734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
5s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 21:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/000/[email protected]
Size

6.7MB
MD5

f2b7074e1543720a9a98fda660e02688
SHA1

1029492c1a12789d8af78d54adcb921e24b9e5ca
SHA256

4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA512

73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
SSDEEP

3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	process
File opened (read-only)	\??\A:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\B:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\O:	[email protected]
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\X:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\S:	[email protected]

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	[email protected]

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

[email protected]

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper [email protected]
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3836 taskkill.exe
2112 taskkill.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper	[email protected]

pid	process
3836	taskkill.exe
2112	taskkill.exe

Modifies registry class 2 IoCs

Processes:

[email protected]

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	[email protected]
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{7D528170-4C18-4D09-A3B5-53022BAB5F17}	[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exe[email protected]taskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeShutdownPrivilege	5004	[email protected]
Token: SeCreatePagefilePrivilege	5004	[email protected]
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4780	WMIC.exe
Token: SeSecurityPrivilege	4780	WMIC.exe
Token: SeTakeOwnershipPrivilege	4780	WMIC.exe
Token: SeLoadDriverPrivilege	4780	WMIC.exe
Token: SeSystemProfilePrivilege	4780	WMIC.exe
Token: SeSystemtimePrivilege	4780	WMIC.exe
Token: SeProfSingleProcessPrivilege	4780	WMIC.exe
Token: SeIncBasePriorityPrivilege	4780	WMIC.exe
Token: SeCreatePagefilePrivilege	4780	WMIC.exe
Token: SeBackupPrivilege	4780	WMIC.exe
Token: SeRestorePrivilege	4780	WMIC.exe
Token: SeShutdownPrivilege	4780	WMIC.exe
Token: SeDebugPrivilege	4780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4780	WMIC.exe
Token: SeRemoteShutdownPrivilege	4780	WMIC.exe
Token: SeUndockPrivilege	4780	WMIC.exe
Token: SeManageVolumePrivilege	4780	WMIC.exe
Token: 33	4780	WMIC.exe
Token: 34	4780	WMIC.exe
Token: 35	4780	WMIC.exe
Token: 36	4780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4780	WMIC.exe
Token: SeSecurityPrivilege	4780	WMIC.exe
Token: SeTakeOwnershipPrivilege	4780	WMIC.exe
Token: SeLoadDriverPrivilege	4780	WMIC.exe
Token: SeSystemProfilePrivilege	4780	WMIC.exe
Token: SeSystemtimePrivilege	4780	WMIC.exe
Token: SeProfSingleProcessPrivilege	4780	WMIC.exe
Token: SeIncBasePriorityPrivilege	4780	WMIC.exe
Token: SeCreatePagefilePrivilege	4780	WMIC.exe
Token: SeBackupPrivilege	4780	WMIC.exe
Token: SeRestorePrivilege	4780	WMIC.exe
Token: SeShutdownPrivilege	4780	WMIC.exe
Token: SeDebugPrivilege	4780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4780	WMIC.exe
Token: SeRemoteShutdownPrivilege	4780	WMIC.exe
Token: SeUndockPrivilege	4780	WMIC.exe
Token: SeManageVolumePrivilege	4780	WMIC.exe
Token: 33	4780	WMIC.exe
Token: 34	4780	WMIC.exe
Token: 35	4780	WMIC.exe
Token: 36	4780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1816	WMIC.exe
Token: SeSecurityPrivilege	1816	WMIC.exe
Token: SeTakeOwnershipPrivilege	1816	WMIC.exe
Token: SeLoadDriverPrivilege	1816	WMIC.exe
Token: SeSystemProfilePrivilege	1816	WMIC.exe
Token: SeSystemtimePrivilege	1816	WMIC.exe
Token: SeProfSingleProcessPrivilege	1816	WMIC.exe
Token: SeIncBasePriorityPrivilege	1816	WMIC.exe
Token: SeCreatePagefilePrivilege	1816	WMIC.exe
Token: SeBackupPrivilege	1816	WMIC.exe
Token: SeRestorePrivilege	1816	WMIC.exe
Token: SeShutdownPrivilege	1816	WMIC.exe
Token: SeDebugPrivilege	1816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1816	WMIC.exe
Token: SeRemoteShutdownPrivilege	1816	WMIC.exe
Token: SeUndockPrivilege	1816	WMIC.exe
Token: SeManageVolumePrivilege	1816	WMIC.exe
Token: 33	1816	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

[email protected]

pid process

5004 [email protected]
5004 [email protected]

pid	process
5004	[email protected]
5004	[email protected]

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

[email protected]cmd.exe

description	pid	process	target process
PID 5004 wrote to memory of 4464	5004	[email protected]	cmd.exe
PID 5004 wrote to memory of 4464	5004	[email protected]	cmd.exe
PID 5004 wrote to memory of 4464	5004	[email protected]	cmd.exe
PID 4464 wrote to memory of 3836	4464	cmd.exe	taskkill.exe
PID 4464 wrote to memory of 3836	4464	cmd.exe	taskkill.exe
PID 4464 wrote to memory of 3836	4464	cmd.exe	taskkill.exe
PID 4464 wrote to memory of 2112	4464	cmd.exe	taskkill.exe
PID 4464 wrote to memory of 2112	4464	cmd.exe	taskkill.exe
PID 4464 wrote to memory of 2112	4464	cmd.exe	taskkill.exe
PID 4464 wrote to memory of 4780	4464	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 4780	4464	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 4780	4464	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 1816	4464	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 1816	4464	cmd.exe	WMIC.exe
PID 4464 wrote to memory of 1816	4464	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected]
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\000\[email protected]"
1⤵
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
3⤵
PID:3324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b3855 /state1:0x41c64e6d
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
077f30960d9e4ee83fff7d6734fd4756

SHA1
88d4bfc40e94bfd1c60f8142d69ab2adfa00cddf

SHA256
9999209b6d22ce028595e36c06490222dc9e56489d3595539e762c609dea5ac0

SHA512
285dc9ca635cee97b1d64efcdf03a700ca5cf7b77bca7a77c1d29f5509b98b6c904b9cbcd8eb73112029ba562da731a2e4ba88eed8e08922e4f75c9a48728b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
memory/5004-33-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-36-0x000000000BD30000-0x000000000BD40000-memory.dmp

Filesize
64KB

Download
memory/5004-23-0x000000000B0C0000-0x000000000B0CE000-memory.dmp

Filesize
56KB

Download
memory/5004-11-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/5004-29-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-30-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-31-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-32-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-0-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/5004-34-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-35-0x000000000BD30000-0x000000000BD40000-memory.dmp

Filesize
64KB

Download
memory/5004-22-0x000000000BCF0000-0x000000000BD28000-memory.dmp

Filesize
224KB

Download
memory/5004-38-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-39-0x000000000BD30000-0x000000000BD40000-memory.dmp

Filesize
64KB

Download
memory/5004-41-0x000000000BD30000-0x000000000BD40000-memory.dmp

Filesize
64KB

Download
memory/5004-42-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-43-0x000000000BD30000-0x000000000BD40000-memory.dmp

Filesize
64KB

Download
memory/5004-40-0x000000000BD30000-0x000000000BD40000-memory.dmp

Filesize
64KB

Download
memory/5004-37-0x000000000B390000-0x000000000B3A0000-memory.dmp

Filesize
64KB

Download
memory/5004-3-0x00000000059C0000-0x0000000005F64000-memory.dmp

Filesize
5.6MB

Download
memory/5004-2-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/5004-1-0x00000000002B0000-0x000000000095E000-memory.dmp

Filesize
6.7MB

Download
memory/5004-862-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads