Resubmissions: 1 (18-03-2024 22:36)

Analysis: 240318-2h9hwsba88 (score 10)
- max time kernel: 8s
- max time network: 11s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-03-2024 22:36
Behavioral tasks (task / sample / resource)
- behavioral1    Ransomware/$uckyLocker.exe            win10v2004-20240226-en
- behavioral2    Ransomware/7ev3n.exe                  win10v2004-20240226-en
- behavioral3    Ransomware/Annabelle.exe              win10v2004-20240226-en
- behavioral4    Ransomware/BadRabbit.exe              win10v2004-20240226-en
- behavioral5    Ransomware/Birele.exe                 win10v2004-20240226-en
- behavioral6    Ransomware/Cerber5.exe                win10v2004-20240226-en
- behavioral7    Ransomware/CoronaVirus.exe            win10v2004-20240226-en
- behavioral8    Ransomware/CryptoLocker.exe           win10v2004-20240226-en
- behavioral9    Ransomware/CryptoWall.exe             win10v2004-20240226-en
- behavioral10   Ransomware/DeriaLock.exe              win10v2004-20231215-en
- behavioral11   Ransomware/Dharma.exe                 win10v2004-20240226-en
- behavioral12   Ransomware/Fantom.exe                 win10v2004-20240226-en
- behavioral13   Ransomware/GandCrab.exe               win10v2004-20240226-en
- behavioral14   Ransomware/GoldenEye/GoldenEye.exe    win10v2004-20240226-en
- behavioral15   Ransomware/GoldenEye/GoldenEye.js     win10v2004-20240226-en
- behavioral16   Ransomware/InfinityCrypt.exe          win10v2004-20240226-en
- behavioral17   Ransomware/Krotten.exe                win10v2004-20240226-en
- behavioral18   Ransomware/Locky.AZ.dll               win10v2004-20240226-en
- behavioral19   Ransomware/NoMoreRansom.exe           win10v2004-20240226-en
- behavioral20   Ransomware/NotPetya.exe               win10v2004-20240226-en
- behavioral21   Ransomware/PetrWrap.exe               win10v2004-20231215-en
- behavioral22   Ransomware/Petya.A.exe                win10v2004-20240226-en
- behavioral23   Ransomware/PolyRansom.exe             win10v2004-20240226-en
- behavioral24   Ransomware/PowerPoint.exe             win10v2004-20240226-en
- behavioral25   Ransomware/RedBoot.exe                win10v2004-20240226-en
- behavioral26   Ransomware/RedEye.exe                 win10v2004-20240226-en
- behavioral27   Ransomware/Rensenware.exe             win10v2004-20240226-en
- behavioral28   Ransomware/Rokku.exe                  win10v2004-20240226-en
- behavioral29   Ransomware/Satana.exe                 win10v2004-20240226-en
- behavioral30   Ransomware/Seftad.exe                 win10v2004-20240226-en
- behavioral31   Ransomware/SporaRansomware.exe        win10v2004-20240226-en
- behavioral32   Ransomware/UIWIX.dll                  win10v2004-20240226-en
General (task behavioral25)
- Target: Ransomware/RedBoot.exe
- Size: 1.2MB
- MD5: e0340f456f76993fc047bc715dfdae6a
- SHA1: d47f6f7e553c4bc44a2fe88c2054de901390b2d7
- SHA256: 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
- SHA512: cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
- SSDEEP: 24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG
Signatures
- Renames multiple (121) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Executes dropped EXE (3 IoCs)
  pid    Process
  4124   protect.exe
  4440   assembler.exe
  1928   overwrite.exe

- YARA rule matches (rule: upx)
  resource                                                                        yara_rule
  behavioral25/memory/3716-0-0x0000000000C10000-0x0000000000E9E000-memory.dmp     upx
  behavioral25/memory/3716-159-0x0000000000C10000-0x0000000000E9E000-memory.dmp   upx

- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                   Process
  File opened for modification  \??\PhysicalDrive0    overwrite.exe

- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                                                        yara_rule
  behavioral25/files/0x000c000000023150-22.dat                                    autoit_exe
  behavioral25/memory/3716-159-0x0000000000C10000-0x0000000000E9E000-memory.dmp   autoit_exe

- Modifies data under HKEY_USERS (15 IoCs), all by process LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  4124   protect.exe   (the same entry is reported 64 times)

- Suspicious behavior: RenamesItself (1 IoC)
  pid    Process
  3716   RedBoot.exe

- Suspicious use of AdjustPrivilegeToken (30 IoCs, pid 3716 RedBoot.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  1748   LogonUI.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid    Process        procid_target
  PID 3716 wrote to memory of 4124  3716   RedBoot.exe    90
  PID 3716 wrote to memory of 4124  3716   RedBoot.exe    90
  PID 3716 wrote to memory of 4124  3716   RedBoot.exe    90
  PID 3716 wrote to memory of 4440  3716   RedBoot.exe    91
  PID 3716 wrote to memory of 4440  3716   RedBoot.exe    91
  PID 3716 wrote to memory of 4440  3716   RedBoot.exe    91
  PID 3716 wrote to memory of 1928  3716   RedBoot.exe    93
  PID 3716 wrote to memory of 1928  3716   RedBoot.exe    93
  PID 3716 wrote to memory of 1928  3716   RedBoot.exe    93
Processes (process tree)
- C:\Users\Admin\AppData\Local\Temp\Ransomware\RedBoot.exe (PID 3716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware\RedBoot.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\94361161\protect.exe (PID 4124)
    Command line: "C:\Users\Admin\94361161\protect.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\94361161\assembler.exe (PID 4440)
    Command line: "C:\Users\Admin\94361161\assembler.exe" -f bin "C:\Users\Admin\94361161\boot.asm" -o "C:\Users\Admin\94361161\boot.bin"
    - Executes dropped EXE
  - C:\Users\Admin\94361161\overwrite.exe (PID 1928)
    Command line: "C:\Users\Admin\94361161\overwrite.exe" "C:\Users\Admin\94361161\boot.bin"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
- C:\Windows\system32\LogonUI.exe (PID 1748)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39a6855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Downloads