Analysis

- max time kernel: 2s
- max time network: 4s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/02/2024, 13:05
Static task: static1

Behavioral task: behavioral1
- Sample: VirusShare_368c01b181eda42d717feeff4291bb4a.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: VirusShare_368c01b181eda42d717feeff4291bb4a.exe
- Resource: win10v2004-20231222-en
Errors
General

- Target: VirusShare_368c01b181eda42d717feeff4291bb4a.exe
- Size: 45KB
- MD5: 368c01b181eda42d717feeff4291bb4a
- SHA1: d6a6df6a094b9d76a16c1c9d5ce16b9124ee50b1
- SHA256: 1a123a6b7cd4740e829d2e5178c718549d7d17bc7bb348e60fa7be6e1c683d72
- SHA512: 8c45f2bd544224de18c46e3ff90b6f75eca41d66be1636a3845e259df9618c33bab2120ee6f866edc4a490039729920c9708e5f600594e1b3a1ebacb17b904d3
- SSDEEP: 768:it4VZ1p/ija+1ImUqJsbEYY2Ixs4RhYuX5tOH2AFOmDDRLoJQ7zqAU6FbMPwl:Y4VZPqibA26sMK2GncKmA5
Malware Config
Signatures
- Detects ransomware indicator (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000231fa-4.dat | SUSP_RANSOMWARE_Indicator_Jul20
  behavioral2/memory/1516-44-0x0000000000400000-0x0000000000414000-memory.dmp | SUSP_RANSOMWARE_Indicator_Jul20

- Renames multiple (97) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | VirusShare_368c01b181eda42d717feeff4291bb4a.exe

- Executes dropped EXE (3 IoCs)
  pid | Process
  1104 | 321.exe
  512 | 123.exe
  908 | sys3.exe

- Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PHYSICALDRIVE0 | 123.exe
  File opened for modification | \??\PHYSICALDRIVE0 | sys3.exe

- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | 321.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | 321.exe
  File opened for modification | C:\Program Files\ConvertFromConnect.avi | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | 321.exe
  File opened for modification | C:\Program Files\dotnet\LICENSE.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\readme.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | 321.exe
  File opened for modification | C:\Program Files\Common Files\Services\verisign.bmp | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | 321.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | 321.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "3" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe

- Modifies registry class (10 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G3qe8q7fP9LpKJA.exe" | 321.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ShifR\ = "GFHWWRJZDKXSXJK" | 321.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\ = "CRYPTED!" | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\DefaultIcon | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\shell | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\shell\open | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ShifR | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK | 321.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\G3qe8q7fP9LpKJA.exe,0" | 321.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GFHWWRJZDKXSXJK\shell\open\command | 321.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 908 | sys3.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1008 | LogonUI.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1516 wrote to memory of 1104 | 1516 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 88
  PID 1516 wrote to memory of 1104 | 1516 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 88
  PID 1516 wrote to memory of 1104 | 1516 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 88
  PID 1516 wrote to memory of 512 | 1516 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 89
  PID 1516 wrote to memory of 512 | 1516 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 89
  PID 1516 wrote to memory of 512 | 1516 | VirusShare_368c01b181eda42d717feeff4291bb4a.exe | 89
  PID 512 wrote to memory of 908 | 512 | 123.exe | 90
  PID 512 wrote to memory of 908 | 512 | 123.exe | 90
  PID 512 wrote to memory of 908 | 512 | 123.exe | 90
Processes

- C:\Users\Admin\AppData\Local\Temp\VirusShare_368c01b181eda42d717feeff4291bb4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_368c01b181eda42d717feeff4291bb4a.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1516

  - C:\Users\Admin\AppData\Local\Temp\321.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\321.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    PID: 1104

  - C:\Users\Admin\AppData\Local\Temp\123.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID: 512

    - C:\Users\Admin\AppData\Local\Temp\sys3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\sys3.exe
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of AdjustPrivilegeToken
      PID: 908

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39a7855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 1008
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 10KB
  MD5: 5a27e6376a793f2857cf5dac8a4305da
  SHA1: fd4e4fed53f3f2f984a3d0e7984a1800f46d4cb4
  SHA256: c9b9fd42eb7276c8589655b4bb529890ef2b807ed5c7535978ec6bf89f870a5f
  SHA512: 78bee85ad0983f14622724b07958af83bc32ec1332abacd4ed52cd2ccdacd9c5c2349e9e81dbfb60a6e5c1268a78efefcd70e555728a049b8fc0351ce856d3b7

- Filesize: 11KB
  MD5: f2d39b84b4e112a1d0fa4d4fa6ffa6af
  SHA1: 8598cdcf63911f6181d3b3b8aa0a11b3c781a250
  SHA256: 48786527d3c37ad371cb79cd2aee7bb3a23ab04de2984398da691d5246a8f823
  SHA512: a8b854cb7cc7d12464532cd7896ae55d39b252bb9db26e9b2247f14dea802b987614ed366d513742d8e54504f5616cdb8a46ca80be6e736f219b348986bc06ee

- Filesize: 41B
  MD5: c16b7ee867494ffa79384d9b32bb1a6c
  SHA1: ff8254cc19420e6a90f390acd3fa4404c658c1c4
  SHA256: 51494ed614b90e1c9544ed82954e36dfe8c3e8b2b8e051c8d72a3b2fce58564e
  SHA512: 5bb13b03d4cc8d4c9f6e4f255ddb4311d1b2d549200a9d4f6ac1db3b2e016f014c76b0304acf054f729efe960a72078bf323689b6e1c64389743ccb7f7d1833a