Analysis
-
max time kernel
82s -
max time network
82s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
21/04/2024, 18:00
General
-
Target
ROTANOTEDKSID-Destructive.exe
-
Size
17.9MB
-
MD5
8b93e46a7e9e681b2124ffe7647bbba1
-
SHA1
dee59152e78de697f1d23b350cd0f1e14b648960
-
SHA256
c9b88b16d87992287ef72834bae3ac45db9eba4e32dcc8db4756bf6349d97a25
-
SHA512
47618d6f367b99a0b9688dd2bdfba9e2999195c556dc8c4defb4284998093d737b586911de280dfaf51fe76ca628fc6d47096dd4077ce2224c4df3272439e138
-
SSDEEP
393216:3bAOuHdROJY4gVM5RdxEK1iLXXEhkrzu2WXJcC8d9SkdOt:3sOg0Y4qM5RXEKWNjWKCc/o
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Executes dropped EXE 6 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 6 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 44 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ROTANOTEDKSID-Destructive.exe"C:\Users\Admin\AppData\Local\Temp\ROTANOTEDKSID-Destructive.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2175.tmp\2176.tmp\2177.vbs //Nologo2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\2175.tmp\s.cmd" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
-
C:\Users\Admin\AppData\Local\Temp\2175.tmp\WipeMBR.exeWipeMBR.exe4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2175.tmp\snd.vbs"4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\note.txt4⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\timeout.exetimeout 5 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.co.ck/search?q=help+me+my+computer+has+a+virus4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\2175.tmp\MouseDraw.exeMouseDraw.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\timeout.exetimeout 10 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\2175.tmp\pixels.exepixels.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\timeout.exetimeout 10 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\2175.tmp\gl.exegl.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\timeout.exetimeout 5 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\2175.tmp\TextOut.exeTextOut.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\timeout.exetimeout 30 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\2175.tmp\masher.exemasher.exe4⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\system32\timeout.exetimeout 15 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im wininit.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD5b53a4d0e252b77a84da4036e901724a5
SHA15d07193b7576b9626db793d0a3c8dec89ff57ec5
SHA2569ef291777354426f8ae7dbebe3677da0ba78eabc11d20a252238b05cec44d66f
SHA512108a651208c98a4b56c8a2e2d8523f8fb050d7d9365f6a51ef540c9acdcb3146645f5e06578570fbf4808444c0407eedacfa5330ff75a1eb1a11d0d35aa2bc84
-
Filesize
344B
MD57e335fa87eb163e97ad88f9b9989cdae
SHA1b21817b5548fe4bc86aee258bda11ce48100bf6a
SHA2564dac90861ff8c107af516b2156b36edb2ea76682d39c9e9c5123ff82db61a956
SHA512d13dc960e4beb4aefaa2170b9caa06523330d40e9e354c647b55033783d385f47ade912b256397eda75ae9003e37c434a5045183ec1acc68c5b3bab8c1376b52
-
Filesize
344B
MD56a72b3ac0682a73f62d02919d8e05c61
SHA19840c1456c4186de85e2678f1554246f9e3e6b3b
SHA256542ce5ea6d3f24aac1ec1fbcbfe4981c9d74418c869b0688c6ff5e2547023979
SHA5124b18a942a854b6586382e39f8455e3d929dec5238272af601c0c9ca8d64adda04219a0644f89cb8bed82c286dd091a6e735f6b020eb3c40202605be99da04186
-
Filesize
344B
MD5f25aa5fdbc85addd2d34dfb380f59346
