DYNAMIC ANALYSIS REPORT #2195013

Classifications: -

MALICIOUS Threat Names: Win32.Worm.Brontok.AM

Verdict Reason: -

Sample Type Windows Exe (x86-32)

File Name _default17292.pif.exe

ID #875538

MD5 db947f234febeae1c1c91e971a680eb4

SHA1 1b19ede284dd2ed36e44cdfbac9dda2d0573ca70

SHA256 b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982

File Size 97.66 KB

Report Created 2021-08-24 00:36 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 20 DYNAMIC ANALYSIS REPORT #2195013

OVERVIEW

VMRay Threat Identifiers (10 rules, 55 matches)

Score Category Operation Count Classification

4/5 System Modification Disables a crucial system tool 1 -

• (Process #1) _default17292.pif.exe disables the Registry Editor via registry.

4/5 Antivirus Malicious content was detected by heuristic scan 5 -

• Built-in AV detected the sample itself as "Win32.Worm.Brontok.AM".

• Built-in AV detected the dropped file C:\Windows\system32\n10767\winlogon.exe as "Win32.Worm.Brontok.AM".

• Built-in AV detected a memory dump of (process #1) _default17292.pif.exe as "Win32.Worm.Brontok.AM".

• Built-in AV detected a memory dump of (process #3) smss.exe as "Win32.Worm.Brontok.AM".

• Built-in AV detected a memory dump of (process #5) winlogon.exe as "Win32.Worm.Brontok.AM".

1/5 System Modification Modifies directory 23 -

• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.

• (Process #1) _default17292.pif.exe creates file "C:\Windows\j6199922.exe" in the OS directory.

• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.

• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.

• (Process #1) _default17292.pif.exe creates file "C:\Windows\o4199927.exe" in the OS directory.

• (Process #1) _default17292.pif.exe creates file "C:\Windows\_default19992.pif" in the OS directory.

• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\msvbvm60.dll.857" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\j6199922.exe" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\o4199927.exe" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\_default19992.pif" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\system32\msvbvm60.dll.871" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\sv712709030r.exemsatr.bin" in the OS directory.

• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\winlogon.exe" in the OS directory.

• (Process #5) winlogon.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.

• (Process #5) winlogon.exe creates file "C:\Windows\j6199922.exe" in the OS directory.

• (Process #5) winlogon.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.

• (Process #5) winlogon.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.

• (Process #5) winlogon.exe creates file "C:\Windows\o4199927.exe" in the OS directory.

• (Process #5) winlogon.exe creates file "C:\Windows\_default19992.pif" in the OS directory.

• (Process #5) winlogon.exe creates file "C:\Windows\system32\msvbvm60.dll.874" in the OS directory.

1/5 Persistence Installs system startup script or application 18 -


• (Process #1) _default17292.pif.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.

• (Process #1) _default17292.pif.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.

• (Process #1) _default17292.pif.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.

• (Process #1) _default17292.pif.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.

• (Process #1) _default17292.pif.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.

• (Process #1) _default17292.pif.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.

• (Process #3) smss.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.

• (Process #3) smss.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.

• (Process #3) smss.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.

• (Process #3) smss.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.

• (Process #3) smss.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.

• (Process #3) smss.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.

• (Process #5) winlogon.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.

• (Process #5) winlogon.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.

• (Process #5) winlogon.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.

• (Process #5) winlogon.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.

• (Process #5) winlogon.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.

• (Process #5) winlogon.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.

1/5 Hide Tracks Creates process with hidden window 2 -

• (Process #1) _default17292.pif.exe starts (process #3) smss.exe with a hidden window.

• (Process #3) smss.exe starts (process #5) winlogon.exe with a hidden window.

1/5 Discovery Enumerates running processes 1 -

• (Process #5) winlogon.exe enumerates running processes.

1/5 Privilege Escalation Enables process privilege 1 -

• (Process #5) winlogon.exe enables process privilege "SeDebugPrivilege".

1/5 Execution Executes itself 2 -

• (Process #1) _default17292.pif.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe.

• (Process #3) smss.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe.

1/5 Execution Drops PE file 1 -

• (Process #3) smss.exe drops file "C:\Windows\system32\n10767\winlogon.exe".

1/5 Execution Executes dropped PE file 1 -

• Executes dropped file "C:\Windows\system32\n10767\winlogon.exe".


