2ceee86a0929373bf13009a06e0ed6ac359cac96f97a67de27e78b595a893d89

General

Target

DonnyhubPremium.exe
Size

722KB
MD5

96ac5b2cad1603c928f67adb072f2b56
SHA1

e1991922d75fa487610d069ae5d52af6de428ee3
SHA256

2ceee86a0929373bf13009a06e0ed6ac359cac96f97a67de27e78b595a893d89
SHA512

84a1b261b87995d9e0c02451a344106edd43d021e6e112335bb294def6abdd6c89d606b355ddfe1797bb13ec24f7a18b6e265a691b9e9c6cd66f70ec686cf12f
SSDEEP

12288:lO7FJJ7gIgVj2du42aCrMP5IaAPD67w9rVJd7FtJ7gIDVj2du42a1:o7FJJMPRAu4fC45wu7wb7FtJMsRAu4f1

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (3641) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 38 IoCs

Processes:

DonnyhubPremium.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\gm.dls	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	DonnyhubPremium.exe

Drops file in System32 directory 64 IoCs

Processes:

DonnyhubPremium.exe

description	ioc	process
File created	C:\Windows\SysWOW64\en-US\fwcfg.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\perfproc.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\C_20277.NLS	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\gpedit.msc	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\AppIdPolicyEngineApi.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\loadperf.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\netlogon.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\tpm.msc	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\Dism\it-IT\DismCore.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\Dism\ja-JP\CbsProvider.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\msdxm.ocx	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\Dism\it-IT\DismProv.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\AltTab.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\DeviceCenter.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\ndadmin.exe.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\sscore.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\desk.cpl	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\iasrad.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\ppcsnap.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\RpcNs4.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\msdxm.tlb	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\eappcfg.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\pautoenr.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\umpo.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\wmpdui.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\wsecedit.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\apss.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\comexp.msc	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\dot3msm.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\fde.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\mctres.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\AuditNativeSnapIn.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\quartz.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\wpdwcn.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\oledlg.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\shdocvw.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\msscript.ocx	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\remotesp.tsp	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\usbperf.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\dvdupgrd.exe.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\BWUnpairElevated.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\DeviceProperties.exe.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\SCardSvr.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\winbio.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\Dism\de-DE\TransmogProvider.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\gameux.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\Ribbons.scr.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\dplaysvr.exe.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\taskschd.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\DDACLSys.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\DShowRdpFilter.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\sppc.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\locale.nls	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\WEB.rs	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\msscript.ocx.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\MFReadWrite.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\Mystify.scr.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\spwizres.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\dssec.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\msadp32.acm.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\de-DE\psr.exe.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\choice.exe.mui	DonnyhubPremium.exe
File created	C:\Windows\SysWOW64\en-US\EhStorPwdMgr.dll.mui	DonnyhubPremium.exe

Drops file in Windows directory 64 IoCs

Processes:

