DYNAMIC ANALYSIS REPORT #2195013
Classifications: -
MALICIOUS Threat Names: Win32.Worm.Brontok.AM
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name _default17292.pif.exe
ID #875538
MD5 db947f234febeae1c1c91e971a680eb4
SHA1 1b19ede284dd2ed36e44cdfbac9dda2d0573ca70
SHA256 b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982
File Size 97.66 KB
Report Created 2021-08-24 00:36 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 20 DYNAMIC ANALYSIS REPORT #2195013
OVERVIEW
VMRay Threat Identifiers (10 rules, 55 matches)
Score Category Operation Count Classification
4/5 System Modification Disables a crucial system tool 1 -
• (Process #1) _default17292.pif.exe disables the Registry Editor via registry.
4/5 Antivirus Malicious content was detected by heuristic scan 5 -
• Built-in AV detected the sample itself as "Win32.Worm.Brontok.AM".
• Built-in AV detected the dropped file C:\Windows\system32\n10767\winlogon.exe as "Win32.Worm.Brontok.AM".
• Built-in AV detected a memory dump of (process #1) _default17292.pif.exe as "Win32.Worm.Brontok.AM".
• Built-in AV detected a memory dump of (process #3) smss.exe as "Win32.Worm.Brontok.AM".
• Built-in AV detected a memory dump of (process #5) winlogon.exe as "Win32.Worm.Brontok.AM".
1/5 System Modification Modifies operating system directory 23 -
• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\j6199922.exe" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\o4199927.exe" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\_default19992.pif" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\msvbvm60.dll.857" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\j6199922.exe" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\o4199927.exe" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\_default19992.pif" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\msvbvm60.dll.871" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\sv712709030r.exemsatr.bin" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\winlogon.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\j6199922.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\o4199927.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\_default19992.pif" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\system32\msvbvm60.dll.874" in the OS directory.
1/5 Persistence Installs system startup script or application 18 -
• (Process #1) _default17292.pif.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.
• (Process #3) smss.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.
• (Process #3) smss.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.
• (Process #3) smss.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.
• (Process #3) smss.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.
• (Process #3) smss.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.
• (Process #3) smss.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.
• (Process #5) winlogon.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.
• (Process #5) winlogon.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.
• (Process #5) winlogon.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.
• (Process #5) winlogon.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.
• (Process #5) winlogon.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.
• (Process #5) winlogon.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.
1/5 Hide Tracks Creates process with hidden window 2 -
• (Process #1) _default17292.pif.exe starts (process #3) smss.exe with a hidden window.
• (Process #3) smss.exe starts (process #5) winlogon.exe with a hidden window.
1/5 Discovery Enumerates running processes 1 -
• (Process #5) winlogon.exe enumerates running processes.
1/5 Privilege Escalation Enables process privilege 1 -
• (Process #5) winlogon.exe enables process privilege "SeDebugPrivilege".
1/5 Execution Executes itself 2 -
• (Process #1) _default17292.pif.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe.
• (Process #3) smss.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe.
1/5 Execution Drops PE file 1 -
• (Process #3) smss.exe drops file "C:\Windows\system32\n10767\winlogon.exe".
1/5 Execution Executes dropped PE file 1 -
• Executes dropped file "C:\Windows\system32\n10767\winlogon.exe".
