a8792f56e1551e5d640be438830297e1e8a2503201e8b41062d4e2ba99131fd9

Analysis

max time kernel
94s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rkill.exe
Size

1.7MB
MD5

6d622dcc87edc9a7b10d35372ade816b
SHA1

47d98825b03c507b85dec02a2297e03ebc925f30
SHA256

d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a
SHA512

ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58
SSDEEP

49152:KpEsgw14kZV2HXsMnmjEREseBSsxHnfXsrHYi2Yijig:0wYJYW

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

rkill64.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts rkill64.exe
Executes dropped EXE 1 IoCs

Processes:

rkill64.exe

pid process

1480 rkill64.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

rkill.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

Notepad.exe

pid process

2984 Notepad.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rkill64.exe

pid process

1480 rkill64.exe
1480 rkill64.exe
1480 rkill64.exe
1480 rkill64.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rkill.exerkill64.exe

description pid process

Token: SeDebugPrivilege 5084 rkill.exe
Token: SeDebugPrivilege 1480 rkill64.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	rkill64.exe

pid	process
1480	rkill64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rkill.exe

pid	process
2984	Notepad.exe

pid	process
1480	rkill64.exe
1480	rkill64.exe
1480	rkill64.exe
1480	rkill64.exe

description	pid	process
Token: SeDebugPrivilege	5084	rkill.exe
Token: SeDebugPrivilege	1480	rkill64.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

rkill.exerkill64.exe

description	pid	process	target process
PID 5084 wrote to memory of 1480	5084	rkill.exe	rkill64.exe
PID 5084 wrote to memory of 1480	5084	rkill.exe	rkill64.exe
PID 1480 wrote to memory of 2984	1480	rkill64.exe	Notepad.exe
PID 1480 wrote to memory of 2984	1480	rkill64.exe	Notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\rkill.exe
"C:\Users\Admin\AppData\Local\Temp\rkill.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\rkill64.exe
  C:\Users\Admin\AppData\Local\Temp\rkill.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\System32\Notepad.exe
    Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rkill64.exe

Filesize
964KB

MD5
ae368c10327fe7a8e5c875360e529b35

SHA1
d69fad67631f48f2eee9109a368eb176356da531

SHA256
797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7

SHA512
e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
514B

MD5
4748e8bc20393b0eba2ec46550720d40

SHA1
2d2938d66d1365f918464d147ef5fc0c33051c1d

SHA256
ecf35b01f5e6db3d1b766d8cb67d1280c9318ea7285b233f2c5fcf6c2f298826

SHA512
5d0394f15efeeff0c2b60e8870f91789f3e310f354dc45137f89aa77afefe645d22ebdb5ab7f319b52c554f8f37bf4d74f19ce92d5408f341e58a253fe02492c

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
3KB

MD5
8b6a29ccf063a54527d207b01be5e999

SHA1
6efab8a54679ea5aa75292747831b1ea06d90ea9

SHA256
f5173c83e6f8e2e86405a7f891ae179faa4009fd05a28815ddf6f2466845e90e

SHA512
255a0742eae75237659e048b3820ca3e2caed3a3bf5e4053491770b660124b0a8d962dcb5b794d766ea32ca02826a5888f42f81a8a022533835ed9cebf8fb845

Download Submit