Analysis
  max time kernel: 150s
  max time network: 126s
  platform: windows7_x64
  resource: win7-20240611-en
  resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted: 01-07-2024 06:03
Static task
  static1
Behavioral tasks (task: sample, resource)
  behavioral1: FastAimX64.exe, win7-20240611-en
  behavioral2: FastAimX64.exe, win10v2004-20240226-en
  behavioral3: Automatic_converter_rff_to_mp4.exe, win7-20240611-en
  behavioral4: Automatic_converter_rff_to_mp4.exe, win10v2004-20240508-en
  behavioral5: install.bat, win7-20240508-en
  behavioral6: install.bat, win10v2004-20240611-en
  behavioral7: install_python.bat, win7-20240220-en
  behavioral8: install_python.bat, win10v2004-20240508-en
General
  Target: Automatic_converter_rff_to_mp4.exe
  Size: 322KB
  MD5: 1b4f89bdb12a349de92ca7f1261e67a0
  SHA1: f368916850332757d7ed2f0ee335c16b9c9fc95b
  SHA256: d4c83205cf6f3098ab6a757312525f4d14a57a819306eeea5c0d022b00b38cf3
  SHA512: f2f7985fbf462bc35e099b58308ddef91320d3d81040f77e7c1c0a3cfc3a4da50c849efd0f063c839848a80927398cc24bc8368d5b0b92014abe2ea7bdc2ddeb
  SSDEEP: 6144:iibVlHNEHBpDDf2vfQ21NV0zUiCqWjH6YPON9q:igtCpPfGfZSWPf
Malware Config
Signatures
  Modifies WinLogon for persistence (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"
    process: WormLocker2.0.exe
  Disables Task Manager via registry modification
  Possible privilege escalation attempt (2 IoCs)
    pid 2640  takeown.exe
    pid 2712  icacls.exe
  Executes dropped EXE (1 IoC)
    pid 2612  WormLocker2.0.exe
  Modifies file permissions (1 TTP, 2 IoCs)
    pid 2640  takeown.exe
    pid 2712  icacls.exe
  Drops file in System32 directory (6 IoCs; process: Automatic_converter_rff_to_mp4.exe)
    File opened for modification  C:\Windows\System32\LogonUItrue.exe
    File created                  C:\Windows\System32\LogonUI.exe
    File opened for modification  C:\Windows\System32\LogonUIinf.exe
    File opened for modification  C:\Windows\System32\ransom_voice.vbs
    File opened for modification  C:\Windows\System32\WormLocker2.0.exe
    File created                  C:\Windows\System32\LogonUItrue.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid 2612  WormLocker2.0.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeTakeOwnershipPrivilege  pid 2640  takeown.exe
    Token: SeDebugPrivilege          pid 2612  WormLocker2.0.exe
  Suspicious use of WriteProcessMemory (15 IoCs; each row is recorded 3 times)
    PID 2576 wrote to memory of 832   Automatic_converter_rff_to_mp4.exe -> cmd.exe
    PID 832 wrote to memory of 2640   cmd.exe -> takeown.exe
    PID 832 wrote to memory of 2712   cmd.exe -> icacls.exe
    PID 2576 wrote to memory of 2612  Automatic_converter_rff_to_mp4.exe -> WormLocker2.0.exe
    PID 2612 wrote to memory of 364   WormLocker2.0.exe -> WScript.exe
Processes (tree; indentation shows parent/child)
  C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\takeown.exe
        command line: takeown /f C:\Windows\System32
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\icacls.exe
        command line: icacls C:\Windows\System32 /grant "Admin:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    C:\Windows\System32\WormLocker2.0.exe
      command line: "C:\Windows\System32\WormLocker2.0.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\ransom_voice.vbs"
  C:\Windows\SysWOW64\DllHost.exe
    command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  C:\Windows\System32\WormLocker2.0.exe
    Filesize: 116KB
    MD5: 041aa5e99ae545dac5f9306bb20d869e
    SHA1: 88ea126645bfd418abba44cca4a16adf12084d2f
    SHA256: 830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73
    SHA512: 4b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c
  C:\Windows\System32\ransom_voice.vbs
    Filesize: 397B
    MD5: c1f9613622f740c2f00c2fa8881ba7ba
    SHA1: bf3271720634bebb3c41ef2b33af525b62f931bc
    SHA256: d200a1e942b8cfdcd8190d1ad59f92e27e39b919ba230f2dd88d70c3df428c7b
    SHA512: 49e00bb3c76f7e69818a889f045f3d3c43badf2116facccbbf69c61de19f91a42aee891b9a5b72a256453e2fc5c637adac1e354cf88e6782679afa886ad1c615
  memory/2576-0-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp   Filesize: 4KB
  memory/2576-1-0x0000000000270000-0x00000000002C6000-memory.dmp   Filesize: 344KB
  memory/2576-2-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp   Filesize: 9.9MB
  memory/2576-14-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp  Filesize: 9.9MB
  memory/2612-13-0x0000000001210000-0x0000000001232000-memory.dmp  Filesize: 136KB