Analysis
max time kernel: 150s
max time network: 47s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 05:54
Static task: static1
Behavioral task: behavioral1 (Sample: FastAimX64.exe, Resource: win7-20240611-en)
Behavioral task: behavioral2 (Sample: FastAimX64.exe, Resource: win10v2004-20240611-en)
Behavioral task: behavioral3 (Sample: Automatic_converter_rff_to_mp4.exe, Resource: win7-20240419-en)
Behavioral task: behavioral4 (Sample: Automatic_converter_rff_to_mp4.exe, Resource: win10v2004-20240508-en)
Behavioral task: behavioral5 (Sample: install.bat, Resource: win7-20240611-en)
Behavioral task: behavioral6 (Sample: install.bat, Resource: win10v2004-20240226-en)
Behavioral task: behavioral7 (Sample: install_python.bat, Resource: win7-20240508-en)
Behavioral task: behavioral8 (Sample: install_python.bat, Resource: win10v2004-20240508-en)
General
Target: Automatic_converter_rff_to_mp4.exe
Size: 322KB
MD5: 1b4f89bdb12a349de92ca7f1261e67a0
SHA1: f368916850332757d7ed2f0ee335c16b9c9fc95b
SHA256: d4c83205cf6f3098ab6a757312525f4d14a57a819306eeea5c0d022b00b38cf3
SHA512: f2f7985fbf462bc35e099b58308ddef91320d3d81040f77e7c1c0a3cfc3a4da50c849efd0f063c839848a80927398cc24bc8368d5b0b92014abe2ea7bdc2ddeb
SSDEEP: 6144:iibVlHNEHBpDDf2vfQ21NV0zUiCqWjH6YPON9q:igtCpPfGfZSWPf
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: WormLocker2.0.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"  [WormLocker2.0.exe]

Disables Task Manager via registry modification

Possible privilege escalation attempt (2 IoCs)
  Processes: icacls.exe, takeown.exe
  PID 220: icacls.exe
  PID 224: takeown.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Automatic_converter_rff_to_mp4.exe, WormLocker2.0.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  [Automatic_converter_rff_to_mp4.exe]
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  [WormLocker2.0.exe]

Executes dropped EXE (1 IoC)
  Processes: WormLocker2.0.exe
  PID 536: WormLocker2.0.exe

Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  PID 224: takeown.exe
  PID 220: icacls.exe

Drops file in System32 directory (6 IoCs)
  Processes: Automatic_converter_rff_to_mp4.exe
  File opened for modification: C:\Windows\System32\WormLocker2.0.exe  [Automatic_converter_rff_to_mp4.exe]
  File created: C:\Windows\System32\LogonUItrue.exe  [Automatic_converter_rff_to_mp4.exe]
  File opened for modification: C:\Windows\System32\LogonUItrue.exe  [Automatic_converter_rff_to_mp4.exe]
  File created: C:\Windows\System32\LogonUI.exe  [Automatic_converter_rff_to_mp4.exe]
  File opened for modification: C:\Windows\System32\LogonUIinf.exe  [Automatic_converter_rff_to_mp4.exe]
  File opened for modification: C:\Windows\System32\ransom_voice.vbs  [Automatic_converter_rff_to_mp4.exe]

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Processes: WormLocker2.0.exe
  Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  [WormLocker2.0.exe]

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: WormLocker2.0.exe
  PID 536: WormLocker2.0.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: takeown.exe, WormLocker2.0.exe, AUDIODG.EXE
  Token: SeTakeOwnershipPrivilege  PID 224 takeown.exe
  Token: SeDebugPrivilege  PID 536 WormLocker2.0.exe
  Token: 33  PID 2320 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  PID 2320 AUDIODG.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: Automatic_converter_rff_to_mp4.exe, cmd.exe, WormLocker2.0.exe
  PID 928 (Automatic_converter_rff_to_mp4.exe) wrote to memory of PID 4912 (cmd.exe)
  PID 928 (Automatic_converter_rff_to_mp4.exe) wrote to memory of PID 4912 (cmd.exe)
  PID 4912 (cmd.exe) wrote to memory of PID 224 (takeown.exe)
  PID 4912 (cmd.exe) wrote to memory of PID 224 (takeown.exe)
  PID 4912 (cmd.exe) wrote to memory of PID 220 (icacls.exe)
  PID 4912 (cmd.exe) wrote to memory of PID 220 (icacls.exe)
  PID 928 (Automatic_converter_rff_to_mp4.exe) wrote to memory of PID 536 (WormLocker2.0.exe)
  PID 928 (Automatic_converter_rff_to_mp4.exe) wrote to memory of PID 536 (WormLocker2.0.exe)
  PID 536 (WormLocker2.0.exe) wrote to memory of PID 612 (WScript.exe)
  PID 536 (WormLocker2.0.exe) wrote to memory of PID 612 (WScript.exe)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32 /grant "Admin:F"
            - Possible privilege escalation attempt
            - Modifies file permissions

    [2] C:\Windows\System32\WormLocker2.0.exe
        Command line: "C:\Windows\System32\WormLocker2.0.exe"
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\ransom_voice.vbs"

[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x4a0 0x3fc
    - Suspicious use of AdjustPrivilegeToken
Network
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_6835D4BB44574040A0AB5177E8458061.dat
  Filesize: 940B
  MD5: 00a7e2bc2429a29d0b395c5241f23773
  SHA1: 92c4b0571e13bde0669bd955626414a21e264d53
  SHA256: 6cf5d282a4ca62e0bcf0737e66de9a039643defcbd8470faed5cf3879c182f07
  SHA512: 1e8e88a318c5590cfaf4cc585fd12e7c65463a2ab2356f6249581128a46cec74e0387a2569980993631c4ce22bb61d2d3709751e276f829a2b54fbceea70eff4

C:\Windows\System32\WormLocker2.0.exe
  Filesize: 116KB
  MD5: 041aa5e99ae545dac5f9306bb20d869e
  SHA1: 88ea126645bfd418abba44cca4a16adf12084d2f
  SHA256: 830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73
  SHA512: 4b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c

C:\Windows\System32\ransom_voice.vbs
  Filesize: 397B
  MD5: c1f9613622f740c2f00c2fa8881ba7ba
  SHA1: bf3271720634bebb3c41ef2b33af525b62f931bc
  SHA256: d200a1e942b8cfdcd8190d1ad59f92e27e39b919ba230f2dd88d70c3df428c7b
  SHA512: 49e00bb3c76f7e69818a889f045f3d3c43badf2116facccbbf69c61de19f91a42aee891b9a5b72a256453e2fc5c637adac1e354cf88e6782679afa886ad1c615

memory/536-21-0x0000000000960000-0x0000000000982000-memory.dmp
  Filesize: 136KB

memory/536-22-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
  Filesize: 10.8MB

memory/536-97-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
  Filesize: 10.8MB

memory/928-0-0x00007FFC0ADF3000-0x00007FFC0ADF5000-memory.dmp
  Filesize: 8KB

memory/928-1-0x0000000000250000-0x00000000002A6000-memory.dmp
  Filesize: 344KB

memory/928-2-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
  Filesize: 10.8MB

memory/928-23-0x00007FFC0ADF0000-0x00007FFC0B8B1000-memory.dmp
  Filesize: 10.8MB