Analysis

max time kernel: 94s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 06:13
Behavioral tasks

behavioral1: Setup.exe on win7-20240903-en
behavioral2: Setup.exe on win10v2004-20241007-en
behavioral3: rkill.exe on win7-20240903-en
behavioral4: rkill.exe on win10v2004-20241007-en

This page reports behavioral4 (rkill.exe on win10v2004-20241007-en), matching the platform and resource listed above.
General

Target: rkill.exe
Size: 1.7MB
MD5: 6d622dcc87edc9a7b10d35372ade816b
SHA1: 47d98825b03c507b85dec02a2297e03ebc925f30
SHA256: d4ac5b3c525a5fd94019d80ff81b552e73b19b1bd0a554b9609cdd5e1b00955a
SHA512: ed06f872a7c66ffeeb8cb8f6fedca06ccabf623f9cd188c4c7105428e8d6521ef8da0bac0564e14d2da914d2846369a9c04577a8cf7fb80cb62831e5497f2a58
SSDEEP: 49152:KpEsgw14kZV2HXsMnmjEREseBSsxHnfXsrHYi2Yijig:0wYJYW
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\System32\drivers\etc\hosts  (process: rkill64.exe)

Executes dropped EXE (1 IoC)
  PID 1480: rkill64.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: rkill.exe)

Opens file in notepad (likely ransom note) (1 IoC)
  PID 2984: Notepad.exe
  Caveat: the Processes section shows this Notepad.exe was launched by rkill64.exe to open C:\Users\Admin\Desktop\Rkill.txt. The "ransom note" label is a heuristic that fires on a text file being opened in Notepad; treat it as a prompt to inspect Rkill.txt, not as confirmation of a ransom note.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1480: rkill64.exe  (4 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 5084  rkill.exe
  Token: SeDebugPrivilege  PID 1480  rkill64.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process      procid_target
  PID 5084 wrote to memory of 1480   5084  rkill.exe    85
  PID 5084 wrote to memory of 1480   5084  rkill.exe    85
  PID 1480 wrote to memory of 2984   1480  rkill64.exe  98
  PID 1480 wrote to memory of 2984   1480  rkill64.exe  98
  Each write is reported twice. In both cases the target (1480, then 2984) is a process the writer itself spawned according to the Processes section; no write into an unrelated process is recorded.

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\rkill.exe  PID 5084
  command line: "C:\Users\Admin\AppData\Local\Temp\rkill.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\rkill64.exe  PID 1480  (child of 5084)
    command line: C:\Users\Admin\AppData\Local\Temp\rkill.exe
    (note: the image path is rkill64.exe while the reported command line names rkill.exe)
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Notepad.exe  PID 2984  (child of 1480)
      command line: Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
      - Opens file in notepad (likely ransom note)
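The WriteProcessMemory hits in the Signatures section and the process tree above can be cross-checked mechanically rather than by eye. The following Python is an added triage example, not part of the sandbox report and not code from rkill: it parses the report's flattened IoC rows (copied here as constructed input), rebuilds the parent/child relation from the Processes section, and labels each distinct write as parent-to-child (what a launcher spawning its own helper looks like), unrelated-target (the classic injection pattern) or unknown-target. It generalizes beyond this report in that the classifier also handles targets that are not in the tree at all; the PROCESS_TREE mapping and the child/unrelated/unknown labels are this example's own conventions.

```python
import re
from collections import Counter

# Constructed input: the report's "Suspicious use of WriteProcessMemory" rows
# (description, pid, Process, procid_target) as the page flattens them.
WPM_ROWS = """\
PID 5084 wrote to memory of 1480 5084 rkill.exe 85
PID 5084 wrote to memory of 1480 5084 rkill.exe 85
PID 1480 wrote to memory of 2984 1480 rkill64.exe 98
PID 1480 wrote to memory of 2984 1480 rkill64.exe 98
"""

# Process tree transcribed from the report's "Processes" section:
# pid -> (image name, parent pid). Own mapping, built for this example.
PROCESS_TREE = {
    5084: ("rkill.exe", None),
    1480: ("rkill64.exe", 5084),
    2984: ("Notepad.exe", 1480),
}

# Row shape: "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>".
# The trailing number is the sandbox's own object id for the target, not an OS PID.
ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid>\d+)"
)


def parse_wpm_rows(text):
    """Parse flattened IoC rows into (writer_pid, target_pid, writer_image) tuples."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {line!r}")
        events.append((int(m["writer"]), int(m["target"]), m["image"]))
    return events


def classify_writes(events, tree):
    """Label each distinct write by its relation to the process tree.

    'child'     : the target's parent is the writer (a launcher writing into a
                  helper it just spawned; expected at process-creation time)
    'unrelated' : the target is in the tree but was not spawned by the writer
                  (the injection pattern; worth a closer look)
    'unknown'   : the target PID does not appear in the tree at all
    """
    counts = Counter(events)  # collapse the duplicated rows, keep the count
    result = []
    for (writer, target, image), n in counts.items():
        if target not in tree:
            relation = "unknown"
        elif tree[target][1] == writer:
            relation = "child"
        else:
            relation = "unrelated"
        result.append({
            "writer": writer, "writer_image": image, "target": target,
            "target_image": tree.get(target, ("?",))[0],
            "relation": relation, "occurrences": n,
        })
    return result


def suspicious_writes(events, tree):
    """Return only the writes that do not fit the parent-to-child pattern."""
    return [w for w in classify_writes(events, tree) if w["relation"] != "child"]


if __name__ == "__main__":
    evts = parse_wpm_rows(WPM_ROWS)
    for w in classify_writes(evts, PROCESS_TREE):
        print(f"{w['writer']} ({w['writer_image']}) -> {w['target']} "
              f"({w['target_image']}): {w['relation']} x{w['occurrences']}")
    print("suspicious:", suspicious_writes(evts, PROCESS_TREE))
```

For this report the two distinct writes both come out as parent-to-child, which is why the "suspicious" list is empty even though the sandbox flagged the API use; a write into a process the writer did not spawn (for example an existing explorer.exe) is what would surface as "unrelated".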
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 964KB
  MD5: ae368c10327fe7a8e5c875360e529b35
  SHA1: d69fad67631f48f2eee9109a368eb176356da531
  SHA256: 797f0917162e74e64f556fd467cc13d10401e826309c3ed889574889a96b88c7
  SHA512: e7e6e4d29dfdc537b21fdffc6c1ac0674b55fdf6c61e5fecfbdde1fa271903db1291c50bac3263bc9f4ee7797689542f29770e0d98b8180453c39bc6058a5c67

File 2
  Filesize: 514B
  MD5: 4748e8bc20393b0eba2ec46550720d40
  SHA1: 2d2938d66d1365f918464d147ef5fc0c33051c1d
  SHA256: ecf35b01f5e6db3d1b766d8cb67d1280c9318ea7285b233f2c5fcf6c2f298826
  SHA512: 5d0394f15efeeff0c2b60e8870f91789f3e310f354dc45137f89aa77afefe645d22ebdb5ab7f319b52c554f8f37bf4d74f19ce92d5408f341e58a253fe02492c

File 3
  Filesize: 3KB
  MD5: 8b6a29ccf063a54527d207b01be5e999
  SHA1: 6efab8a54679ea5aa75292747831b1ea06d90ea9
  SHA256: f5173c83e6f8e2e86405a7f891ae179faa4009fd05a28815ddf6f2466845e90e
  SHA512: 255a0742eae75237659e048b3820ca3e2caed3a3bf5e4053491770b660124b0a8d962dcb5b794d766ea32ca02826a5888f42f81a8a022533835ed9cebf8fb845