Analysis
max time kernel: 138s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2024, 23:15

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: killer.exe
Resource: win10v2004-20240709-en
General
Target: killer.exe
Size: 166KB
MD5: 7b3a7907f0489945935bd78d6a8c8df7
SHA1: 09baf051a0fcbfec678f5962678ef1041d06b325
SHA256: 16512770eb74b8a655e747a260302126936ca1d426ed79d9fd7aadd371317579
SHA512: c6da2f2d19b1f195ba738b619daf0db54d1384678c2b97a13760f6e72315b10dfe0eed228b0a777e2ba7e487306a400d202d48b16271c5880e2e4ad6030f5082
SSDEEP: 3072:oahKyd2n3175GWp1icKAArDZz4N9GhbkrNEk+5fJ3qa1qtzF:oahOTp0yN90QE0
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  process: killer.exe
  Note: a RunOnce value named wextract_cleanupN that points advpack.dll,DelNodeRunDLL32 at an IXPnnn.TMP folder is the cleanup entry written by the Windows self-extracting cabinet stub (wextract, as produced by IExpress). It deletes the extraction directory at next logon and does not re-launch the sample. Together with the IXP000.TMP path in the process list, it shows killer.exe is such a self-extractor; treat this persistence hit as a packaging artifact rather than attacker persistence.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 59
  ioc: ipinfo.io
  Note: the request in the process tree is curl -s ipinfo.io/1.1.1.1, a geolocation query for the fixed address 1.1.1.1 rather than for the sandbox's own egress address (the bare ipinfo.io endpoint is what returns the caller's address). The signature matches on the ipinfo.io domain, so the description overstates what was observed.
- Opens file in notepad (likely ransom note) (1 IoC)
  pid: 4656
  process: NOTEPAD.EXE
  Note: the file opened is C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\killer.bat, the batch script extracted by the sample, not a ransom note. The "likely ransom note" wording is the signature's generic heuristic and does not apply to this run.
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid: 4656
  process: NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | process | procid_target
  PID 1136 wrote to memory of 4364 | 1136 | killer.exe | 84
  PID 1136 wrote to memory of 4364 | 1136 | killer.exe | 84
  PID 4364 wrote to memory of 3868 | 4364 | cmd.exe | 86
  PID 4364 wrote to memory of 3868 | 4364 | cmd.exe | 86
  PID 4364 wrote to memory of 4236 | 4364 | cmd.exe | 106
  PID 4364 wrote to memory of 4236 | 4364 | cmd.exe | 106
  PID 4364 wrote to memory of 2248 | 4364 | cmd.exe | 107
  PID 4364 wrote to memory of 2248 | 4364 | cmd.exe | 107
  PID 4364 wrote to memory of 1680 | 4364 | cmd.exe | 108
  PID 4364 wrote to memory of 1680 | 4364 | cmd.exe | 108
  PID 4364 wrote to memory of 1324 | 4364 | cmd.exe | 109
  PID 4364 wrote to memory of 1324 | 4364 | cmd.exe | 109
  PID 4364 wrote to memory of 2400 | 4364 | cmd.exe | 110
  PID 4364 wrote to memory of 2400 | 4364 | cmd.exe | 110
  PID 4364 wrote to memory of 2312 | 4364 | cmd.exe | 111
  PID 4364 wrote to memory of 2312 | 4364 | cmd.exe | 111
  PID 4364 wrote to memory of 3412 | 4364 | cmd.exe | 112
  PID 4364 wrote to memory of 3412 | 4364 | cmd.exe | 112
  PID 4364 wrote to memory of 1492 | 4364 | cmd.exe | 113
  PID 4364 wrote to memory of 1492 | 4364 | cmd.exe | 113
  PID 4364 wrote to memory of 2216 | 4364 | cmd.exe | 114
  PID 4364 wrote to memory of 2216 | 4364 | cmd.exe | 114
  PID 4364 wrote to memory of 3504 | 4364 | cmd.exe | 115
  PID 4364 wrote to memory of 3504 | 4364 | cmd.exe | 115
  Each parent/child pair is listed twice because the sandbox records two writes per process creation; these are ordinary parent-to-child writes made when cmd.exe spawns its children, not injection into unrelated processes.
Processes
- C:\Users\Admin\AppData\Local\Temp\killer.exe (PID 1136)
  command line: "C:\Users\Admin\AppData\Local\Temp\killer.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 4364)
    command line: cmd /c "killer.bat"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 3868)
      command line: chcp 65001
    - C:\Windows\system32\curl.exe (PID 4236)
      command line: curl -s ipinfo.io/1.1.1.1
    - C:\Windows\system32\findstr.exe (PID 2248)
      command line: findstr /R /C:"\"city\":" /C:"\"postal\":" /C:"\"country\":" /C:"\"loc\":" /C:"\"timezone\":"
    - C:\Windows\system32\cmd.exe (PID 1680)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo "
    - C:\Windows\system32\findstr.exe (PID 1324)
      command line: findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"
    - C:\Windows\system32\cmd.exe (PID 2400)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo "
    - C:\Windows\system32\findstr.exe (PID 2312)
      command line: findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"
    - C:\Windows\system32\cmd.exe (PID 3412)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo "
    - C:\Windows\system32\findstr.exe (PID 1492)
      command line: findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"
    - C:\Windows\system32\cmd.exe (PID 2216)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo "
    - C:\Windows\system32\findstr.exe (PID 3504)
      command line: findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"
- C:\Windows\System32\rundll32.exe (PID 3048)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\NOTEPAD.EXE (PID 4656)
  command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\killer.bat
  signatures: Opens file in notepad (likely ransom note); Suspicious use of FindShellTrayWindow

Reading the tree: killer.exe is a self-extractor that unpacks killer.bat into IXP000.TMP and runs it through cmd /c. The batch switches the console to UTF-8 (chcp 65001), fetches ipinfo.io/1.1.1.1 with the built-in curl, greps the JSON for the city, postal, country, loc and timezone fields, then four times pipes a value through echo | findstr against an IPv4 pattern. The cmd /S /D /c" echo " children are how cmd.exe materialises the left side of such a pipe inside a for /f loop; the echo argument is empty in every captured command line, so the variable being tested appears to have been unset at that point. Note that the findstr pattern only checks for four groups of one to three digits, so it accepts values such as 999.999.999.999. No file writes outside the extraction folder, injection into other processes or additional payloads are visible in the tree; the observable behaviour is a geolocation lookup. The rundll32.exe and NOTEPAD.EXE entries have no parent in the tree and are not shown being launched by the sample.
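The following is an added example, not part of the sandbox report or of the sample. It rebuilds the process tree from the "Suspicious use of WriteProcessMemory" rows above (de-duplicating the paired entries), flags the Temp-directory executable -> cmd.exe -> IP-lookup chain, reports which address the ipinfo.io request actually queried, and classifies the RunOnce value from the "Adds Run key" signature as the self-extractor's own cleanup entry. The rows, command lines and registry value are copied from this report and embedded as constructed input; the list of lookup hosts other than ipinfo.io is an assumption for illustration.

```python
"""Rebuild a sandbox process tree from WriteProcessMemory rows, flag a
self-extractor -> cmd.exe -> IP-lookup chain, and recognise the wextract
RunOnce cleanup entry. Added example; input is constructed from the report."""
import re
from collections import defaultdict

# Constructed sample input: WriteProcessMemory rows from this report, in the
# report's column order (description, pid, process, procid_target). The
# sandbox lists each parent/child pair twice; parse_wpm de-duplicates.
WPM_ROWS = """\
PID 1136 wrote to memory of 4364 1136 killer.exe 84
PID 1136 wrote to memory of 4364 1136 killer.exe 84
PID 4364 wrote to memory of 3868 4364 cmd.exe 86
PID 4364 wrote to memory of 3868 4364 cmd.exe 86
PID 4364 wrote to memory of 4236 4364 cmd.exe 106
PID 4364 wrote to memory of 2248 4364 cmd.exe 107
PID 4364 wrote to memory of 1680 4364 cmd.exe 108
PID 4364 wrote to memory of 1324 4364 cmd.exe 109
"""

# Constructed sample input: command lines from the process tree, keyed by PID.
CMDLINES = {
    1136: r'"C:\Users\Admin\AppData\Local\Temp\killer.exe"',
    4364: 'cmd /c "killer.bat"',
    3868: "chcp 65001",
    4236: "curl -s ipinfo.io/1.1.1.1",
    2248: r'findstr /R /C:"\"city\":" /C:"\"country\":"',
    1680: r'C:\Windows\system32\cmd.exe /S /D /c" echo "',
    1324: r'findstr /r /i /c:"^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}$"',
}

# The RunOnce entry from the "Adds Run key" signature, as stored in the registry.
RUNONCE_NAME = "wextract_cleanup0"
RUNONCE_VALUE = (r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
                 r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"')

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_wpm(rows):
    """Return (children, image): parent PID -> set of child PIDs, and
    PID -> image name for every PID that appears as the writer."""
    children, image = defaultdict(set), {}
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parent, child, name = int(m.group(1)), int(m.group(2)), m.group(3)
            children[parent].add(child)
            image[parent] = name
    return children, image


def ancestry(children, pid):
    """PID followed by its parents up to the root, e.g. [4236, 4364, 1136]."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


# Assumption (not from the report): extra services to treat as IP lookups.
IP_LOOKUP_HOSTS = ("ipinfo.io", "api.ipify.org", "icanhazip.com", "ifconfig.me")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def ip_lookup_chains(children, image, cmdlines):
    """Processes contacting an IP-lookup host whose ancestry runs through
    cmd.exe back to an executable started from the user's Temp directory."""
    hits = []
    for pid, cmd in cmdlines.items():
        if not any(h in cmd.lower() for h in IP_LOOKUP_HOSTS):
            continue
        chain = ancestry(children, pid)
        via_cmd = any(image.get(p, "").lower() == "cmd.exe" for p in chain[1:])
        if via_cmd and TEMP_DIR_RE.search(cmdlines.get(chain[-1], "")):
            hits.append(chain)
    return hits


IPINFO_RE = re.compile(r"ipinfo\.io/(\d{1,3}(?:\.\d{1,3}){3})")


def ipinfo_target(cmd):
    """Address queried at ipinfo.io: a literal IP, 'self' for the bare endpoint
    (which returns the caller's own address), None if ipinfo.io is not used."""
    if "ipinfo.io" not in cmd.lower():
        return None
    m = IPINFO_RE.search(cmd)
    return m.group(1) if m else "self"


CLEANUP_VALUE_RE = re.compile(
    r'^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 "(.+\\IXP\d{3}\.TMP\\)"$',
    re.IGNORECASE)


def is_wextract_cleanup(name, value):
    """True when a RunOnce entry is the self-extractor stub's own cleanup:
    wextract_cleanupN -> advpack DelNodeRunDLL32 on an IXPnnn.TMP folder."""
    return bool(re.fullmatch(r"wextract_cleanup\d+", name, re.IGNORECASE)
                and CLEANUP_VALUE_RE.match(value))


if __name__ == "__main__":
    children, image = parse_wpm(WPM_ROWS)
    for chain in ip_lookup_chains(children, image, CMDLINES):
        print("IP lookup chain:", " <- ".join(f"{p} {image.get(p, '')}".strip() for p in chain),
              "| queried:", ipinfo_target(CMDLINES[chain[0]]))
    print("RunOnce is self-extractor cleanup:", is_wextract_cleanup(RUNONCE_NAME, RUNONCE_VALUE))
```

Run against the report's data this prints one chain, 4236 curl <- 4364 cmd.exe <- 1136 killer.exe, with the queried address 1.1.1.1, and classifies the RunOnce value as cleanup. In a real triage pipeline the same functions would be fed the sandbox's JSON export rather than pasted rows.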
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
  MD5: 8ca095c00bed0f626ecfeb9d008b47cc
  SHA1: 582a3ffa8e1daa39b724af58abba84b679b4c937
  SHA256: 8c53f3acac40a6269c54c7428828f550dd7c3ce5eea5ff51bf54bd3e7db42032
  SHA512: afc87aad633305c812ed03fb1f3da02e4f9f49c3d5a3a467cde25ce855ba0db86f75ac4f393f5e8f07b3694dd412ab63a70afc986e7ccfcd348f5624622a6936