1d871d84ee02630558411e47c81ef2aa8bef8f6cd8daaf594f133f545f772c26

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 15:29

Target

Rasomware20exe.exe
Size

824KB
MD5

7d17a868abac9de81fe79087eee31471
SHA1

2d3f58ea051db43964243b8aefb7279e45e7bda9
SHA256

1d871d84ee02630558411e47c81ef2aa8bef8f6cd8daaf594f133f545f772c26
SHA512

85ec6c3cf0908b306712041fc9d971d27349641245c29f126e01443dcc6ccd78530c789b15d345938c194009c890b42f7c95bc65deae1ef7372e5744651f9540
SSDEEP

24576:ntfYkVVmFFFKvvvvvvvvvvvvvvvvms4AkVVmFFFKvvvvvvvvvvvvvvvvms4n:n+vnAvn

Score

10^/10

Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

Rasomware20exe.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" Rasomware20exe.exe
Disables Task Manager via registry modification
evasion
Drops desktop.ini file(s) 1 IoCs

Processes:

Rasomware20exe.exe

description ioc process

File created C:\Users\Admin\Downloads\desktop.ini Rasomware20exe.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

Rasomware20exe.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\Desktop\Wallpaper Rasomware20exe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	Rasomware20exe.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\desktop.ini	Rasomware20exe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\Desktop\Wallpaper	Rasomware20exe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Rasomware20exe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Rasomware20exe.exe

description pid process

Token: SeDebugPrivilege 2316 Rasomware20exe.exe

description	pid	process
Token: SeDebugPrivilege	2316	Rasomware20exe.exe

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

memory/2316-133-0x0000000000E30000-0x0000000000F04000-memory.dmp

Filesize
848KB

Download
memory/2316-134-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download
memory/2316-135-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download
memory/2316-162-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download
memory/2316-163-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download
memory/2316-164-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download
memory/2316-165-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download
memory/2316-166-0x000000001BD60000-0x000000001BD70000-memory.dmp

Filesize
64KB

Download