a45219c59e190f25ad6d40db0ae74cd8af0b4222b9d7d409322de7dd2ae2373a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Done.exe
Size

118KB
MD5

7ab0af2a1153adcf3237b3bcf1b35419
SHA1

f5e9dc83eb95ae4b1118b034e91e937c9b884bca
SHA256

a45219c59e190f25ad6d40db0ae74cd8af0b4222b9d7d409322de7dd2ae2373a
SHA512

e5736298809fdeb6b66766ae3a8db355a152ca784ad8ccf8500e4496cf869f320c11f6dd4e5ca484e56ef7819d13f52f2bb668ae7db06ab4ef3e439c231cc723
SSDEEP

3072:8ZbACwLtsHStagQqAzbt9LbjdcVONk2p38SnLtoA6:feSta6AzbnS0Nk2pMSnLtX

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (63) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Drops desktop.ini file(s) 1 IoCs

Processes:

Done.exe

description ioc process

File created C:\Users\Admin\Desktop\desktop.ini Done.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\Desktop\desktop.ini	Done.exe

Modifies registry class 12 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.RobCryptor	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.RobCryptor\ = "RobCryptor_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\RobCryptor_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2192 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Done.exe

description pid process

Token: SeDebugPrivilege 2900 Done.exe

pid	process
2192	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	2900	Done.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2024 wrote to memory of 2192	2024	rundll32.exe	NOTEPAD.EXE
PID 2024 wrote to memory of 2192	2024	rundll32.exe	NOTEPAD.EXE
PID 2024 wrote to memory of 2192	2024	rundll32.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\Done.exe
"C:\Users\Admin\AppData\Local\Temp\Done.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor
2⤵
- Opens file in notepad (likely ransom note)
PID:2192

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor
Filesize
769KB

MD5
dde303f9d6b15ded3c03e2b859dbecae

SHA1
489dea66233d59c714e45db67a731141765a1716

SHA256
2d8bad2ae7c866de14b517fdf8b04ddde6d0cd08e0bab48b1efd759d6bf779c9

SHA512
bc678763f32b295e2c6a8ef658bf05935337013e8172d03cb84a7cd8bb217a60abfd7304ed9587bcc4bfc2317a89e8debaa687b4580b555252e7569aaae3c63e

Download Submit
memory/2900-0-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x0000000000DF0000-0x0000000000E14000-memory.dmp

Filesize
144KB

Download
memory/2900-2-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2900-3-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-172-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download