Mitre ATT&CK Matrix

Tactic Technique

Persistence #T1060 Registry Run Keys / Startup Folder

Defense Evasion #T1112 Modify Registry, #T1143 Hidden Window

Discovery #T1057 Process Discovery


Sample Information

ID #875538

MD5 db947f234febeae1c1c91e971a680eb4

SHA1 1b19ede284dd2ed36e44cdfbac9dda2d0573ca70

SHA256 b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982

SSDeep 1536:5vXMoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11QrtpvvMoOM:RXxOMUMPsgQvTMY+PhGGR/11QrnvxOM

ImpHash 1af1161d37f455fda94db97751b0224e

File Name _default17292.pif.exe

File Size 97.66 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-08-24 00:36 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 3

Execution Successful False

Reputation Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 8

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 0


Screenshots truncated


NETWORK

General

0 bytes total sent

0 bytes total received

0 ports

0 contacted IP addresses

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

0 DNS requests for 0 domains

0 nameservers contacted

0 total requests returned errors

HTTP/S

0 URLs contacted, 0 servers

0 sessions, 0 bytes sent, 0 bytes received


BEHAVIOR

Process Graph

Sample Start -> #1 _default17292.pif.exe -> Child Process -> #3 smss.exe -> Child Process -> #5 winlogon.exe


Process #1: _default17292.pif.exe

ID 1

File Name c:\users\rdhj0cnfevzx\desktop\_default17292.pif.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 57752, Reason: Analysis Target

Unmonitor End Time End Time: 108474, Reason: Terminated

Monitor duration 50.72s

Return Code 0

PID 5064

Parent PID 1652

Bitness 32 Bit

Dropped Files (3)

File Name File Size SHA256 YARA Match

C:\Windows\system32\n10767\smss.exe 97.66 KB b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982 -

- 0 bytes e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 -

C:\Windows\j6199922.exe 97.66 KB 4df268732106e38082ff5ac79d84bdc78109f37a434e31497297beae85a8be42 -

Host Behavior

Type Count

System 25

Window 1

User 1

Registry 131

File 39

Process 1


Process #3: smss.exe

ID 3

File Name c:\windows\syswow64\n10767\smss.exe

Command Line "C:\Windows\system32\n10767\smss.exe" ~Brontok~Log~

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 107309, Reason: Child Process

Unmonitor End Time End Time: 112509, Reason: Terminated

Monitor duration 5.20s

Return Code 0

PID 4000

Parent PID 5064

Bitness 32 Bit

Dropped Files (2)

File Name File Size SHA256 YARA Match

C:\Windows\system32\n10767\sv712709030r.exemsatr.bin 97.66 KB b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982 -

C:\Windows\system32\n10767\winlogon.exe 97.66 KB 4df268732106e38082ff5ac79d84bdc78109f37a434e31497297beae85a8be42 -

Host Behavior

Type Count

System 27

Window 1

User 1

Registry 129

File 50

Process 1


Process #5: winlogon.exe

ID 5

File Name c:\windows\syswow64\n10767\winlogon.exe

Command Line "C:\Windows\system32\n10767\winlogon.exe" ~Brontok~Is~The~Best~

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 109806, Reason: Child Process

Unmonitor End Time End Time: 122380, Reason: Terminated

Monitor duration 12.57s

Return Code 1073807364

PID 4048

Parent PID 4000

Bitness 32 Bit

Host Behavior

Type Count

System 52

Window 1

User 2

Registry 129

File 41

Module 1683

Process 2733


ARTIFACTS

File

SHA256 File Names Category File Size MIME Type Operations Verdict

b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982 C:\Windows\j6199922.exe, C:\Windows\_default19992.pif, C:\Windows\o4199927.exe, C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.ex... ...tem32\n10767\winlogon.exe, C:\Windows\system32\n10767\sv712709030r.exe, C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com Sample File 97.66 KB application/vnd.microsoft.portable-executable Delete, Create, Write, Read, Access MALICIOUS

4df268732106e38082ff5ac79d84bdc78109f37a434e31497297beae85a8be42 C:\Windows\j6199922.exe, C:\Windows\_default19992.pif, C:\Windows\system32\n10767\sv712709030r.exe, C:\Windows\o4199927.exe, C:\Us... ...Windows\system32\c_19992k.com, C:\Windows\system32\n10767\winlogon.exe, C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com Dropped File 97.66 KB application/vnd.microsoft.portable-executable Create, Write, Access, Read MALICIOUS

Filename

File Name Category Operations Verdict

C:\Windows\system32\n10767 Accessed File Create, Access CLEAN

\empty.pif Accessed File Access CLEAN

\Antivirus Startup.exe Accessed File Access CLEAN

\Romantic-Devil.R.exe Accessed File Access CLEAN

\start.pif Accessed File Access CLEAN

C:\Windows\system32\n10767\Spread..Bro Accessed File Create, Access CLEAN

C:\Windows\system32\n10767\Spread.Sent.Bro Accessed File Create, Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x Accessed File Create, Access CLEAN

C:\Windows\system32\sistem.sys Accessed File Access CLEAN

C:\Windows\system32\n10767\smss.exe Dropped File, Sample File Create, Write, Access, Read CLEAN

C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe Dropped File, Sample File Access CLEAN

C:\Windows\j6199922.exe Dropped File, Sample File Create, Write, Access CLEAN

C:\Windows\system32\c_19992k.com Dropped File, Sample File Create, Write, Access CLEAN

C:\Windows\system32\n10767\sv712709030r.exe Dropped File, Sample File Create, Write, Access CLEAN

C:\Windows\o4199927.exe Dropped File, Sample File Create, Write, Access CLEAN

C:\Windows\_default19992.pif Dropped File, Sample File Create, Write, Access CLEAN

C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com Dropped File, Sample File Create, Write, Access CLEAN

C:\Windows\system32\msvbvm60.dll Accessed File Access, Delete CLEAN

C:\Windows\system32\msvbvm60.dll.857 Accessed File Create, Write, Access CLEAN

C:\Windows\system32\msvbvm60.dll.871 Accessed File Create, Write, Access CLEAN

C:\Windows\system32\n10767\winlogon.exe Dropped File, Sample File Create, Write, Access CLEAN

C:\Windows\system32\n10767\sv712709030r.exemsatr.bin Sample File Create, Write, Access, Delete CLEAN

C:\Windows\system32\msvbvm60.dll.874 Accessed File Create, Write, Access CLEAN

C:\Windows\RD28038 Accessed File Create, Access CLEAN

C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe Accessed File Access CLEAN

C:\Program Files (x86)\Common Files\within.exe Accessed File Access CLEAN

C:\Program Files (x86)\MSBuild\walkanother.exe Accessed File Access CLEAN

C:\Program Files\Windows Multimedia Platform\socialstarinvestment.exe Accessed File Access CLEAN

C:\Program Files (x86)\\quicklyrise.exe Accessed File Access CLEAN

C:\Program Files\Uninstall Information\only_gun.exe Accessed File Access CLEAN

C:\Program Files (x86)\\however_by_upon.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Portable Devices\drive_mention.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Multimedia Platform\month friend.exe Accessed File Access CLEAN

C:\Program Files\Microsoft Office 15\into give issue.exe Accessed File Access CLEAN

C:\Program Files\Reference Assemblies\level-large-throughout.exe Accessed File Access CLEAN

C:\Program Files\\type_page.exe Accessed File Access CLEAN

C:\Program Files\Internet Explorer\yes-attack.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Media Player\small.exe Accessed File Access CLEAN

C:\Program Files\Windows Multimedia Platform\mainwinseries.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\despite-over-central.exe Accessed File Access CLEAN

C:\Program Files\Windows Portable Devices\3dftp.exe Accessed File Access CLEAN

C:\Program Files\Windows Photo Viewer\absolutetelnet.exe Accessed File Access CLEAN

C:\Program Files\Windows Media Player\alftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Multimedia Platform\barca.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Defender\bitkinex.exe Accessed File Access CLEAN

C:\Program Files\Windows Photo Viewer\coreftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Photo Viewer\far.exe Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft Office\filezilla.exe Accessed File Access CLEAN

C:\Program Files\Common Files\flashfxp.exe Accessed File Access CLEAN

C:\Program Files\Uninstall Information\fling.exe Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft.NET\foxmailincmail.exe Accessed File Access CLEAN

C:\Program Files\Reference Assemblies\gmailnotifierpro.exe Accessed File Access CLEAN

C:\Program Files\Uninstall Information\icq.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Defender\leechftp.exe Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\ncftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\Microsoft.NET\notepad.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\operamail.exe Accessed File Access CLEAN


C:\Program Files\WindowsPowerShell\outlook.exe Accessed File Access CLEAN

C:\Program Files (x86)\Common Files\pidgin.exe Accessed File Access CLEAN

C:\Program Files\Windows Mail\scriptftp.exe Accessed File Access CLEAN

C:\Program Files\Internet Explorer\.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Multimedia Platform\smartftp.exe Accessed File Access CLEAN

C:\Program Files (x86)\MSBuild\thunderbird.exe Accessed File Access CLEAN

C:\Program Files\Windows Multimedia Platform\trillian.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows NT\webdrive.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Mail\whatsapp.exe Accessed File Access CLEAN

C:\Program Files\Common Files\winscp.exe Accessed File Access CLEAN

C:\Program Files\Windows Multimedia Platform\yahoomessenger.exe Accessed File Access CLEAN

C:\Program Files (x86)\Common Files\active-charge.exe Accessed File Access CLEAN

C:\Program Files\Internet Explorer\accupos.exe Accessed File Access CLEAN

C:\Program Files\MSBuild\afr38.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\aldelo.exe Accessed File Access CLEAN

C:\Program Files\Windows NT\ccv_server.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Sidebar\centralcreditcard.exe Accessed File Access CLEAN

C:\Program Files\Windows Media Player\creditservice.exe Accessed File Access CLEAN

C:\Program Files (x86)\MSBuild\edcsvr.exe Accessed File Access CLEAN

C:\Program Files\Uninstall Information\fpos.exe Accessed File Access CLEAN

C:\Program Files (x86)\Windows Defender\isspos.exe Accessed File Access CLEAN

C:\Program Files\WindowsPowerShell\mxslipstream.exe Accessed File Access CLEAN

C:\Program Files (x86)\Common Files\omnipos.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\spcwin.exe Accessed File Access CLEAN

C:\Program Files\Windows Mail\spgagentservice.exe Accessed File Access CLEAN

C:\Program Files (x86)\WindowsPowerShell\utg2.exe Accessed File Access CLEAN

C:\Program Files\MSBuild\region-enter.exe Accessed File Access CLEAN

C:\Program Files\Windows Multimedia Platform\sontravelopen.exe Accessed File Access CLEAN

C:\Program Files\Windows Sidebar\information.exe Accessed File Access CLEAN

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Accessed File Access CLEAN

C:\Windows\SysWOW64\n10767\winlogon.exe Dropped File, Sample File Access CLEAN

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools write, access winlogon.exe, smss.exe, _default17292.pif.exe MALICIOUS

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData access, read winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup access, read winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Templates access, read winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run access _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\y4434RDh write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\Hidden write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\HideFileExt write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System create, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-4434RDhc access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-4434 access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run create, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\y4434RDh write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Tok-Cirrhatus-4434RDhc access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\brl access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run access _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\N3093c write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-3093XC6M access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run create, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3093c write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Bron-Spizaetus-3093XC6M access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MsPatch access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MsPatch access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LoadService access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadService access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LoadServices access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadServices access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CCAPPS access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CCAPPS access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ccapp access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ccapp access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OSA access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OSA access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SymRun access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SymRun access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\local service access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\local service access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Security access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Security access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkernel access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dkernel access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkernel.exe access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dkernel.exe access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lExplorer access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\lExplorer access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iExplorer access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\iExplorer access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DllHost access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DllHost access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Pluto access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Pluto access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysRia access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysRia access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Sys_Romantic-Devil.R access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Sys_Romantic-Devil.R access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysDiaz access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysDiaz access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysYuni access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysYuni access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adie Strio X access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adie Strio X access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adie Suka Kamu access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adie Suka Kamu access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions access, delete winlogon.exe, smss.exe CLEAN

Process

Process Name Commandline Verdict

_default17292.pif.exe "C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe" MALICIOUS

smss.exe "C:\Windows\system32\n10767\smss.exe" ~Brontok~Log~ MALICIOUS

winlogon.exe "C:\Windows\system32\n10767\winlogon.exe" ~Brontok~Is~The~Best~ MALICIOUS


YARA / AV

Antivirus (8)

File Type Threat Name File Name Verdict

Sample File Win32.Worm.Brontok.AM C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe MALICIOUS

Dropped File Win32.Worm.Brontok.AM C:\Windows\system32\n10767\winlogon.exe MALICIOUS

Memory Dump Win32.Worm.Brontok.AM - MALICIOUS

Memory Dump Win32.Worm.Brontok.AM - MALICIOUS

Memory Dump Win32.Worm.Brontok.AM - MALICIOUS

Memory Dump Win32.Worm.Brontok.AM - MALICIOUS

Memory Dump Win32.Worm.Brontok.AM - MALICIOUS

Memory Dump Win32.Worm.Brontok.AM - MALICIOUS


ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.2.2

Dynamic Engine Version 4.2.2 / 07/23/2021 03:44

Static Engine Version 4.2.2.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)

Built-in AV Database Update Release Date 2021-08-23 19:57:04+00:00

AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10

VTI Ruleset Version 4.2.2.38 / 2021-08-23 11:23:52

YARA Built-in Ruleset Version 4.2.2.35

Link Detonation Heuristics Version -

Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
