Malware Analysis Report

2024-09-23 12:04

Sample ID 240612-nmdecswgkq
Target Ransomware PowerPoint.exe
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

Threat Level: Shows suspicious behavior

The file Ransomware PowerPoint.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 11:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 11:30

Reported

2024-06-12 11:30

Platform

win7-20240508-en

Max time kernel

3s

Max time network

3s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe N/A
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe

"C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe"

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2368-0-0x000000002AA00000-0x000000002AA24000-memory.dmp

\Users\Admin\AppData\Local\Temp\sys3.exe

MD5 70108103a53123201ceb2e921fcfe83c
SHA1 c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

memory/2368-9-0x000000002AA00000-0x000000002AA24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 214748056d47a2418b469bf7520556f2
SHA1 93c561cac44213ad6de3ccf0e6b6dcb0a39cb09e
SHA256 5ecbf39656b95ffa447f42cace84eb2c01fd5af713c9fd0e33e78b9d138ef42f
SHA512 55fb4805bcbed7fcd437a4bfb1de6a1b233cc2294a5082a8e1f782673f62061c9714547cd2853f5c6cb77882f7e560bcfc1db7eb0526f6eb967565c979f78017

memory/2696-12-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/2476-13-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 11:30

Reported

2024-06-12 11:31

Platform

win10v2004-20240611-en

Max time kernel

2s

Max time network

7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe N/A
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197" C:\Windows\system32\LogonUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sys3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe

"C:\Users\Admin\AppData\Local\Temp\Ransomware PowerPoint.exe"

C:\Users\Admin\AppData\Local\Temp\sys3.exe

C:\Users\Admin\AppData\Local\Temp\\sys3.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3994855 /state1:0x41c64e6d

Network

N/A

Files

memory/3528-0-0x000000002AA00000-0x000000002AA24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sys3.exe

MD5 70108103a53123201ceb2e921fcfe83c
SHA1 c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA256 9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512 996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

C:\Users\Admin\AppData\Local\Temp\systm.txt

MD5 214748056d47a2418b469bf7520556f2
SHA1 93c561cac44213ad6de3ccf0e6b6dcb0a39cb09e
SHA256 5ecbf39656b95ffa447f42cace84eb2c01fd5af713c9fd0e33e78b9d138ef42f
SHA512 55fb4805bcbed7fcd437a4bfb1de6a1b233cc2294a5082a8e1f782673f62061c9714547cd2853f5c6cb77882f7e560bcfc1db7eb0526f6eb967565c979f78017