DonnyhubPremium.exe

description	ioc	process
File created	C:\Windows\Help\Windows\de-DE\Windows.h1c	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-ClipsInTheLibrary-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-OfflineFiles-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	DonnyhubPremium.exe
File created	C:\Windows\ehome\ja-JP\ehprivjob.exe.mui	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\wiaxx002.PNF	DonnyhubPremium.exe
File created	C:\Windows\ja-JP\twain_32.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\PolicyDefinitions\WindowsBackup.admx	DonnyhubPremium.exe
File created	C:\Windows\diagnostics\system\Power\it-IT\RS_DisableUSBSelective.psd1	DonnyhubPremium.exe
File created	C:\Windows\Help\mui\0409\wmicontrol.CHM	DonnyhubPremium.exe
File created	C:\Windows\Help\Windows\de-DE\Windows_BestBet.H1K	DonnyhubPremium.exe
File created	C:\Windows\Media\Windows Notify.wav	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-Shell-HomeGroup-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum	DonnyhubPremium.exe
File created	C:\Windows\Speech\Engines\SR\fr-FR\s1036.dlm	DonnyhubPremium.exe
File created	C:\Windows\diagnostics\system\HomeGroup\RS_LaunchInteraction.ps1	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\mdmirmdm.PNF	DonnyhubPremium.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif	DonnyhubPremium.exe
File created	C:\Windows\PLA\Rules\ja-JP\Rules.System.Configuration.xml	DonnyhubPremium.exe
File created	C:\Windows\servicing\ja-JP\TrustedInstaller.exe.mui	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~sv-SE~7.1.7601.16492.cat	DonnyhubPremium.exe
File created	C:\Windows\Help\Help\ja-JP\Help_LinkTerm.H1K	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\mdmtexas.PNF	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\prnhp003.inf	DonnyhubPremium.exe
File created	C:\Windows\Cursors\size4_rl.cur	DonnyhubPremium.exe
File created	C:\Windows\diagnostics\system\Search\de-DE\CL_LocalizationData.psd1	DonnyhubPremium.exe
File opened for modification	C:\Windows\Fonts\constanb.ttf	DonnyhubPremium.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\big5.nlp	DonnyhubPremium.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\es-ES\PresentationHostDLL.dll.mui	DonnyhubPremium.exe
File created	C:\Windows\PolicyDefinitions\es-ES\FileRecovery.adml	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~bg-BG~7.1.7601.16492.cat	DonnyhubPremium.exe
File created	C:\Windows\Boot\Fonts\jpn_boot.ttf	DonnyhubPremium.exe
File opened for modification	C:\Windows\Fonts\PALSCRI.TTF	DonnyhubPremium.exe
File created	C:\Windows\Help\Windows\ja-JP\articon.h1s	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\mdmpenr.PNF	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\scrawpdo.PNF	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\wiasa002.inf	DonnyhubPremium.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\Browsers\nokia.browser	DonnyhubPremium.exe
File created	C:\Windows\PolicyDefinitions\de-DE\AttachmentManager.adml	DonnyhubPremium.exe
File opened for modification	C:\Windows\Fonts\calibri.ttf	DonnyhubPremium.exe
File created	C:\Windows\Help\Windows\it-IT\Windows.H1T	DonnyhubPremium.exe
File created	C:\Windows\Help\Windows\ja-JP\netproj.h1s	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\usbprint.PNF	DonnyhubPremium.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\normnfd.nlp	DonnyhubPremium.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\providerList.ascx.resx	DonnyhubPremium.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.config	DonnyhubPremium.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.de.resx	DonnyhubPremium.exe
File created	C:\Windows\PolicyDefinitions\de-DE\DWM.adml	DonnyhubPremium.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\WindowsBackup.adml	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-RemoteFX-VM-Setup-LanguagePack~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Package_1_for_KB2999226~31bf3856ad364e35~amd64~~6.1.1.7.mum	DonnyhubPremium.exe
File opened for modification	C:\Windows\Fonts\IMPRISHA.TTF	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\netr28x.PNF	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~uk-UA~7.1.7601.16492.cat	DonnyhubPremium.exe
File created	C:\Windows\Help\Windows\de-DE\ra.h1s	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\netw5v64.inf	DonnyhubPremium.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Internals.aspx.it.resx	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.mum	DonnyhubPremium.exe
File created	C:\Windows\Speech\Engines\Lexicon\fr-FR\lsr1036.lxa	DonnyhubPremium.exe
File created	C:\Windows\Help\Windows\it-IT\browser.h1s	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.cat	DonnyhubPremium.exe
File opened for modification	C:\Windows\inf\rspndr.PNF	DonnyhubPremium.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp.aspx.resx	DonnyhubPremium.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\UserProfiles.adml	DonnyhubPremium.exe
File created	C:\Windows\servicing\Packages\Microsoft-Windows-GPUPipeline-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	DonnyhubPremium.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\WindowsExplorer.adml	DonnyhubPremium.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DonnyhubPremium.exe

pid process

1084 DonnyhubPremium.exe

pid	process
1084	DonnyhubPremium.exe

C:\Users\Admin\AppData\Local\Temp\DonnyhubPremium.exe
"C:\Users\Admin\AppData\Local\Temp\DonnyhubPremium.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:1084

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-0-0x0000000000A80000-0x0000000000B3A000-memory.dmp

Filesize
744KB

Download
memory/1084-1-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1084-2-0x00000000044A0000-0x00000000044E0000-memory.dmp

Filesize
256KB

Download
memory/1084-3-0x00000000044A0000-0x00000000044E0000-memory.dmp

Filesize
256KB

Download
memory/1084-4-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/1084-5-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/1084-14-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/1084-15-0x00000000044A0000-0x00000000044E0000-memory.dmp

Filesize
256KB

Download
memory/1084-16-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads