Analysis

  • max time kernel
    18s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 14:29

General

  • Target

    Terminator3.1.exe

  • Size

    2.0MB

  • MD5

    2bc248da7543ff3e8a7aeb2353d4daa7

  • SHA1

    2ab295c16a8b762a26b37dc71c08dacda6bf8bbe

  • SHA256

    e8419d5bb0db3e945ca90579f079fdf907237defe8017c63e0188b2de518b1d3

  • SHA512

    3bb822b668506fac45d803b7ebe2b5d5bd2ca9d851746ceedb02619fc9c1f54648a720a7d9fde6e29bb7ac017fefb721c55b2de64f5eeada3e6f2d11f3fefbdf

  • SSDEEP

    24576:qD/RbUThN+XbXgZruqHrawhaUTFR7mDdsrsG5UHulCXR+xaTSfoY4f0y3QzpCy8v:qjRbU2XlqHBNpEdsC5TSf

Malware Config

Signatures

  • Renames multiple (234) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Drops startup file 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Terminator3.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Terminator3.1.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Sets desktop wallpaper using registry
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Modifies Control Panel
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 2912
    Child processes:
    • C:\Windows\SysWOW64\notepad.exe
      notepad C:\Users\Admin\Desktop\GOOD NEWS.txt
      PID: 2740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      • Modifies system executable filetype association
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      PID: 2392
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      PID: 1916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      PID: 376
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      PID: 1684
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    PID: 2336

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • T1546 Event Triggered Execution: 1
    • T1546.001 Change Default File Association: 1
    • T1547 Boot or Logon Autostart Execution: 1
    • T1547.001 Registry Run Keys / Startup Folder: 1
    • T1542 Pre-OS Boot: 1
    • T1542.003 Bootkit: 1
  • Privilege Escalation
    • T1546 Event Triggered Execution: 1
    • T1546.001 Change Default File Association: 1
    • T1547 Boot or Logon Autostart Execution: 1
    • T1547.001 Registry Run Keys / Startup Folder: 1
  • Defense Evasion
    • T1112 Modify Registry: 3
    • T1542 Pre-OS Boot: 1
    • T1542.003 Bootkit: 1
  • Credential Access
    • T1552 Unsecured Credentials: 1
    • T1552.001 Credentials In Files: 1
  • Discovery
    • T1082 System Information Discovery: 1
  • Collection
    • T1005 Data from Local System: 1
  • Impact
    • T1491 Defacement: 1


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk.Terminated.Terminated.Terminated
    Filesize: 1KB
    MD5: 5c1d6c509273916156f53164100413a5
    SHA1: b3e1ae148d992c66a0af1a12d6b38bdedac44a54
    SHA256: e3ad9e6efabb8eb6bcb48385af893d1e4784a9aa7ac01b27f02728711e5746da
    SHA512: 6efe33c14aa6490bf0625af86b647895503550c1642786d0f6c305f1e4529f281c6620a517bb64213f12a9f6d644a0a4cbbf623f2db66855d6f4894a27efdf95

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Help.lnk.Terminated.Terminated.Terminated
    Filesize: 288B
    MD5: 0b926f9652ada0f19f4c8aa499e2ed27
    SHA1: 3272e785b27497985b537126851a2ff9dccdd913
    SHA256: fc703c2c6605ca310575d0e2c03f99af0038aad6ce7f5b65075c2d10f72cc120
    SHA512: 73e4c8700cc9ee593a351cc23c05f63cf268113de72290ec6b7e9873f6fd34c96c9cfae81fd1cd8daf18bdd055df5dc86399d6cb179483d569eb41591d945941

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.Terminated
    Filesize: 48KB
    MD5: 1240dc71bcc0f3ead172844c8211fe72
    SHA1: f777c8311f4503d8696b35790103c80b6661143d
    SHA256: 081fa8428d3c2a8f552278754f9573083e0ed6f29a3aad10dcab861b32d8f929
    SHA512: 154a0898d8f90d665d12ef0eeaa69b42f7db84c952614430754d5190079bc4a32b301c4273efe46eab7fe42194ecfdd76c7f56254a31d68a3a73f43fc52b4f15

  • C:\Users\Admin\Desktop\GOOD NEWS.txt
    Filesize: 12KB
    MD5: 9591a9f12d3e40cdad5a6393f90a4fe0
    SHA1: 812554e61b48153c5f516f716ff007be937aa92f
    SHA256: 8758fcc47dbd9c66513b4d22f10cc41aa84c9f9599a883eebf52d221bef57c12
    SHA512: 1517488d21e8c954327a6a5f5c81ec57f369516176721f1c6ebb98ae961357eaae3441f12a4e6ecc930aa05f709dba02e5765c7726d260cd51e10c03b816b6e0

  • \Users\Admin\AppData\Local\Temp\ExtraDll.dll
    Filesize: 97KB
    MD5: c35425ad1f0c32225d307310deccc335
    SHA1: b2e347b244e40ffa113dffaffd1895777e3ac30a
    SHA256: 48773d597155dc39dd172c26867972da89dd61fcee0d138433eda26a2d8633b7
    SHA512: 47b6a7447fcc4f9f21018f608fcbdb5650f16cbd869cae5d4ed5d9b88ca1e944de1cac10e9a252aa7b210f1a31456c0ed91728b8a7e24def99d7e3f9683e2bae

  • memory/2392-266-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2392-270-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2392-267-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB

  • memory/2392-260-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2392-254-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2392-252-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2392-250-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2392-263-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2392-257-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize: 92KB

  • memory/2912-4-0x0000000074E90000-0x0000000074ECC000-memory.dmp
    Filesize: 240KB

  • memory/2912-322-0x0000000074E90000-0x0000000074ECC000-memory.dmp
    Filesize: 240KB