Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 22:53

Static task: static1
Behavioral task: behavioral1
  Sample: Done.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: Done.exe
  Resource: win10v2004-20240426-en
General
- Target: Done.exe
- Size: 118KB
- MD5: 7ab0af2a1153adcf3237b3bcf1b35419
- SHA1: f5e9dc83eb95ae4b1118b034e91e937c9b884bca
- SHA256: a45219c59e190f25ad6d40db0ae74cd8af0b4222b9d7d409322de7dd2ae2373a
- SHA512: e5736298809fdeb6b66766ae3a8db355a152ca784ad8ccf8500e4496cf869f320c11f6dd4e5ca484e56ef7819d13f52f2bb668ae7db06ab4ef3e439c231cc723
- SSDEEP: 3072:8ZbACwLtsHStagQqAzbt9LbjdcVONk2p38SnLtoA6:feSta6AzbnS0Nk2pMSnLtX
Malware Config
Signatures
- Renames multiple (63) files with added filename extension
  Indicates ransomware-style encryption: user files are rewritten and renamed with an appended extension. The artifact listed under Downloads, WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor, shows the .RobCryptor suffix appended three times to a single document, so the sample re-processes files it has already renamed rather than skipping them.
- Drops desktop.ini file(s) (1 IoC)
  Process: Done.exe
  Description: File created
  IoC: C:\Users\Admin\Desktop\desktop.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (12 IoCs)
  Process: rundll32.exe
  Hive prefix for every entry: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\
  1. Key created: RobCryptor_auto_file\shell\edit\command
  2. Key created: RobCryptor_auto_file\shell\open
  3. Set value (str): RobCryptor_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
  4. Key created: Local Settings (under the _Classes key of the same SID)
  5. Key created: RobCryptor_auto_file
  6. Set value (str): RobCryptor_auto_file\ (default value; no data shown)
  7. Key created: .RobCryptor
  8. Set value (str): .RobCryptor\ = "RobCryptor_auto_file"
  9. Key created: RobCryptor_auto_file\shell\edit
  10. Key created: RobCryptor_auto_file\shell
  11. Key created: RobCryptor_auto_file\shell\open\command
  12. Set value (str): RobCryptor_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"
  Caveat: all twelve writes come from rundll32.exe, which the process tree shows running shell32.dll,OpenAs_RunDLL (the Windows "Open With" dialog) against the renamed .xltx file, at the same tree depth as Done.exe rather than as its child. The .RobCryptor -> RobCryptor_auto_file -> NOTEPAD.EXE association is what Windows writes when Notepad is chosen in that dialog. Treat it as sandbox interaction with an encrypted file, not as a persistence or file-association change made by the sample.
- Opens file in notepad (likely ransom note) (1 IoC)
  Process: NOTEPAD.EXE, PID 2192
  Caveat: the file opened is C:\Users\Admin\Desktop\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor (769KB, see Downloads), an encrypted spreadsheet template rather than a text note. No ransom note is listed anywhere in this report, so this heuristic should not be read as confirming one.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: Done.exe, PID 2900
  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: rundll32.exe (PID 2024) wrote to memory of NOTEPAD.EXE (PID 2192), three times.
  Caveat: rundll32.exe is the parent of NOTEPAD.EXE in the tree, and parent-to-child writes at process start are routine. There is no WriteProcessMemory attributed to Done.exe, so this is not evidence of injection by the sample.
Processes
- C:\Users\Admin\AppData\Local\Temp\Done.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Done.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (depth 2, child of rundll32.exe)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor
    - Opens file in notepad (likely ransom note)
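The three behaviours above (mass renames with an appended extension, the *_auto_file class keys written by rundll32.exe, and NOTEPAD.EXE launched from the Open With dialog) are easy to mis-rank when read as a flat signature list. The following triage script is an added example, not part of this sandbox report or of the sample: it runs over constructed events that mirror the page (the event dicts, the explorer.exe parent for rundll32.exe and the Budget.xlsx/Holiday.jpg paths are invented for the example) and separates the sample's own activity from the dialog side effects.

```python
"""Triage helpers for the behaviours listed in the report above.

Added example: not part of the sandbox report or of the sample. The events
below are constructed to mirror the page (renames adding .RobCryptor, the
rundll32 OpenAs_RunDLL -> NOTEPAD.EXE chain, the *_auto_file class keys);
the dict layout is invented and is not the sandbox's telemetry format.
"""
import re
from collections import Counter, defaultdict

DESK = r"C:\Users\Admin\Desktop"
SAMPLE_EVENTS = [  # constructed; "actor" is the writing/parent process
    {"kind": "rename", "actor": "Done.exe",
     "src": DESK + r"\WatchCompress.xltx", "dst": DESK + r"\WatchCompress.xltx.RobCryptor"},
    {"kind": "rename", "actor": "Done.exe",
     "src": DESK + r"\WatchCompress.xltx.RobCryptor",
     "dst": DESK + r"\WatchCompress.xltx.RobCryptor.RobCryptor"},
    {"kind": "rename", "actor": "Done.exe",
     "src": DESK + r"\WatchCompress.xltx.RobCryptor.RobCryptor",
     "dst": DESK + r"\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor"},
    {"kind": "rename", "actor": "Done.exe", "src": r"C:\Users\Admin\Documents\Budget.xlsx",
     "dst": r"C:\Users\Admin\Documents\Budget.xlsx.RobCryptor"},
    {"kind": "rename", "actor": "Done.exe", "src": r"C:\Users\Admin\Pictures\Holiday.jpg",
     "dst": r"C:\Users\Admin\Pictures\Holiday.jpg.RobCryptor"},
    {"kind": "rename", "actor": "explorer.exe",  # benign rename, no suffix added
     "src": DESK + r"\New folder", "dst": DESK + r"\Work"},
    {"kind": "process", "actor": "explorer.exe", "image": "rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
                + DESK + r"\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor"},
    {"kind": "regset", "actor": "rundll32.exe",
     "key": r"HKCU\Software\Classes\.RobCryptor", "value": "RobCryptor_auto_file"},
    {"kind": "regset", "actor": "rundll32.exe",
     "key": r"HKCU\Software\Classes\RobCryptor_auto_file\shell\open\command",
     "value": r"%SystemRoot%\system32\NOTEPAD.EXE %1"},
    {"kind": "process", "actor": "rundll32.exe", "image": "NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" '
                + DESK + r"\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor"},
]

AUTO_FILE_KEY = re.compile(r"\\Classes\\(\.[^\\]+)$", re.IGNORECASE)
CMD_TARGET = re.compile(r'^(?:"[^"]*"|\S+)\s+(.*)$')  # argument after the quoted image path


def appended_extension(src, dst):
    """Suffix a rename appended (with its dot), or None if dst is not src plus one suffix."""
    if dst.lower().startswith(src.lower() + ".") and "\\" not in dst[len(src):]:
        return dst[len(src):]
    return None


def mass_rename(events, threshold=3):
    """Per actor, count renames that append the same suffix (the report's
    'Renames multiple files with added filename extension'). A suffix appended
    to a name that already ends in it is recorded as re-encryption, which is
    what the triple .RobCryptor filename on the page shows."""
    per_actor, reencrypted = defaultdict(Counter), []
    for ev in events:
        if ev["kind"] != "rename":
            continue
        ext = appended_extension(ev["src"], ev["dst"])
        if ext is None:
            continue
        per_actor[ev["actor"]][ext.lower()] += 1
        if ev["src"].lower().endswith(ext.lower()):
            reencrypted.append(ev["dst"])
    hits = {actor: ext for actor, c in per_actor.items()
            for ext, n in c.items() if n >= threshold}
    return {"hits": hits, "reencrypted": reencrypted}


def open_with_associations(events):
    """'.ext = <progid>_auto_file' class registrations. Windows writes these when
    an application is picked in the Open With dialog (shell32.dll,OpenAs_RunDLL);
    when the writer is rundll32.exe after such a launch, the keys are dialog side
    effects rather than a change made by the sample."""
    open_as_seen = any(ev["kind"] == "process" and "OpenAs_RunDLL" in ev["cmdline"]
                       for ev in events)
    out = []
    for ev in events:
        if ev["kind"] != "regset":
            continue
        m = AUTO_FILE_KEY.search(ev["key"])
        if not m or not ev["value"].lower().endswith("_auto_file"):
            continue
        out.append({"ext": m.group(1), "progid": ev["value"], "writer": ev["actor"],
                    "open_with_dialog": open_as_seen and ev["actor"].lower() == "rundll32.exe"})
    return out


def notepad_targets(events, ransom_exts):
    """Files handed to NOTEPAD.EXE, flagging those that carry a flagged suffix:
    an encrypted victim file, not a ransom note, as on this page."""
    out = []
    for ev in events:
        if ev["kind"] != "process" or ev["image"].lower() != "notepad.exe":
            continue
        m = CMD_TARGET.match(ev["cmdline"])
        target = m.group(1) if m else ""
        out.append({"parent": ev["actor"], "target": target,
                    "encrypted_victim_file": any(target.lower().endswith(e) for e in ransom_exts)})
    return out


def triage(events):
    renames = mass_rename(events)
    return {"renames": renames,
            "associations": open_with_associations(events),
            "notepad": notepad_targets(events, set(renames["hits"].values()))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run stand-alone it prints the verdicts for the constructed events: Done.exe is the only actor crossing the rename threshold, the two later WatchCompress renames are recorded as re-encryption, the .RobCryptor association is marked as an Open With side effect, and the Notepad target is classified as an encrypted file. On real telemetry the same split tells you which of the report's IoCs belong to the sample and which to the analyst's interaction.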
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\Desktop\WatchCompress.xltx.RobCryptor.RobCryptor.RobCryptor
  Filesize: 769KB
  MD5: dde303f9d6b15ded3c03e2b859dbecae
  SHA1: 489dea66233d59c714e45db67a731141765a1716
  SHA256: 2d8bad2ae7c866de14b517fdf8b04ddde6d0cd08e0bab48b1efd759d6bf779c9
  SHA512: bc678763f32b295e2c6a8ef658bf05935337013e8172d03cb84a7cd8bb217a60abfd7304ed9587bcc4bfc2317a89e8debaa687b4580b555252e7569aaae3c63e
- Memory dumps of PID 2900 (Done.exe):
  - memory/2900-0-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp (Filesize: 4KB)
  - memory/2900-1-0x0000000000DF0000-0x0000000000E14000-memory.dmp (Filesize: 144KB)
  - memory/2900-2-0x0000000000240000-0x000000000024E000-memory.dmp (Filesize: 56KB)
  - memory/2900-3-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp (Filesize: 9.9MB)
  - memory/2900-172-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp (Filesize: 9.9MB)