5f72efa758d857722a10e5e90313fc236d3e60342a59cd9bb7f35779e91be461

Reason

Machine shutdown

General

Target

Virus/000.exe
Size

6.7MB
MD5

d5671758956b39e048680b6a8275e96a
SHA1

33c341130bf9c93311001a6284692c86fec200ef
SHA256

4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47
SHA512

972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7
SSDEEP

3072:V3LA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuzzo9Y:lLJlC6j0CX4XmvWHVcd62uo9

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	process
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\O:	000.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

000.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Control Panel\Desktop\Wallpaper 000.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1408 taskkill.exe
1244 taskkill.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Control Panel\Desktop\Wallpaper	000.exe

pid	process
1408	taskkill.exe
1244	taskkill.exe

Modifies registry class 1 IoCs

Processes:

000.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exe000.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeShutdownPrivilege	3328	000.exe
Token: SeCreatePagefilePrivilege	3328	000.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeIncreaseQuotaPrivilege	96	WMIC.exe
Token: SeSecurityPrivilege	96	WMIC.exe
Token: SeTakeOwnershipPrivilege	96	WMIC.exe
Token: SeLoadDriverPrivilege	96	WMIC.exe
Token: SeSystemProfilePrivilege	96	WMIC.exe
Token: SeSystemtimePrivilege	96	WMIC.exe
Token: SeProfSingleProcessPrivilege	96	WMIC.exe
Token: SeIncBasePriorityPrivilege	96	WMIC.exe
Token: SeCreatePagefilePrivilege	96	WMIC.exe
Token: SeBackupPrivilege	96	WMIC.exe
Token: SeRestorePrivilege	96	WMIC.exe
Token: SeShutdownPrivilege	96	WMIC.exe
Token: SeDebugPrivilege	96	WMIC.exe
Token: SeSystemEnvironmentPrivilege	96	WMIC.exe
Token: SeRemoteShutdownPrivilege	96	WMIC.exe
Token: SeUndockPrivilege	96	WMIC.exe
Token: SeManageVolumePrivilege	96	WMIC.exe
Token: 33	96	WMIC.exe
Token: 34	96	WMIC.exe
Token: 35	96	WMIC.exe
Token: 36	96	WMIC.exe
Token: SeIncreaseQuotaPrivilege	96	WMIC.exe
Token: SeSecurityPrivilege	96	WMIC.exe
Token: SeTakeOwnershipPrivilege	96	WMIC.exe
Token: SeLoadDriverPrivilege	96	WMIC.exe
Token: SeSystemProfilePrivilege	96	WMIC.exe
Token: SeSystemtimePrivilege	96	WMIC.exe
Token: SeProfSingleProcessPrivilege	96	WMIC.exe
Token: SeIncBasePriorityPrivilege	96	WMIC.exe
Token: SeCreatePagefilePrivilege	96	WMIC.exe
Token: SeBackupPrivilege	96	WMIC.exe
Token: SeRestorePrivilege	96	WMIC.exe
Token: SeShutdownPrivilege	96	WMIC.exe
Token: SeDebugPrivilege	96	WMIC.exe
Token: SeSystemEnvironmentPrivilege	96	WMIC.exe
Token: SeRemoteShutdownPrivilege	96	WMIC.exe
Token: SeUndockPrivilege	96	WMIC.exe
Token: SeManageVolumePrivilege	96	WMIC.exe
Token: 33	96	WMIC.exe
Token: 34	96	WMIC.exe
Token: 35	96	WMIC.exe
Token: 36	96	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3080	WMIC.exe
Token: SeSecurityPrivilege	3080	WMIC.exe
Token: SeTakeOwnershipPrivilege	3080	WMIC.exe
Token: SeLoadDriverPrivilege	3080	WMIC.exe
Token: SeSystemProfilePrivilege	3080	WMIC.exe
Token: SeSystemtimePrivilege	3080	WMIC.exe
Token: SeProfSingleProcessPrivilege	3080	WMIC.exe
Token: SeIncBasePriorityPrivilege	3080	WMIC.exe
Token: SeCreatePagefilePrivilege	3080	WMIC.exe
Token: SeBackupPrivilege	3080	WMIC.exe
Token: SeRestorePrivilege	3080	WMIC.exe
Token: SeShutdownPrivilege	3080	WMIC.exe
Token: SeDebugPrivilege	3080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3080	WMIC.exe
Token: SeRemoteShutdownPrivilege	3080	WMIC.exe
Token: SeUndockPrivilege	3080	WMIC.exe
Token: SeManageVolumePrivilege	3080	WMIC.exe
Token: 33	3080	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

000.exe

pid process

3328 000.exe
3328 000.exe

pid	process
3328	000.exe
3328	000.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

000.execmd.exe

description	pid	process	target process
PID 3328 wrote to memory of 4680	3328	000.exe	cmd.exe
PID 3328 wrote to memory of 4680	3328	000.exe	cmd.exe
PID 3328 wrote to memory of 4680	3328	000.exe	cmd.exe
PID 4680 wrote to memory of 1408	4680	cmd.exe	taskkill.exe
PID 4680 wrote to memory of 1408	4680	cmd.exe	taskkill.exe
PID 4680 wrote to memory of 1408	4680	cmd.exe	taskkill.exe
PID 4680 wrote to memory of 1244	4680	cmd.exe	taskkill.exe
PID 4680 wrote to memory of 1244	4680	cmd.exe	taskkill.exe
PID 4680 wrote to memory of 1244	4680	cmd.exe	taskkill.exe
PID 4680 wrote to memory of 96	4680	cmd.exe	WMIC.exe
PID 4680 wrote to memory of 96	4680	cmd.exe	WMIC.exe
PID 4680 wrote to memory of 96	4680	cmd.exe	WMIC.exe
PID 4680 wrote to memory of 3080	4680	cmd.exe	WMIC.exe
PID 4680 wrote to memory of 3080	4680	cmd.exe	WMIC.exe
PID 4680 wrote to memory of 3080	4680	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\Virus\000.exe
"C:\Users\Admin\AppData\Local\Temp\Virus\000.exe"
1⤵
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:96

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
3⤵
PID:3464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae5855 /state1:0x41c64e6d
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
d8f20d2bce6f1962478a64026d725b61

SHA1
7d7212dccc194e64e7f76e66d4de1cf437b4eb1d

SHA256
bfc48cfab6b0ff35bdf38e39fb7d7c62505e3a90ce9e7e43dd2ae848ee92310d

SHA512
0cb3d85b4c7c1695606b07c273f26df17c3f6f130431d695ef1dc46be805d007880be3d257743ea7583625a5e5f39548d5ef134966f5b4a0a90416be03a26f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
64KB

MD5
900c9568247666d064041f295dabcd20

SHA1
32b4ba4ee470232ba85fd6570eb3273adba847ba

SHA256
65e03fc9317cac07f38fc0f7ba1c8a87e49216d1c319b390777b39b6901b2a46

SHA512
b5518aa0062f03a68dfbdf92c38ec0f6b166d262162d2b690bfa0511b09bba45f1b9938d869871c1ce32543861ad66952f6850c9f7409e17249647fd3aa5050c

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4

Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
memory/3328-35-0x000000000C6D0000-0x000000000C6E0000-memory.dmp

Filesize
64KB

Download
memory/3328-39-0x000000000C2D0000-0x000000000C2E0000-memory.dmp

Filesize
64KB

Download
memory/3328-28-0x000000000C2D0000-0x000000000C2E0000-memory.dmp

Filesize
64KB

Download
memory/3328-29-0x000000000C2D0000-0x000000000C2E0000-memory.dmp

Filesize
64KB

Download
memory/3328-33-0x000000000C2D0000-0x000000000C2E0000-memory.dmp

Filesize
64KB

Download
memory/3328-31-0x000000000C2D0000-0x000000000C2E0000-memory.dmp

Filesize
64KB

Download
memory/3328-34-0x000000000C2D0000-0x000000000C2E0000-memory.dmp

Filesize
64KB

Download
memory/3328-1-0x0000000000E80000-0x000000000152E000-memory.dmp

Filesize
6.7MB

Download
memory/3328-37-0x000000000C6D0000-0x000000000C6E0000-memory.dmp

Filesize
64KB

Download
memory/3328-38-0x000000000C6D0000-0x000000000C6E0000-memory.dmp

Filesize
64KB

Download
memory/3328-36-0x000000000C6D0000-0x000000000C6E0000-memory.dmp

Filesize
64KB

Download
memory/3328-22-0x000000000C5A0000-0x000000000C5D8000-memory.dmp

Filesize
224KB

Download
memory/3328-41-0x000000000C2D0000-0x000000000C2E0000-memory.dmp

Filesize
64KB

Download
memory/3328-40-0x000000000C2D0000-0x000000000C2E0000-memory.dmp

Filesize
64KB

Download
memory/3328-42-0x000000000C6D0000-0x000000000C6E0000-memory.dmp

Filesize
64KB

Download
memory/3328-43-0x000000000C6D0000-0x000000000C6E0000-memory.dmp

Filesize
64KB

Download
memory/3328-11-0x0000000005EC0000-0x0000000005ED0000-memory.dmp

Filesize
64KB

Download
memory/3328-3-0x0000000006490000-0x000000000698E000-memory.dmp

Filesize
5.0MB

Download
memory/3328-2-0x0000000005EC0000-0x0000000005ED0000-memory.dmp

Filesize
64KB

Download
memory/3328-398-0x0000000073640000-0x0000000073D2E000-memory.dmp

Filesize
6.9MB

Download
memory/3328-863-0x0000000005EC0000-0x0000000005ED0000-memory.dmp

Filesize
64KB

Download
memory/3328-0-0x0000000073640000-0x0000000073D2E000-memory.dmp

Filesize
6.9MB

Download
memory/3328-867-0x0000000005EC0000-0x0000000005ED0000-memory.dmp

Filesize
64KB

Download
memory/3328-874-0x0000000073640000-0x0000000073D2E000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads