Analysis
- max time kernel: 27s
- max time network: 17s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/05/2024, 00:21
Static task: static1
Behavioral task: behavioral1
- Sample: DonnyhubPremium.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: DonnyhubPremium.exe
- Resource: win10v2004-20240508-en
General
- Target: DonnyhubPremium.exe
- Size: 722KB
- MD5: 34e3ccf886e1321131be0ea9e28d16ac
- SHA1: 545343c4298a6fa9a8e4350be6b0ef1dedfeafe0
- SHA256: f56f8f938febb9ebade541493d3c9ea9bf64dfa78597e2ec9dba545e9afb1578
- SHA512: ee305fc82b7e2f868a11b585861f239c7d27d149a82a483b2154f71230c4e3e94f26dd10036a2045f1a01b9f265210bbda5a18919a3b38352d729457068ae464
- SSDEEP: 12288:BO7FJJ7gIgVj2du42aCrMP5IaAPD67w9rVad7FtJ7gIDVj2du42a1:U7FJJMPRAu4fC45wu7we7FtJMsRAu4f1
Malware Config
Signatures
- Renames multiple (546) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Windows directory (64 IoCs)
  description | ioc | Process
  File created | C:\Windows\diagnostics\system\Video\fr-FR\DiagPackage.dll.mui | DonnyhubPremium.exe
  File opened for modification | C:\Windows\INF\hdaudbus.PNF | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Keyboard\en-US\DiagPackage.dll.mui | DonnyhubPremium.exe
  File created | C:\Windows\INF\rdpidd.inf | DonnyhubPremium.exe
  File opened for modification | C:\Windows\INF\storufs.PNF | DonnyhubPremium.exe
  File created | C:\Windows\Boot\EFI\de-DE\bootmgfw.efi.mui | DonnyhubPremium.exe
  File created | C:\Windows\Fonts\ega40852.fon | DonnyhubPremium.exe
  File created | C:\Windows\Fonts\sserifft.fon | DonnyhubPremium.exe
  File created | C:\Windows\Boot\EFI\nb-NO\memtest.efi.mui | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Speech\CL_Utilities.ps1 | DonnyhubPremium.exe
  File opened for modification | C:\Windows\INF\npsvctrig.PNF | DonnyhubPremium.exe
  File opened for modification | C:\Windows\INF\wvmgid.PNF | DonnyhubPremium.exe
  File created | C:\Windows\Microsoft.NET\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\normnfkd.nlp | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\IESecurity\RS_IESecuritylevels.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Power\TS_IdleDiskTimeout.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary\fr-FR\CL_LocalizationData.psd1 | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\WindowsUpdate\RC_Pendingupdates.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\INF\circlass.inf | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\scheduled\Maintenance\RS_MachineWERQueue.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\Media\Windows Battery Critical.wav | DonnyhubPremium.exe
  File created | C:\Windows\Fonts\sseriff.fon | DonnyhubPremium.exe
  File created | C:\Windows\INF\rtvdevx64.inf | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Apps\it-IT\DiagPackage.dll.mui | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\TS_NetworkCacheCorrupted.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\ImmersiveControlPanel\images\logo.scale-200_altform-unplated.png | DonnyhubPremium.exe
  File created | C:\Windows\Boot\EFI\nl-NL\memtest.efi.mui | DonnyhubPremium.exe
  File created | C:\Windows\Cursors\busy_i.cur | DonnyhubPremium.exe
  File created | C:\Windows\Help\mui\040C\odbcjet.chm | DonnyhubPremium.exe
  File created | C:\Windows\ImmersiveControlPanel\images\TileSmall.contrast-black_scale-100.png | DonnyhubPremium.exe
  File created | C:\Windows\ImmersiveControlPanel\images\TileSmall.scale-125.png | DonnyhubPremium.exe
  File created | C:\Windows\INF\mdmntt1.inf | DonnyhubPremium.exe
  File created | C:\Windows\Boot\PCAT\nl-NL\bootmgr.exe.mui | DonnyhubPremium.exe
  File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.PowerPoint\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.config | DonnyhubPremium.exe
  File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.SmartTag\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.config | DonnyhubPremium.exe
  File created | C:\Windows\INF\.NET CLR Networking 4.0.0.0\_NetworkingPerfCounters.h | DonnyhubPremium.exe
  File created | C:\Windows\L2Schemas\LAN_policy_v1.xsd | DonnyhubPremium.exe
  File created | C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\BITS\uk-UA\CL_LocalizationData.psd1 | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\PCW\en-US\CL_LocalizationData.psd1 | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Speech\fr-FR\DiagPackage.dll.mui | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\WindowsUpdate\VF_GenWUError.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\INF\hdaudio.inf | DonnyhubPremium.exe
  File opened for modification | C:\Windows\INF\PERFLIB\0000\perfc.dat | DonnyhubPremium.exe
  File created | C:\Windows\Boot\Resources\es-ES\bootres.dll.mui | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Networking\DiagPackage.diagpkg | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\WindowsUpdate\it-IT\CL_LocalizationData.psd1 | DonnyhubPremium.exe
  File created | C:\Windows\Fonts\serifee.fon | DonnyhubPremium.exe
  File created | C:\Windows\INF\mdmar1.inf | DonnyhubPremium.exe
  File created | C:\Windows\it-IT\winhlp32.exe.mui | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Device\ja-JP\CL_LocalizationData.psd1 | DonnyhubPremium.exe
  File created | C:\Windows\Fonts\cga40857.fon | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Search\RS_StartIndexingService.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\Cursors\aero_unavail_xl.cur | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\Audio\RS_ChangeVolume.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\IEBrowseWeb\TS_IEconnection.ps1 | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\IEBrowseWeb\en-US\RS_RestoreIEconnection.psd1 | DonnyhubPremium.exe
  File created | C:\Windows\diagnostics\system\IEBrowseWeb\fr-FR\RS_DisableAddon.psd1 | DonnyhubPremium.exe
  File created | C:\Windows\Logs\waasmedic\waasmedic.20240508_120938_890.etl | DonnyhubPremium.exe
  File created | C:\Windows\Media\Windows Notify.wav | DonnyhubPremium.exe
  File opened for modification | C:\Windows\INF\wgencounter.PNF | DonnyhubPremium.exe
  File created | C:\Windows\apppatch\sysmain.sdb | DonnyhubPremium.exe
  File created | C:\Windows\Cursors\size2_rm.cur | DonnyhubPremium.exe
  File created | C:\Windows\Cursors\wait_rl.cur | DonnyhubPremium.exe
  File created | C:\Windows\Help\mui\0409\odbcinst.chm | DonnyhubPremium.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 1608 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1608 | AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1992 | DonnyhubPremium.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DonnyhubPremium.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DonnyhubPremium.exe"
  PID: 1992
  Signatures: Drops file in Windows directory; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\StepNew.cmd" "
  PID: 2592
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x494 0x508
  PID: 1608
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\StepNew.cmd" "
  PID: 1696
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\StepNew.cmd" "
  PID: 1548
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConvertSplit.cmd" "
  PID: 2292