Analysis

  • max time kernel
    59s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-uk
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows
  • submitted
    03-03-2024 13:53

Errors

Reason
Machine shutdown

General

  • Target

    Ransomware/RedBoot.exe

  • Size

    1.2MB

  • MD5

    e0340f456f76993fc047bc715dfdae6a

  • SHA1

    d47f6f7e553c4bc44a2fe88c2054de901390b2d7

  • SHA256

    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

  • SHA512

    cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

  • SSDEEP

    24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG

Malware Config

Signatures

  • Renames multiple (149) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware\RedBoot.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware\RedBoot.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Users\Admin\43629156\protect.exe
      "C:\Users\Admin\43629156\protect.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2828
    • C:\Users\Admin\43629156\assembler.exe
      "C:\Users\Admin\43629156\assembler.exe" -f bin "C:\Users\Admin\43629156\boot.asm" -o "C:\Users\Admin\43629156\boot.bin"
      2⤵
      • Executes dropped EXE
      PID:452
    • C:\Users\Admin\43629156\overwrite.exe
      "C:\Users\Admin\43629156\overwrite.exe" "C:\Users\Admin\43629156\boot.bin"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:4852
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3984055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\43629156\assembler.exe

    Filesize

    589KB

    MD5

    7e3cea1f686207563c8369f64ea28e5b

    SHA1

    a1736fd61555841396b0406d5c9ca55c4b6cdf41

    SHA256

    2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

    SHA512

    4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

  • C:\Users\Admin\43629156\boot.asm

    Filesize

    825B

    MD5

    def1219cfb1c0a899e5c4ea32fe29f70

    SHA1

    88aedde59832576480dfc7cd3ee6f54a132588a8

    SHA256

    91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581

    SHA512

    1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

  • C:\Users\Admin\43629156\boot.bin

    Filesize

    512B

    MD5

    90053233e561c8bf7a7b14eda0fa0e84

    SHA1

    16a7138387f7a3366b7da350c598f71de3e1cde2

    SHA256

    a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2

    SHA512

    63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

  • C:\Users\Admin\43629156\overwrite.exe

    Filesize

    288KB

    MD5

    bc160318a6e8dadb664408fb539cd04b

    SHA1

    4b5eb324eebe3f84e623179a8e2c3743ccf32763

    SHA256

    f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

    SHA512

    51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

  • C:\Users\Admin\43629156\protect.exe

    Filesize

    837KB

    MD5

    fd414666a5b2122c3d9e3e380cf225ed

    SHA1

    de139747b42a807efa8a2dcc1a8304f9a29b862d

    SHA256

    e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

    SHA512

    9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

  • memory/452-32-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/3688-0-0x0000000000BE0000-0x0000000000E6E000-memory.dmp

    Filesize

    2.6MB

  • memory/3688-187-0x0000000000BE0000-0x0000000000E6E000-memory.dmp

    Filesize

    2.6MB

  • memory/4852-37-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB