Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11-11-2024 06:13
General
-
Target
rkill.exe
-
Size
1.7MB
-
MD5
6d622dcc87edc9a7b10d35372ade816b
-
SHA1
47d98825b03c507b85dec02a2297e03ebc925f30
-
SHA256
d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a
-
SHA512
ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58
-
SSDEEP
49152:KpEsgw14kZV2HXsMnmjEREseBSsxHnfXsrHYi2Yijig:0wYJYW
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rkill.exe"C:\Users\Admin\AppData\Local\Temp\rkill.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rkill64.exeC:\Users\Admin\AppData\Local\Temp\rkill.exe2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Notepad.exeNotepad.exe C:\Users\Admin\Desktop\Rkill.txt3⤵
- Opens file in notepad (likely ransom note)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD54f071695e8365426203fee885604b5d4
SHA1a4421229b249a73f93d36bda16d266bf39b952c9
SHA256a0ffc62ff9c749d9066fede80f4ba5c4fed8795b7eed8644b6f70602d94e9b5d
SHA512406153329bf80aef5894298e54e75fb855290c0e3a64e591dd4f00b53a1372337189e2bc9a84fc358508b054ee4bc7ffd2b3be7ba58345412b8739df55b7bfe4
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
964KB
MD5ae368c10327fe7a8e5c875360e529b35
SHA1d69fad67631f48f2eee9109a368eb176356da531
SHA256797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7
SHA512e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67