04e56a99957eb3328946a8c601f190bb6534e34e926c0d72b2b9c69acd6f61bd

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rkill.exe
Size

1.7MB
MD5

0e69f0d7dff33025d9706dbf2d1afc67
SHA1

bb65f7a77e4023c499100669f6abf3e96bdd5935
SHA256

04e56a99957eb3328946a8c601f190bb6534e34e926c0d72b2b9c69acd6f61bd
SHA512

6f6a8e32aa470251d001d54413bcf5c5327f05f029e95d9e763d52c9888a5de951e41957b0a1b8d3280cd4af650b811da55d188595d0a13f73d42693694e656f
SSDEEP

49152:PpEsgw1gkZV2HXsMnmjEREseBSsxHnfXsrHYiKYiliZ:7IYtYd

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	rkill64.exe

Executes dropped EXE 1 IoCs

pid	Process
3648	rkill64.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4588	Notepad.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3648	rkill64.exe
3648	rkill64.exe
3648	rkill64.exe
3648	rkill64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	rkill.exe
Token: SeDebugPrivilege	3648	rkill64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3648	1468	rkill.exe	87
PID 1468 wrote to memory of 3648	1468	rkill.exe	87
PID 3648 wrote to memory of 4588	3648	rkill64.exe	97
PID 3648 wrote to memory of 4588	3648	rkill64.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\rkill.exe
"C:\Users\Admin\AppData\Local\Temp\rkill.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\rkill64.exe
  C:\Users\Admin\AppData\Local\Temp\rkill.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\System32\Notepad.exe
    Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rkill64.exe

Filesize
960KB

MD5
0b768337711afaf41e40ba8f242c79cc

SHA1
10ae8a2b53a9853631375b307f4a6b572a61b391

SHA256
ebf4f6d4cd5eed24fe46f834c3b942e02a6e4c9ad3ba8fbaac61e4d0fd104e73

SHA512
3abdacf0f17bad81829247d4504e48504560623bca08c6ee188ba9dfda4789892ec0b8ea647eff1c28d6d7577b971db0113af4e161c25096d401d73ecaa230d0

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
3KB

MD5
1bd09463a5b2f3eb567fdeecdd139431

SHA1
63cbb2e726357cac93b78cfa01a36894bb9f1342

SHA256
39ada5938ba1dda939f2317e26a679cb47e72976d69cdd9759dff907020778d1

SHA512
e818f70f0a241bfdd6a0b9e579e047f92f1c9e2396bdd7890e278814171617e0af61524a52f92715f00a64bb2dbe6429fb46c938f961dca8cfc778b0c93bcfb2

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
514B

MD5
8dcaf28228546a24f12029a1477027ee

SHA1
d5c266f0e19ede2a69ee1b4b087402ffd9cb17b5

SHA256
709668ecf36b03016cd0e2b480b2b1991f11d7ae3b282c3e9c00247d4de23121

SHA512
210575611065eaca69daf3a375fa4279b1ec6ddc0a23a54fe922e23864dea0256fb1ae9bd1c3f7d3fc64febd70a244d72498f13d409007fc8533c2801031ee9d

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
514B

MD5
8dcaf28228546a24f12029a1477027ee

SHA1
d5c266f0e19ede2a69ee1b4b087402ffd9cb17b5

SHA256
709668ecf36b03016cd0e2b480b2b1991f11d7ae3b282c3e9c00247d4de23121

SHA512
210575611065eaca69daf3a375fa4279b1ec6ddc0a23a54fe922e23864dea0256fb1ae9bd1c3f7d3fc64febd70a244d72498f13d409007fc8533c2801031ee9d

Download Submit