Analysis
- max time kernel: 20s
- max time network: 27s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-04-2023 17:21
Behavioral task behavioral1
- Sample: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
- Resource: win7-20230220-en

Behavioral task behavioral2
- Sample: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
- Resource: win10v2004-20230220-en
Errors
General
- Target: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
- Size: 1.2MB
- MD5: e0340f456f76993fc047bc715dfdae6a
- SHA1: d47f6f7e553c4bc44a2fe88c2054de901390b2d7
- SHA256: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
- SHA512: cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
- SSDEEP: 24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG
Malware Config
Signatures
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
- File created: C:\Users\Admin\Pictures\DisconnectUnblock.tiff.locked (process: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe)
- File created: C:\Users\Admin\Pictures\GroupRegister.crw.locked (process: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe)
- File created: C:\Users\Admin\Pictures\SuspendSubmit.crw.locked (process: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe)
- File created: C:\Users\Admin\Pictures\SyncConvert.crw.locked (process: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe)
Executes dropped EXE (3 IoCs)
Processes: protect.exe, assembler.exe, overwrite.exe
- PID 1516: protect.exe
- PID 2204: assembler.exe
- PID 3252: overwrite.exe
Processes:
- behavioral2/memory/4968-133-0x0000000000660000-0x00000000008EE000-memory.dmp (yara_rule: upx)
- behavioral2/memory/4968-330-0x0000000000660000-0x00000000008EE000-memory.dmp (yara_rule: upx)
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: overwrite.exe
- File opened for modification: \??\PhysicalDrive0 (process: overwrite.exe)
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
- C:\Users\Admin\25146970\protect.exe (yara_rule: autoit_exe)
- C:\Users\Admin\25146970\protect.exe (yara_rule: autoit_exe)
- behavioral2/memory/4968-330-0x0000000000660000-0x00000000008EE000-memory.dmp (yara_rule: autoit_exe)
Modifies data under HKEY_USERS (15 IoCs)
Processes: LogonUI.exe
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "15" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: protect.exe
- PID 1516: protect.exe (the same entry is recorded 64 times, one per IoC)
Suspicious behavior: RenamesItself (1 IoCs)
Processes: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
- PID 4968: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
- Token: SeShutdownPrivilege, PID 4968, 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: LogonUI.exe
- PID 2772: LogonUI.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
- PID 4968 wrote to memory of 1516: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe -> protect.exe (3 entries)
- PID 4968 wrote to memory of 2204: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe -> assembler.exe (3 entries)
- PID 4968 wrote to memory of 3252: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe -> overwrite.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe (PID 4968, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"
  - Modifies extensions of user files
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Users\Admin\25146970\protect.exe (PID 1516, depth 2)
    command line: "C:\Users\Admin\25146970\protect.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\25146970\assembler.exe (PID 2204, depth 2)
    command line: "C:\Users\Admin\25146970\assembler.exe" -f bin "C:\Users\Admin\25146970\boot.asm" -o "C:\Users\Admin\25146970\boot.bin"
    - Executes dropped EXE
  - C:\Users\Admin\25146970\overwrite.exe (PID 3252, depth 2)
    command line: "C:\Users\Admin\25146970\overwrite.exe" "C:\Users\Admin\25146970\boot.bin"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
- C:\Windows\system32\LogonUI.exe (PID 2772, depth 1)
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa39fc855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\25146970\assembler.exe
  Filesize: 589KB
  MD5: 7e3cea1f686207563c8369f64ea28e5b
  SHA1: a1736fd61555841396b0406d5c9ca55c4b6cdf41
  SHA256: 2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2
  SHA512: 4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3
- C:\Users\Admin\25146970\boot.asm
  Filesize: 825B
  MD5: def1219cfb1c0a899e5c4ea32fe29f70
  SHA1: 88aedde59832576480dfc7cd3ee6f54a132588a8
  SHA256: 91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581
  SHA512: 1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423
- C:\Users\Admin\25146970\boot.bin
  Filesize: 512B
  MD5: 90053233e561c8bf7a7b14eda0fa0e84
  SHA1: 16a7138387f7a3366b7da350c598f71de3e1cde2
  SHA256: a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2
  SHA512: 63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4
- C:\Users\Admin\25146970\overwrite.exe
  Filesize: 288KB
  MD5: bc160318a6e8dadb664408fb539cd04b
  SHA1: 4b5eb324eebe3f84e623179a8e2c3743ccf32763
  SHA256: f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2
  SHA512: 51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c
- C:\Users\Admin\25146970\protect.exe
  Filesize: 837KB
  MD5: fd414666a5b2122c3d9e3e380cf225ed
  SHA1: de139747b42a807efa8a2dcc1a8304f9a29b862d
  SHA256: e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6
  SHA512: 9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05
- memory/2204-165-0x0000000000400000-0x000000000049B000-memory.dmp
  Filesize: 620KB
- memory/3252-170-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
- memory/4968-133-0x0000000000660000-0x00000000008EE000-memory.dmp
  Filesize: 2.6MB
- memory/4968-330-0x0000000000660000-0x00000000008EE000-memory.dmp
  Filesize: 2.6MB