Analysis

  • max time kernel
    87s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/11/2023, 20:19

Errors

  • Reason
    Machine shutdown

General

  • Target
    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
  • Size
    1.2MB
  • MD5
    e0340f456f76993fc047bc715dfdae6a
  • SHA1
    d47f6f7e553c4bc44a2fe88c2054de901390b2d7
  • SHA256
    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
  • SHA512
    cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
  • SSDEEP
    24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG

Malware Config

Signatures

  • Renames multiple (145) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • Executes dropped EXE (3 IoCs)
  • UPX packed file (2 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
  • AutoIT Executable (3 IoCs)
    AutoIT scripts compiled to PE executables.
  • Drops file in Windows directory (1 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (54 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
    "C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Users\Admin\10385113\protect.exe
      "C:\Users\Admin\10385113\protect.exe"
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3824
    • C:\Users\Admin\10385113\assembler.exe
      "C:\Users\Admin\10385113\assembler.exe" -f bin "C:\Users\Admin\10385113\boot.asm" -o "C:\Users\Admin\10385113\boot.bin"
      • Executes dropped EXE
      PID:1092
    • C:\Users\Admin\10385113\overwrite.exe
      "C:\Users\Admin\10385113\overwrite.exe" "C:\Users\Admin\10385113\boot.bin"
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:5012
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39a1855 /state1:0x41c64e6d
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2032
  • C:\Windows\system32\werfault.exe
    werfault.exe /hc /shared Global\57865ea4a6ff46769b3f54a38b27b7cc /t 0 /p 3872
    PID:1980

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\10385113\assembler.exe
    Filesize: 589KB
    MD5: 7e3cea1f686207563c8369f64ea28e5b
    SHA1: a1736fd61555841396b0406d5c9ca55c4b6cdf41
    SHA256: 2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2
    SHA512: 4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

  • C:\Users\Admin\10385113\boot.asm
    Filesize: 825B
    MD5: def1219cfb1c0a899e5c4ea32fe29f70
    SHA1: 88aedde59832576480dfc7cd3ee6f54a132588a8
    SHA256: 91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581
    SHA512: 1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

  • C:\Users\Admin\10385113\boot.bin
    Filesize: 512B
    MD5: 90053233e561c8bf7a7b14eda0fa0e84
    SHA1: 16a7138387f7a3366b7da350c598f71de3e1cde2
    SHA256: a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2
    SHA512: 63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

  • C:\Users\Admin\10385113\overwrite.exe
    Filesize: 288KB
    MD5: bc160318a6e8dadb664408fb539cd04b
    SHA1: 4b5eb324eebe3f84e623179a8e2c3743ccf32763
    SHA256: f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2
    SHA512: 51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

  • C:\Users\Admin\10385113\protect.exe
    Filesize: 837KB
    MD5: fd414666a5b2122c3d9e3e380cf225ed
    SHA1: de139747b42a807efa8a2dcc1a8304f9a29b862d
    SHA256: e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6
    SHA512: 9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

  • memory/1092-32-0x0000000000400000-0x000000000049B000-memory.dmp
    Filesize: 620KB
  • memory/2564-0-0x0000000000390000-0x000000000061E000-memory.dmp
    Filesize: 2.6MB
  • memory/2564-183-0x0000000000390000-0x000000000061E000-memory.dmp
    Filesize: 2.6MB
  • memory/5012-37-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB