Malware Analysis Report

2024-09-23 05:12

Sample ID 240613-ktd3pa1hpe
Target personalize.exe
SHA256 025f83869ee5f01bc3dfc3bb3b8843075a870037aef6be668df176108e2cf302
Tags
evasion ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

025f83869ee5f01bc3dfc3bb3b8843075a870037aef6be668df176108e2cf302

Threat Level: Likely malicious

The file personalize.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion ransomware

Modifies boot configuration data using bcdedit

Unsigned PE

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:53

Reported

2024-06-13 08:56

Platform

win7-20240611-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\personalize.exe"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\personalize.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\personalize.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\personalize.exe C:\Windows\system32\cmd.exe
PID 1560 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1560 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1560 wrote to memory of 1624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1560 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 1560 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 1560 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 1560 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 1560 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 1560 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 1560 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 1560 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 1560 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\personalize.exe

"C:\Users\Admin\AppData\Local\Temp\personalize.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D2A.tmp\D2B.tmp\D3C.bat C:\Users\Admin\AppData\Local\Temp\personalize.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\notepad.exe

notepad sources\URDED.txt

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\D2A.tmp\D2B.tmp\D3C.bat

MD5 854bb3fd367a6d061dae6f6564ff2d51
SHA1 283cbaf7f2d1ec19c67698bf90013f80397ae8ee
SHA256 4aaf15fb5689c0d61a7a62b4d40fc2494fa849c334174a69a5d99aa809512b5c
SHA512 109c05b6d83be08ffa8be3e5ae9c83153cab4b8c2c389fa15805fcb4f73feae0b7d29dd6ae80531663adde546c1b62526f7e6ae5688ba034ea28dc3825b18f3b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:53

Reported

2024-06-13 08:56

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\personalize.exe"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\personalize.exe

"C:\Users\Admin\AppData\Local\Temp\personalize.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4E6E.tmp\4E6F.tmp\4E70.bat C:\Users\Admin\AppData\Local\Temp\personalize.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\choice.exe

choice /c yn /n /m ""

C:\Windows\system32\notepad.exe

notepad sources\URDED.txt

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

Network

Files

C:\Users\Admin\AppData\Local\Temp\4E6E.tmp\4E6F.tmp\4E70.bat

MD5 854bb3fd367a6d061dae6f6564ff2d51
SHA1 283cbaf7f2d1ec19c67698bf90013f80397ae8ee
SHA256 4aaf15fb5689c0d61a7a62b4d40fc2494fa849c334174a69a5d99aa809512b5c
SHA512 109c05b6d83be08ffa8be3e5ae9c83153cab4b8c2c389fa15805fcb4f73feae0b7d29dd6ae80531663adde546c1b62526f7e6ae5688ba034ea28dc3825b18f3b