Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 06:03
Static task
- static1
Behavioral tasks
- behavioral1: Sample FastAimX64.exe; Resource win7-20240611-en
- behavioral2: Sample FastAimX64.exe; Resource win10v2004-20240226-en
- behavioral3: Sample Automatic_converter_rff_to_mp4.exe; Resource win7-20240611-en
- behavioral4: Sample Automatic_converter_rff_to_mp4.exe; Resource win10v2004-20240508-en
- behavioral5: Sample install.bat; Resource win7-20240508-en
- behavioral6: Sample install.bat; Resource win10v2004-20240611-en
- behavioral7: Sample install_python.bat; Resource win7-20240220-en
- behavioral8: Sample install_python.bat; Resource win10v2004-20240508-en
General
- Target: Automatic_converter_rff_to_mp4.exe
- Size: 322KB
- MD5: 1b4f89bdb12a349de92ca7f1261e67a0
- SHA1: f368916850332757d7ed2f0ee335c16b9c9fc95b
- SHA256: d4c83205cf6f3098ab6a757312525f4d14a57a819306eeea5c0d022b00b38cf3
- SHA512: f2f7985fbf462bc35e099b58308ddef91320d3d81040f77e7c1c0a3cfc3a4da50c849efd0f063c839848a80927398cc24bc8368d5b0b92014abe2ea7bdc2ddeb
- SSDEEP: 6144:iibVlHNEHBpDDf2vfQ21NV0zUiCqWjH6YPON9q:igtCpPfGfZSWPf
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: WormLocker2.0.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | WormLocker2.0.exe
- Disables Task Manager via registry modification
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  2304 | takeown.exe
  4228 | icacls.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Automatic_converter_rff_to_mp4.exe, WormLocker2.0.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | Automatic_converter_rff_to_mp4.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | WormLocker2.0.exe
- Executes dropped EXE (1 IoC)
  Processes: WormLocker2.0.exe
  pid | process
  1540 | WormLocker2.0.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  2304 | takeown.exe
  4228 | icacls.exe
- Drops file in System32 directory (6 IoCs)
  Processes: Automatic_converter_rff_to_mp4.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\WormLocker2.0.exe | Automatic_converter_rff_to_mp4.exe
  File created | C:\Windows\System32\LogonUItrue.exe | Automatic_converter_rff_to_mp4.exe
  File opened for modification | C:\Windows\System32\LogonUItrue.exe | Automatic_converter_rff_to_mp4.exe
  File created | C:\Windows\System32\LogonUI.exe | Automatic_converter_rff_to_mp4.exe
  File opened for modification | C:\Windows\System32\LogonUIinf.exe | Automatic_converter_rff_to_mp4.exe
  File opened for modification | C:\Windows\System32\ransom_voice.vbs | Automatic_converter_rff_to_mp4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes: WormLocker2.0.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | WormLocker2.0.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: WormLocker2.0.exe
  pid | process
  1540 | WormLocker2.0.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: takeown.exe, WormLocker2.0.exe, AUDIODG.EXE
  description | pid | process
  Token: SeTakeOwnershipPrivilege | 2304 | takeown.exe
  Token: SeDebugPrivilege | 1540 | WormLocker2.0.exe
  Token: 33 | 1188 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1188 | AUDIODG.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: Automatic_converter_rff_to_mp4.exe, cmd.exe, WormLocker2.0.exe
  description | pid | process | target process
  PID 4528 wrote to memory of 2720 | 4528 | Automatic_converter_rff_to_mp4.exe | cmd.exe
  PID 4528 wrote to memory of 2720 | 4528 | Automatic_converter_rff_to_mp4.exe | cmd.exe
  PID 2720 wrote to memory of 2304 | 2720 | cmd.exe | takeown.exe
  PID 2720 wrote to memory of 2304 | 2720 | cmd.exe | takeown.exe
  PID 2720 wrote to memory of 4228 | 2720 | cmd.exe | icacls.exe
  PID 2720 wrote to memory of 4228 | 2720 | cmd.exe | icacls.exe
  PID 4528 wrote to memory of 1540 | 4528 | Automatic_converter_rff_to_mp4.exe | WormLocker2.0.exe
  PID 4528 wrote to memory of 1540 | 4528 | Automatic_converter_rff_to_mp4.exe | WormLocker2.0.exe
  PID 1540 wrote to memory of 4484 | 1540 | WormLocker2.0.exe | WScript.exe
  PID 1540 wrote to memory of 4484 | 1540 | WormLocker2.0.exe | WScript.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Automatic_converter_rff_to_mp4.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32 /grant "Admin:F"
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\System32\WormLocker2.0.exe
    Command line: "C:\Windows\System32\WormLocker2.0.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\System32\ransom_voice.vbs"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3f0 0x528
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_05C46ECA458C43CF9D8A3985DAC7D582.dat
  Filesize: 940B
  MD5: 47aa12ad798f1d8ceaa6a6aa5cfeae50
  SHA1: 2294b41df32dd91bab588d11318a461a6097f742
  SHA256: d1d7f95546fac981ad0c4b3c54d6d6a333eedeb2b036941f2506f521bbfa1fd6
  SHA512: 6d14bea39a164b98f723d792e2ad63b8d9faea25bcfe112708ef8a064f3765687f5c9cb8281d62132cda09613e6f7b0f00e7887a01d83eb6975a24ea187a01da
- C:\Windows\System32\WormLocker2.0.exe
  Filesize: 116KB
  MD5: 041aa5e99ae545dac5f9306bb20d869e
  SHA1: 88ea126645bfd418abba44cca4a16adf12084d2f
  SHA256: 830c271c8aca775457a090a51c93ad08f9665361eeeaa3fda3f9ae032202ad73
  SHA512: 4b8007dddd519c77bb596f6d17f270da62b236894b6fd7f1c528e553b1aac3a7f9c0df4bb40b678461f70bde3c5a8ac4b5e97e5372dd127a8184862c7f6f4c7c
- C:\Windows\System32\ransom_voice.vbs
  Filesize: 397B
  MD5: c1f9613622f740c2f00c2fa8881ba7ba
  SHA1: bf3271720634bebb3c41ef2b33af525b62f931bc
  SHA256: d200a1e942b8cfdcd8190d1ad59f92e27e39b919ba230f2dd88d70c3df428c7b
  SHA512: 49e00bb3c76f7e69818a889f045f3d3c43badf2116facccbbf69c61de19f91a42aee891b9a5b72a256453e2fc5c637adac1e354cf88e6782679afa886ad1c615
- memory/1540-21-0x0000000000890000-0x00000000008B2000-memory.dmp
  Filesize: 136KB
- memory/1540-23-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp
  Filesize: 10.8MB
- memory/1540-100-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp
  Filesize: 10.8MB
- memory/4528-1-0x0000000000AC0000-0x0000000000B16000-memory.dmp
  Filesize: 344KB
- memory/4528-0-0x00007FFCBF2A3000-0x00007FFCBF2A5000-memory.dmp
  Filesize: 8KB
- memory/4528-2-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp
  Filesize: 10.8MB
- memory/4528-22-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp
  Filesize: 10.8MB