SHA1569004de6a9c177c21902e856e0ec1c91f8f49fa
SHA25693f549dc8ac2b25463df045129323b6bed0d76e3f335acd80e82a87971443b7d
SHA5120e38cd844a20b997b06de82ec72cf46d3aac70285dd291b8a38788fe051e2015850b5e5f3401c71b3fd550e5065a04b2e2cb43527d4a80018fa78f5c05ba8dc0
-
Filesize
344B
MD5e23722fd2ab64abf951a98fbee349b76
SHA1bd1689cd4a4cc912e75de9d8654373f4a86c735a
SHA256ddffcb96498db346bba1f954b91629e96aff850b53961f9e9f42fb5b56589427
SHA512a7f30f3e3e24445e67e4621b5e8923b6f0606dbe39c09eb118fc28536965753bfaaa5040d955d93d7c47f4e235b27b01a6e6c9f08abf53bf436ced515c839320
-
Filesize
344B
MD5ceb001b71ea68b418fa0d7a1f9b9ef5a
SHA174d0cbfc00bb242448afe2ca466b5d96a4650c4e
SHA25677e15154f9adc46e1ad98c66a2518d0ff6fce15b9bde5f32687355200d14a3ce
SHA5124a1af07f4e17b6d8ee41eafb7db5d097c4155594b78a356c75d9c384a8b49d8b4c23db6a8f9e0cff846c6cf69df1b9cb63092e4ca6bad30af8e9363a36595b43
-
Filesize
344B
MD531bb228dde3c27973b9f35b8f213e3dd
SHA139ed569b64ec81454d29ef8ef892361b55a8843d
SHA256f73ee977009814de5024efe54f3f5f2daa11794670e4fa51795dcfd047448130
SHA512ec14241134093a2a1c3f00b0ac7bf58096c602b4947c681ad0d96001b9b1e418e3f49d4bcb5b60a60dda63e48f054366d59e42c7341b568c3386a9177de963aa
-
Filesize
344B
MD59290054ab112a97eb5d366298ca55645
SHA12595ec21524d8af60822303becd873360e80c593
SHA256f9505039d9efff07d89864dd4d1028b56e97630eca8e46cf6ee1ffb2f090653d
SHA51204982a6cfd57b6185e3f176f5bb1f1566655bb2f3335d8bf46900456b5d7ad73a84a20565d68faf9a4c5f86ce090b41a58b7d8327bc6e58d965833978c7e20bb
-
Filesize
344B
MD540244b178a119d2fa988c44863678d53
SHA1e1c5b9ecf0b0ce5e4e4cf466ec88dc8f147320ca
SHA2568b648694508cf46047e843b2fe6d4a6adb27d85b53acf5ad02f8d561a0e40df6
SHA5120699b0fc6201a8a0cffb3198d5b5a0e1d00b26195c8aed9e69e3fca8ac74d260480b52bc5dcbc1717b98f6e88df46a8fdd3e38506d8a8bd34b0fe5dad17c3274
-
Filesize
344B
MD51170629622927163f77151e83c2ef9b8
SHA16089f20cb822fa7eae2ec6df9285caaaaa754251
SHA25682fede2583cd58d0aacc77efd5db188c7278dd68cb3397cbcdadcbd705d02248
SHA512345777dc55102a3748fd8280befcaa85b7c3b59ba4497f83fe00054ce6389d988a5813cae923ddefd11f069342cde5b85329eaada69a2aeee2a8ff71782d1784
-
Filesize
242B
MD5915150254666effc4a58f7c213bc2f7f
SHA1ee1981a46b25e584701fd353718c14077383e67f
SHA256c6d078bf10634f0ec4a55a47ece62871cfcf36b2fbf4a1fb03c9ef764a4e2a1f
SHA512638408baafb582c76f614b478bdfef7af45af3b272c2ec5e084ce15c3744f0458e1a3f3b84a1d94e131befda233be1b95e6dfc68172a1251ba7a08a9ffd48ea7
-
Filesize
5KB
MD5bb19ae1d01877a3f48f79caad1b8adfc
SHA16e1ffdc11f63ed2b7527c18b728e3c8d0bf473db
SHA256f7b4a5c922d1621419d3d60752d2b62a5ae7ee5ba1df30c42263b33cca75e76c
SHA512c2772c02f5efa27d148323e414ba968e6a2ed24cfbab55c232b1ec3b3e224d6fed022dc6b8427220447e5a41d1ad49c37c18b2dd8456a576b9ed1d9af464b379
-
Filesize
55KB
MD5eb4bc511f79f7a1573b45f5775b3a99b
SHA1d910fb51ad7316aa54f055079374574698e74b35
SHA2567859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050
SHA512ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0
-
Filesize
5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
Filesize
498KB
MD5e9ccb3dbde79ba5ffdf9cad4b32d59fd
SHA13a8cd67adc7c885bdf683f1e7f491e6a4a50679f
SHA2568f2c6777c7ccc01ab67290fa8acd5a4c4866be64129f39dfaeb9197dfa15e137
SHA5125ca7c8439030c9b4b966760c660640a094b0d6e30e10df85d7b900c6f9108b0e309298ed93c006634bb3f437bab3cff1b83a5d1b18c666c04346f0856294c461
-
Filesize
884B
MD5b1ffd981efee9b6dd90e104fe96674d4
SHA17430659628b9745f3cf9b343c79a995854ffb033
