Overview

overview

10

Static

static

3

000.exe

windows7-x64

000.exe

windows10-2004-x64

Ana.exe

windows7-x64

8

Ana.exe

windows10-2004-x64

Bad Rabit.exe

windows7-x64

10

Bad Rabit.exe

windows10-2004-x64

10

Desktop Puzzle.exe

windows7-x64

1

Desktop Puzzle.exe

windows10-2004-x64

1

Memz.exe

windows7-x64

6

Memz.exe

windows10-2004-x64

7

NoEscape.exe

windows7-x64

1

NoEscape.exe

windows10-2004-x64

WannaCrypt0r.exe

windows7-x64

10

WannaCrypt0r.exe

windows10-2004-x64

10

Resubmissions

08-06-2024 08:50

240608-krvyesae91 10

08-05-2024 16:15

240508-tqnx6ach3w 10

08-05-2024 16:07

240508-tkr3mafa54 10

01-05-2024 18:02

240501-wmf49acg3s 6

27-04-2024 08:46

240427-kpfeysff8s 10

25-04-2024 21:25

240425-z9y55afb7v 10

25-04-2024 21:16

240425-z4pphafa97 10

25-04-2024 18:27

240425-w3929sde33 10

25-04-2024 18:17

240425-ww4a5sdc8x 10

Analysis

  • max time kernel
    47s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 18:09

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T18:11:02Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240226-en/instance_7-dirty.qcow2\"}"
Report Analysis Logs

General

  • Target

    000.exe

  • Size

    6.7MB

  • MD5

    f2b7074e1543720a9a98fda660e02688

  • SHA1

    1029492c1a12789d8af78d54adcb921e24b9e5ca

  • SHA256

    4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

  • SHA512

    73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

  • SSDEEP

    3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9

Score
8/10
evasionpersistenceransomware

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\000.exe
    "C:\Users\Admin\AppData\Local\Temp\000.exe"
    1⤵
    • Enumerates connected drives
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2172
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3424
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' set FullName='UR NEXT'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic useraccount where name='Admin' rename 'UR NEXT'
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3656
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /f /r /t 0
        3⤵
          PID:4248
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa398f855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:5028

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
      Filesize

      64KB

      MD5

      e16129a01ecd035ae804959605a88835

      SHA1

      58ad281cf5d3780678feb1f3052ea25b225a31f8

      SHA256

      c7bf9459833ca54b1ec8e730e5d938e488d4d747c43a49d497f98403d3c10177

      SHA512

      8c511704960ca74c358211d1cdcbe23e6b3e852a995c93831d83ce22bf21c77d1d23ac034f39c8265137665a73fcacd55b5263b776a920bba42dad7834eeb50f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
      Filesize

      9KB

      MD5

      7050d5ae8acfbe560fa11073fef8185d

      SHA1

      5bc38e77ff06785fe0aec5a345c4ccd15752560e

      SHA256

      cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

      SHA512

      a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\one.rtf
      Filesize

      403B

      MD5

      6fbd6ce25307749d6e0a66ebbc0264e7

      SHA1

      faee71e2eac4c03b96aabecde91336a6510fff60

      SHA256

      e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

      SHA512

      35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rniw.exe
      Filesize

      76KB

      MD5

      9232120b6ff11d48a90069b25aa30abc

      SHA1

      97bb45f4076083fca037eee15d001fd284e53e47

      SHA256

      70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

      SHA512

      b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\v.mp4
      Filesize

      81KB

      MD5

      d2774b188ab5dde3e2df5033a676a0b4

      SHA1

      6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

      SHA256

      95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

      SHA512

      3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\windl.bat
      Filesize

      771B

      MD5

      a9401e260d9856d1134692759d636e92

      SHA1

      4141d3c60173741e14f36dfe41588bb2716d2867

      SHA256

      b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

      SHA512

      5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

      Download Submit

    • C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
      Filesize

      396B

      MD5

      9037ebf0a18a1c17537832bc73739109

      SHA1

      1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

      SHA256

      38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

      SHA512

      4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

      Download Submit

    • memory/3248-497-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-557-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-3-0x0000000005B70000-0x0000000006114000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3248-192-0x000000000BF20000-0x000000000BF58000-memory.dmp

      Filesize

      224KB

      Download

    • memory/3248-197-0x000000000BEE0000-0x000000000BEEE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3248-482-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-483-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-486-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-493-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-0-0x0000000074AB0000-0x0000000075260000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3248-498-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-543-0x000000000C150000-0x000000000C160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-553-0x000000000C150000-0x000000000C160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-11-0x00000000053D0000-0x00000000053E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-556-0x000000000C150000-0x000000000C160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-555-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-562-0x000000000C150000-0x000000000C160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-567-0x0000000074AB0000-0x0000000075260000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3248-571-0x000000000C150000-0x000000000C160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-570-0x000000000BF90000-0x000000000BFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-2-0x00000000053D0000-0x00000000053E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-864-0x00000000053D0000-0x00000000053E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-1-0x0000000000390000-0x0000000000A3E000-memory.dmp

      Filesize

      6.7MB

      Download

    • memory/3248-868-0x00000000053D0000-0x00000000053E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3248-877-0x0000000074AB0000-0x0000000075260000-memory.dmp

      Filesize

      7.7MB

      Download