a8792f56e1551e5d640be438830297e1e8a2503201e8b41062d4e2ba99131fd9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rkill.exe
Size

1.7MB
MD5

6d622dcc87edc9a7b10d35372ade816b
SHA1

47d98825b03c507b85dec02a2297e03ebc925f30
SHA256

d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a
SHA512

ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58
SSDEEP

49152:KpEsgw14kZV2HXsMnmjEREseBSsxHnfXsrHYi2Yijig:0wYJYW

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

rkill64.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts rkill64.exe
Executes dropped EXE 1 IoCs

Processes:

rkill64.exe

pid process

1640 rkill64.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rkill.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

Notepad.exe

pid process

4496 Notepad.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rkill64.exe

pid process

1640 rkill64.exe
1640 rkill64.exe
1640 rkill64.exe
1640 rkill64.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rkill.exerkill64.exe

description pid process

Token: SeDebugPrivilege 316 rkill.exe
Token: SeDebugPrivilege 1640 rkill64.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	rkill64.exe

pid	process
1640	rkill64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rkill.exe

pid	process
4496	Notepad.exe

pid	process
1640	rkill64.exe
1640	rkill64.exe
1640	rkill64.exe
1640	rkill64.exe

description	pid	process
Token: SeDebugPrivilege	316	rkill.exe
Token: SeDebugPrivilege	1640	rkill64.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

rkill.exerkill64.exe

description	pid	process	target process
PID 316 wrote to memory of 1640	316	rkill.exe	rkill64.exe
PID 316 wrote to memory of 1640	316	rkill.exe	rkill64.exe
PID 1640 wrote to memory of 4496	1640	rkill64.exe	Notepad.exe
PID 1640 wrote to memory of 4496	1640	rkill64.exe	Notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\rkill.exe
"C:\Users\Admin\AppData\Local\Temp\rkill.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\rkill64.exe
  C:\Users\Admin\AppData\Local\Temp\rkill.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\System32\Notepad.exe
    Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rkill64.exe

Filesize
964KB

MD5
ae368c10327fe7a8e5c875360e529b35

SHA1
d69fad67631f48f2eee9109a368eb176356da531

SHA256
797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7

SHA512
e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
3KB

MD5
01ba8825a1c700292260b77327b7be3a

SHA1
228128bbf8971cb54712ef18873350c5402df09e

SHA256
c9b15ebfee13d24cf60dd7d3065a6d34a52f93ad603f3b297910230fb216ecf3

SHA512
818db28a3217170ea0dfffe16cdb5bbab4a0e33a8ba28185c6d99ebc01b5d1e3ca66345a1c6ae556c080941c6bdf303c1335a27103edca1b7a3e48fbc33b99cc

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
514B

MD5
4748e8bc20393b0eba2ec46550720d40

SHA1
2d2938d66d1365f918464d147ef5fc0c33051c1d

SHA256
ecf35b01f5e6db3d1b766d8cb67d1280c9318ea7285b233f2c5fcf6c2f298826

SHA512
5d0394f15efeeff0c2b60e8870f91789f3e310f354dc45137f89aa77afefe645d22ebdb5ab7f319b52c554f8f37bf4d74f19ce92d5408f341e58a253fe02492c

Download Submit