SHA256b7ea938b6f7838c8e3207c84d048957d28917f143b3ab9cd4901154a8d14d8a5
SHA512f3ee256ef0b7de3293bd6f9dfef6e4ae72da617ae1e91350db94d9bbe7f94e6ca82345a901d041d8f5bf57dc3db3a423c6cc5d0d509a4d39941d21b9aabd0dd4
-
Filesize
103KB
MD5be86c274800697354120d01c65f33258
SHA18154def1188ee33564f939f9d6d4c588ee30b004
SHA256dfa46efcc267f7c4fa18c9a3f1f0204fe3266cceadff2a8fffb9d1a66312ea4d
SHA5120e5470851b2793c48cc5c585e42eebafac094e9ad3bc52599aded633bac7e8ef9da48236ecabadc9ed367ba10fa4989ff4b7deb7b2a04723c3f615401a32619a
-
Filesize
105KB
MD5eb7b4001626d2b0527c3ae30ee4ed9a7
SHA19df4431810306a7df10ebc609cd7497c4aefe161
SHA256dd0d91ef97690c3810fb4ebe285c937147e9cfb1c10927ebeb443783de0bc6d1
SHA5124dbde2b4240a32c2960c45e4dd43f6cfaa8296de3e1e6c419bd70f5f79f8a8d844b6912abf82ba7e4dae08b98281a5f24f0dcb35f785970c10720f3c71e6c6e5
-
Filesize
104KB
MD5ec7a81a425f85d9acce04ffe9221b47f
SHA184dcebfad820d6da0f9f345e1d3bd0b34e7144d1
SHA256074c27fc89ad943eced18cc29f24f2ebb7747bef3abb0f2866989ea0a2b6047f
SHA512df8244079fa3f7f84807dff1d814b73306a5dc7eee65183e19da5de5f880270391bd579f0047b89deeb326b033352910ef66a2e44bd6a5f2936babc7e9051ec4
-
Filesize
22.7MB
MD52635b974d7d8b4c8ff21f9a1c62ccc5c
SHA19dcf453ff65b4f53131a22eebd078ff91850131e
SHA25678c187cf219cb44ce79ee72029bf85ca4516d3a5ffd49e20d3577d0222588ffd
SHA512172b506e4636a7ade20f07e0334af3b67682145f41d9089486679f3bea505730a630949d830eadf606e41725035009698f0a90cbab637e81899d460090c64c3a
-
Filesize
105KB
MD5754be91171c29e0b2b35c209553c6e45
SHA173da71d831ba2c13aaf28a9e2d581ee52d95d639
SHA256595f476a34f1b6a481a89aec8bab0e323e7ccc7fbc53586982d26f681ddcc4a3
SHA5121ea4b1c01548275f701ccd09cc4018f60efcaacbcc8676fd989d05e9322e5f5bbd967e5206bfda18f6ce6d989dfa45cd4dd9155fc08c1fbdbb2ba025c2927fc6
-
Filesize
103KB
MD5b8c89423394e0e68cd7e22940e09072b
SHA1ab7a1e0f97b51d0e1ca158c3190ab411fdc4ff99
SHA2566cb009d194a96ceb66f4ebb564893d170605c6c4c36d242043a59aad172fa0f2
SHA51252b1d62a43f981764cb26359456a7b79c049c1fa73a5d6e1ecc776006d04e5dd2834aa24786a45b5fe73e082848686e187225a2aa1b785c1468d30e786eb36bd
-
Filesize
103KB
MD544f3a742cabfd08c4462d5ade9640e35
SHA1572d67622db81b18bae66cf506dc858d6f77ef7e
SHA256ad6decfe3dca3a836d18be663114ad3f318df39fe3cc98753f106eb63632f71e
SHA5129307e3db6febbb2e66bca313b77819c59c4593d1ffc4f7875cc89168401af8708fb16978e26b1c6c7dcd1404a0072bd0dff5c524608d04bd1a19b8006eae7528
-
Filesize
592B
MD50f5dadbddd4d6bcdd1abac71fdb32104
SHA11cd1067d0a970a0049cc683c73654bd6b8f571dc
SHA256887680f385c15361070839683ab710277f233689d04eed822a4e1625dbd92d98
SHA512b6b59b2d6e10ebe1dd869436ba35a70fa298b36e23159240635bda360f450243f8449e6d196bc41510c022a956445e65676509b6b3151c9be141f70802c5363c
-
Filesize
221B
MD57f1f2f18b81c7ff47430c518defb9f48
SHA133642f35825428762b8133721ca38466e7b69559
SHA256208337c0a3656061ad50d85b608cc0fec353f71d16ccd6896aae2ed4e5bdfa58
SHA512c441e17a5f48c7b381a233f95b88b640f167ac053584a77e20cf5f9cc0e199527051ce7d39d450573af6db4ea5c8056ed62189322c2e0ba9a6779dae1dbbfc04
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
36B
MD5a4e789bb56e618fcb3ef8aa1c78c3e7c
SHA1140d37cf32bdbfc2225c47141237a65ea5aab232
SHA2566478fe5c461fde02690d3386e9f70210853cae13d3e5577c31e8bb69783d1d7c
SHA5129a616962d9c872a08dda1db0f251af1da843a7da3053ec88fa30f22fb25c905724927c7f3f31f790de10e6ad8bbae8006336a15b272a38beb614410d07943024
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
4KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB