Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21/04/2024, 18:00
General
-
Target
ROTANOTEDKSID-Destructive.exe
-
Size
17.9MB
-
MD5
8b93e46a7e9e681b2124ffe7647bbba1
-
SHA1
dee59152e78de697f1d23b350cd0f1e14b648960
-
SHA256
c9b88b16d87992287ef72834bae3ac45db9eba4e32dcc8db4756bf6349d97a25
-
SHA512
47618d6f367b99a0b9688dd2bdfba9e2999195c556dc8c4defb4284998093d737b586911de280dfaf51fe76ca628fc6d47096dd4077ce2224c4df3272439e138
-
SSDEEP
393216:3bAOuHdROJY4gVM5RdxEK1iLXXEhkrzu2WXJcC8d9SkdOt:3sOg0Y4qM5RXEKWNjWKCc/o
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 6 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ROTANOTEDKSID-Destructive.exe"C:\Users\Admin\AppData\Local\Temp\ROTANOTEDKSID-Destructive.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\274A.tmp\274B.tmp\274C.vbs //Nologo2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\274A.tmp\s.cmd" "3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
-
C:\Users\Admin\AppData\Local\Temp\274A.tmp\WipeMBR.exeWipeMBR.exe4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\274A.tmp\snd.vbs"4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\note.txt4⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\timeout.exetimeout 5 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.co.ck/search?q=help+me+my+computer+has+a+virus4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa4b9e46f8,0x7ffa4b9e4708,0x7ffa4b9e47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,817919431153435429,1885825635368142388,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,817919431153435429,1885825635368142388,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,817919431153435429,1885825635368142388,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,817919431153435429,1885825635368142388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,817919431153435429,1885825635368142388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,817919431153435429,1885825635368142388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,817919431153435429,1885825635368142388,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:15⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\274A.tmp\MouseDraw.exeMouseDraw.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\timeout.exetimeout 10 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\274A.tmp\pixels.exepixels.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\timeout.exetimeout 10 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\274A.tmp\gl.exegl.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\timeout.exetimeout 5 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\274A.tmp\TextOut.exeTextOut.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\timeout.exetimeout 30 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\274A.tmp\masher.exemasher.exe4⤵
- Executes dropped EXE
-
-
C:\Windows\system32\timeout.exetimeout 15 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im wininit.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x478 0x42c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD549dde89f025a1cce8848473379f7c28f
SHA1b405956b33146b2890530e818b6aa74bba3afb88
SHA256d6d125ba686b825bb22ab967a346051780cab1f55fc68a2f3efdf3fb5598f96b
SHA51253050344674d8886db66e25f42d97bf46b26229972631f857286c2a303897cda58d85ee8ca768bbfb1fc07e52567315ea85d57e39b5b382916700ec389946506
-
Filesize
152B
MD53d94406b964753cc5222ab1343f54bb1
SHA1a5e7de0781fa1fabb3cd89564f2e5693cb4dee16
SHA256fd9923a217cd8d2c44a63dbfe52ec262e7c80b1f1e50c6e0f21f8379c90e7762
SHA5121ad2c144e7bbd809f400f8782586d3768fc82bcef39db986f766897c344efec77ab2c0b6d9c5ee2019ef5cf9ad0c46bdd25392cbc9dbf9ea80e800577f0fc598
-
Filesize
198KB
MD5319e0c36436ee0bf24476acbcc83565c
SHA1fb2658d5791fe5b37424119557ab8cee30acdc54
SHA256f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1
SHA512ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902
-
Filesize
144B
MD5d3ab7efeb8b61dde63a2017afafbfb0b
SHA1cb10e8d8ad09949fc141bcc573e63036c9a9d047
SHA256931a082f108eedb6bf65709d532c872e98337a799ce1e36b90d0650f71ab66b9
SHA5125f872c1c49012a6f06819fa00214ad862fec0ad6f5338700aa821dc3165f7e66f6a05a12ff4023d4a43373751c4c39c32ef8d49b17875518c7f6a2c3eff42f00
-
Filesize
815B
MD51b570399e680a6afef3d22c6d1f7e15c
SHA17b1faa929b43a5e3e21cdc24e6cd97cd83229701
SHA256e7218ce68112649af087d46ab4c341c31189a2996ed4167c3ff30cf302b1fe56
SHA51249213d2fa0b216c2b18b929e4a6996f4959692e6f8f65315165c42efe5c7a4d298994400351ba25de96cefd7b321327bea418f03f5e1bf269b1376676160668e
-
Filesize
5KB
MD5888f6a76380a627b09d55033a23a2a70
SHA168afdcc5e8aee7772c0ca45053dd584bc484f200
SHA256c5040b380e16134f85d666a61df3be75a6fce9fc909d57a17a25391b9aa85acf
SHA512b219c39facbe2e85a2a42fab87913917aff8808575768b9d5c9f5e2f9d60670764c593bcf9d3c586d218b8d3f45cfb8262f53a6693af3626c293116f720e8ede
-
Filesize
7KB
MD535c7142fd504eab9458f1399638721c7
SHA13ee8591f8b604057c6e239fe8123bc51c832e94c
SHA25661de44860523a7f3a677bdbcb1a32f9f6d3c9524bce83d190df3b3feb8650c9b
SHA512a45fc2f2efa1b02f8a1a97fa511e3cd8d4ca4e2f56e5b122db5fb4041cf500525e48d2a3da14640e7270f1594e7361ab6572d47ab833e6090b59d4a4137cda20
-
Filesize
6KB
MD5aa89a43da23e789b65cc58538be89d53
SHA170fb9d818fed72b03f44dfb9a2818275c7173be4
SHA2562c647440aaa6ce261df5e04e4572a6a2d1efa3dfbce806be2e2b93d5f0335408
SHA512bf63163e1df0277a68c8d0ef925db3e13eed07d3b0ca2ee7983c0232a848282c3ad61663c2a47bbc5dd513420600011b76e30a99f64b5bed2c5de0c076e73667
-
Filesize
6KB
MD510eba50ebe7aded402d5d8cba41c6a46
SHA1767d389a70ba932de3d7d58e62494956c1a4b3bd
SHA256b692a4d3cbc3f19e40401bd6a325295f04f4129d7de6a1277aeefb7424493f66
SHA51210903a216e9303c33cfa88adb1a1a15306668c44153279499c4005ecc9612543b295c431a5328e0b9f10e6fae77f06d81ea1cc9c6fc2f4ab53444cb37ab67cfe
-
Filesize
24KB
MD57c43199d1e5acf5a31e1cbef990fbc47
SHA1df7bd524b9b3175325c0aff3469ea7f2211d3061
SHA25652a6fd2a2fff53c738c77a6385e7e1677f8990781699f78c63d5a4b0fe566d22
SHA512aae886642b40ffb0676534fd85abe43ab588526b8e952b12a1bcafc73cb05103c76aee4fa32cc18c74af6c59aa1dc84bcda09ebccb7d11adc79fee3bfc93e2d1
-
Filesize
10KB
MD5d6bd6de43d5296b753a920e5aef2fb74
SHA1724bf1015f183c778956e0074fb4ebc4d2b66d28
SHA256c513906d3d626804c7d57dae559bd3f8c5eba2794040817652744fc6f255f7d5
SHA5127ae3b99bac1fa542e37aae355d49ecb5308e8ef9bd2d88f8abedba03cb92a1a424af67bfc2322696aa8ef3010f34318b065cd473781e6748b7778ef2beea9405
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
884B
MD5b1ffd981efee9b6dd90e104fe96674d4
SHA17430659628b9745f3cf9b343c79a995854ffb033
SHA256b7ea938b6f7838c8e3207c84d048957d28917f143b3ab9cd4901154a8d14d8a5
SHA512f3ee256ef0b7de3293bd6f9dfef6e4ae72da617ae1e91350db94d9bbe7f94e6ca82345a901d041d8f5bf57dc3db3a423c6cc5d0d509a4d39941d21b9aabd0dd4
-
Filesize
103KB
MD5be86c274800697354120d01c65f33258
SHA18154def1188ee33564f939f9d6d4c588ee30b004
SHA256dfa46efcc267f7c4fa18c9a3f1f0204fe3266cceadff2a8fffb9d1a66312ea4d
SHA5120e5470851b2793c48cc5c585e42eebafac094e9ad3bc52599aded633bac7e8ef9da48236ecabadc9ed367ba10fa4989ff4b7deb7b2a04723c3f615401a32619a
-
Filesize
105KB
MD5eb7b4001626d2b0527c3ae30ee4ed9a7
SHA19df4431810306a7df10ebc609cd7497c4aefe161
SHA256dd0d91ef97690c3810fb4ebe285c937147e9cfb1c10927ebeb443783de0bc6d1
SHA5124dbde2b4240a32c2960c45e4dd43f6cfaa8296de3e1e6c419bd70f5f79f8a8d844b6912abf82ba7e4dae08b98281a5f24f0dcb35f785970c10720f3c71e6c6e5
-
Filesize
104KB
MD5ec7a81a425f85d9acce04ffe9221b47f
SHA184dcebfad820d6da0f9f345e1d3bd0b34e7144d1
SHA256074c27fc89ad943eced18cc29f24f2ebb7747bef3abb0f2866989ea0a2b6047f
SHA512df8244079fa3f7f84807dff1d814b73306a5dc7eee65183e19da5de5f880270391bd579f0047b89deeb326b033352910ef66a2e44bd6a5f2936babc7e9051ec4
-
Filesize
22.7MB
MD52635b974d7d8b4c8ff21f9a1c62ccc5c
SHA19dcf453ff65b4f53131a22eebd078ff91850131e
SHA25678c187cf219cb44ce79ee72029bf85ca4516d3a5ffd49e20d3577d0222588ffd
SHA512172b506e4636a7ade20f07e0334af3b67682145f41d9089486679f3bea505730a630949d830eadf606e41725035009698f0a90cbab637e81899d460090c64c3a
-
Filesize
105KB
MD5754be91171c29e0b2b35c209553c6e45
SHA173da71d831ba2c13aaf28a9e2d581ee52d95d639
SHA256595f476a34f1b6a481a89aec8bab0e323e7ccc7fbc53586982d26f681ddcc4a3
SHA5121ea4b1c01548275f701ccd09cc4018f60efcaacbcc8676fd989d05e9322e5f5bbd967e5206bfda18f6ce6d989dfa45cd4dd9155fc08c1fbdbb2ba025c2927fc6
-
Filesize
103KB
MD5b8c89423394e0e68cd7e22940e09072b
SHA1ab7a1e0f97b51d0e1ca158c3190ab411fdc4ff99
SHA2566cb009d194a96ceb66f4ebb564893d170605c6c4c36d242043a59aad172fa0f2
SHA51252b1d62a43f981764cb26359456a7b79c049c1fa73a5d6e1ecc776006d04e5dd2834aa24786a45b5fe73e082848686e187225a2aa1b785c1468d30e786eb36bd
-
Filesize
103KB
MD544f3a742cabfd08c4462d5ade9640e35
SHA1572d67622db81b18bae66cf506dc858d6f77ef7e
SHA256ad6decfe3dca3a836d18be663114ad3f318df39fe3cc98753f106eb63632f71e
SHA5129307e3db6febbb2e66bca313b77819c59c4593d1ffc4f7875cc89168401af8708fb16978e26b1c6c7dcd1404a0072bd0dff5c524608d04bd1a19b8006eae7528
-
Filesize
592B
MD50f5dadbddd4d6bcdd1abac71fdb32104
SHA11cd1067d0a970a0049cc683c73654bd6b8f571dc
SHA256887680f385c15361070839683ab710277f233689d04eed822a4e1625dbd92d98
SHA512b6b59b2d6e10ebe1dd869436ba35a70fa298b36e23159240635bda360f450243f8449e6d196bc41510c022a956445e65676509b6b3151c9be141f70802c5363c
-
Filesize
221B
MD57f1f2f18b81c7ff47430c518defb9f48
SHA133642f35825428762b8133721ca38466e7b69559
SHA256208337c0a3656061ad50d85b608cc0fec353f71d16ccd6896aae2ed4e5bdfa58
SHA512c441e17a5f48c7b381a233f95b88b640f167ac053584a77e20cf5f9cc0e199527051ce7d39d450573af6db4ea5c8056ed62189322c2e0ba9a6779dae1dbbfc04
-
Filesize
36B
MD5a4e789bb56e618fcb3ef8aa1c78c3e7c
SHA1140d37cf32bdbfc2225c47141237a65ea5aab232
SHA2566478fe5c461fde02690d3386e9f70210853cae13d3e5577c31e8bb69783d1d7c
SHA5129a616962d9c872a08dda1db0f251af1da843a7da3053ec88fa30f22fb25c905724927c7f3f31f790de10e6ad8bbae8006336a15b272a38beb614410d07943024
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
116KB