEP: 12288:kAqRal1A2gsWn18XIGapIAy83rNa+rid0:kxkJ45G9F8A+R
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run | 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KRNGL = "C:\\ProgramData\\KRNGL.exe" | 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: Explorer.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.png" | Explorer.EXE
- Modifies registry class (2 IoCs)
  Processes: Explorer.EXE
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
  pid | process
  4356 | 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
  4356 | 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  3160 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes: wmic.exe, vssvc.exe, Explorer.EXE
  description | pid | process
  wmic.exe (pid 4080), the following 21-token sequence recorded twice (42 entries):
    Token: SeIncreaseQuotaPrivilege | 4080 | wmic.exe
    Token: SeSecurityPrivilege | 4080 | wmic.exe
    Token: SeTakeOwnershipPrivilege | 4080 | wmic.exe
    Token: SeLoadDriverPrivilege | 4080 | wmic.exe
    Token: SeSystemProfilePrivilege | 4080 | wmic.exe
    Token: SeSystemtimePrivilege | 4080 | wmic.exe
    Token: SeProfSingleProcessPrivilege | 4080 | wmic.exe
    Token: SeIncBasePriorityPrivilege | 4080 | wmic.exe
    Token: SeCreatePagefilePrivilege | 4080 | wmic.exe
    Token: SeBackupPrivilege | 4080 | wmic.exe
    Token: SeRestorePrivilege | 4080 | wmic.exe
    Token: SeShutdownPrivilege | 4080 | wmic.exe
    Token: SeDebugPrivilege | 4080 | wmic.exe
    Token: SeSystemEnvironmentPrivilege | 4080 | wmic.exe
    Token: SeRemoteShutdownPrivilege | 4080 | wmic.exe
    Token: SeUndockPrivilege | 4080 | wmic.exe
    Token: SeManageVolumePrivilege | 4080 | wmic.exe
    Token: 33 | 4080 | wmic.exe
    Token: 34 | 4080 | wmic.exe
    Token: 35 | 4080 | wmic.exe
    Token: 36 | 4080 | wmic.exe
  vssvc.exe (pid 1596), 3 entries:
    Token: SeBackupPrivilege | 1596 | vssvc.exe
    Token: SeRestorePrivilege | 1596 | vssvc.exe
    Token: SeAuditPrivilege | 1596 | vssvc.exe
  Explorer.EXE (pid 3160), 4 entries:
    Token: SeShutdownPrivilege | 3160 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3160 | Explorer.EXE
    Token: SeShutdownPrivilege | 3160 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3160 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (10 IoCs)
  Processes: Explorer.EXE
  pid | process
  3160 | Explorer.EXE (10 identical entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE
  pid | process
  3160 | Explorer.EXE (4 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe, Explorer.EXE
  description | pid | process | target process
  PID 4356 wrote to memory of 3160 | 4356 | 73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe | Explorer.EXE
  PID 3160 wrote to memory of 4080 | 3160 | Explorer.EXE | wmic.exe
  PID 3160 wrote to memory of 4080 | 3160 | Explorer.EXE | wmic.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\73cb87faef2c3ecb0302862632490bd72bf4adcb6266c912ba991396a8b4b073.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe (depth 2)
    Command line: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\README.KRNGL.txt
  Filesize: 274B
  MD5: c55cb00073164fef156c3f585a6be65f
  SHA1: 45f79b1a17d172019607e781bfaa7a34fef776e8
  SHA256: 111b4f221ebb4ef983d1236549c129a00f26e3b60eb32e0bff91400348dbca2f
  SHA512: f10e9b5d2c25e93e6cdae8f6ecbd2ef53c54493d5630122703b26b353c18a2201e42df276f5a7ec86a6c30e955125c99db78492331d09f7f86b20f3a1932ee01
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
  Filesize: 14KB
  MD5: 2257fa8cef64a74c33655bd5f74ef5e5
  SHA1: b9f8baf96166f99cb1983563e632e6e69984ad5c
  SHA256: ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3
  SHA512: 7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9
- memory/3160-133-0x0000000002BA0000-0x0000000002BDD000-memory.dmp
  Filesize: 244KB
- memory/3160-134-0x0000000180000000-0x0000000180043000-memory.dmp
  Filesize: 268KB