Mitre ATT&CK Matrix
Persistence: #T1060 Registry Run Keys / Startup Folder
Defense Evasion: #T1112 Modify Registry, #T1143 Hidden Window
Discovery: #T1057 Process Discovery
No techniques matched for Initial Access, Execution, Privilege Escalation, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
Sample Information
ID #875538
MD5 db947f234febeae1c1c91e971a680eb4
SHA1 1b19ede284dd2ed36e44cdfbac9dda2d0573ca70
SHA256 b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982
SSDeep 1536:5vXMoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11QrtpvvMoOM:RXxOMUMPsgQvTMY+PhGGR/11QrnvxOM
ImpHash 1af1161d37f455fda94db97751b0224e
File Name _default17292.pif.exe
File Size 97.66 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-08-24 00:36 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 3
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 8
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
Screenshots truncated
NETWORK
General
0 bytes total sent
0 bytes total received
0 ports
0 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received
BEHAVIOR
Process Graph
Sample Start -> #1 _default17292.pif.exe -> (Child Process) #3 smss.exe -> (Child Process) #5 winlogon.exe
Process #1: _default17292.pif.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\_default17292.pif.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 57752, Reason: Analysis Target
Unmonitor End Time End Time: 108474, Reason: Terminated
Monitor duration 50.72s
Return Code 0
PID 5064
Parent PID 1652
Bitness 32 Bit
Dropped Files (3)
File Name File Size SHA256 YARA Match
C:\Windows\system32\n10767\smss.exe 97.66 KB b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982
- 0 bytes e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Windows\j6199922.exe 97.66 KB 4df268732106e38082ff5ac79d84bdc78109f37a434e31497297beae85a8be42
Host Behavior
Type Count
System 25
Window 1
User 1
Registry 131
File 39
Process 1
Process #3: smss.exe
ID 3
File Name c:\windows\syswow64\n10767\smss.exe
Command Line "C:\Windows\system32\n10767\smss.exe" ~Brontok~Log~
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 107309, Reason: Child Process
Unmonitor End Time End Time: 112509, Reason: Terminated
Monitor duration 5.20s
Return Code 0
PID 4000
Parent PID 5064
Bitness 32 Bit
Dropped Files (2)
File Name File Size SHA256 YARA Match
C:\Windows\system32\n10767\sv712709030r.exemsatr.bin 97.66 KB b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982
C:\Windows\system32\n10767\winlogon.exe 97.66 KB 4df268732106e38082ff5ac79d84bdc78109f37a434e31497297beae85a8be42
Host Behavior
Type Count
System 27
Window 1
User 1
Registry 129
File 50
Process 1
Process #5: winlogon.exe
ID 5
File Name c:\windows\syswow64\n10767\winlogon.exe
Command Line "C:\Windows\system32\n10767\winlogon.exe" ~Brontok~Is~The~Best~
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 109806, Reason: Child Process
Unmonitor End Time End Time: 122380, Reason: Terminated
Monitor duration 12.57s
Return Code 1073807364
PID 4048
Parent PID 4000
Bitness 32 Bit
Host Behavior
Type Count
System 52
Window 1
User 2
Registry 129
File 41
Module 1683
Process 2733
ARTIFACTS
File
SHA256 File Names Category File Size MIME Type Operations Verdict
b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982 C:\Windows\j6199922.exe, C:\Windows\_default19992.pif, C:\Windows\o4199927.exe, C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.ex... ...tem32\n10767\winlogon.exe, C:\Windows\system32\n10767\sv712709030r.exe, C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com Sample File 97.66 KB application/vnd.microsoft.portable-executable Delete, Create, Write, Read, Access MALICIOUS
4df268732106e38082ff5ac79d84bdc78109f37a434e31497297beae85a8be42 C:\Windows\j6199922.exe, C:\Windows\_default19992.pif, C:\Windows\system32\n10767\sv712709030r.exe, C:\Windows\o4199927.exe, C:\Us... ...Windows\system32\c_19992k.com, C:\Windows\system32\n10767\winlogon.exe, C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com Dropped File 97.66 KB application/vnd.microsoft.portable-executable Create, Write, Access, Read MALICIOUS
Filename
File Name Category Operations Verdict
C:\Windows\system32\n10767 Accessed File Create, Access CLEAN
\empty.pif Accessed File Access CLEAN
\Antivirus Startup.exe Accessed File Access CLEAN
\Romantic-Devil.R.exe Accessed File Access CLEAN
\start.pif Accessed File Access CLEAN
C:\Windows\system32\n10767\Spread.Mail.Bro Accessed File Create, Access CLEAN
C:\Windows\system32\n10767\Spread.Sent.Bro Accessed File Create, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x Accessed File Create, Access CLEAN
C:\Windows\system32\sistem.sys Accessed File Access CLEAN
C:\Windows\system32\n10767\smss.exe Dropped File, Sample File Create, Write, Access, Read CLEAN
C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe Dropped File, Sample File Access CLEAN
C:\Windows\j6199922.exe Dropped File, Sample File Create, Write, Access CLEAN
C:\Windows\system32\c_19992k.com Dropped File, Sample File Create, Write, Access CLEAN
C:\Windows\system32\n10767\sv712709030r.exe Dropped File, Sample File Create, Write, Access CLEAN
C:\Windows\o4199927.exe Dropped File, Sample File Create, Write, Access CLEAN
C:\Windows\_default19992.pif Dropped File, Sample File Create, Write, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com Dropped File, Sample File Create, Write, Access CLEAN
C:\Windows\system32\msvbvm60.dll Accessed File Access, Delete CLEAN
C:\Windows\system32\msvbvm60.dll.857 Accessed File Create, Write, Access CLEAN
C:\Windows\system32\msvbvm60.dll.871 Accessed File Create, Write, Access CLEAN
C:\Windows\system32\n10767\winlogon.exe Dropped File, Sample File Create, Write, Access CLEAN
C:\Windows\system32\n10767\sv712709030r.exemsatr.bin Sample File Create, Write, Access, Delete CLEAN
C:\Windows\system32\msvbvm60.dll.874 Accessed File Create, Write, Access CLEAN
C:\Windows\RD28038 Accessed File Create, Access CLEAN
C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\within.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\walkanother.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\socialstarinvestment.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\quicklyrise.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\only_gun.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\however_by_upon.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Portable Devices\drive_mention.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Multimedia Platform\month friend.exe Accessed File Access CLEAN
C:\Program Files\Microsoft Office 15\into give issue.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\level-large-throughout.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\type_page.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\yes-attack.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\small.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\mainwinseries.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\despite-over-central.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\3dftp.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\absolutetelnet.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\alftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Multimedia Platform\barca.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\bitkinex.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\coreftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\far.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\filezilla.exe Accessed File Access CLEAN
C:\Program Files\Common Files\flashfxp.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\fling.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\foxmailincmail.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\gmailnotifierpro.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\icq.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\leechftp.exe Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\ncftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\notepad.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\operamail.exe Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\outlook.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\pidgin.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\scriptftp.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\skype.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Multimedia Platform\smartftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\thunderbird.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\trillian.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\webdrive.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\whatsapp.exe Accessed File Access CLEAN
C:\Program Files\Common Files\winscp.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\yahoomessenger.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\active-charge.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\accupos.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\afr38.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\aldelo.exe Accessed File Access CLEAN
C:\Program Files\Windows NT\ccv_server.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Sidebar\centralcreditcard.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\creditservice.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\edcsvr.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\fpos.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\isspos.exe Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\mxslipstream.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\omnipos.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\spcwin.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\spgagentservice.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\utg2.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\region-enter.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\sontravelopen.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\information.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Accessed File Access CLEAN
C:\Windows\SysWOW64\n10767\winlogon.exe Dropped File, Sample File Access CLEAN
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools write, access winlogon.exe, smss.exe, _default17292.pif.exe MALICIOUS
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData access, read winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup access, read winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Templates access, read winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run access _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\y4434RDh write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\Hidden write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\HideFileExt write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System create, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-4434RDhc access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-4434 access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run create, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\y4434RDh write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Tok-Cirrhatus-4434RDhc access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\brl access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run access _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\N3093c write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-3093XC6M access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run create, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N3093c write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Bron-Spizaetus-3093XC6M access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell write, access winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MsPatch access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MsPatch access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LoadService access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadService access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LoadServices access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LoadServices access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CCAPPS access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CCAPPS access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ccapp access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ccapp access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OSA access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OSA access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SymRun access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SymRun access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\local service access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\local service access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Security access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Security access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkernel access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dkernel access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dkernel.exe access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\dkernel.exe access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lExplorer access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\lExplorer access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iExplorer access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\iExplorer access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DllHost access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DllHost access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Pluto access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Pluto access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysRia access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysRia access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Sys_Romantic-Devil.R access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Sys_Romantic-Devil.R access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysDiaz access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysDiaz access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysYuni access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysYuni access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adie Strio X access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adie Strio X access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adie Suka Kamu access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adie Suka Kamu access, delete winlogon.exe, smss.exe, _default17292.pif.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions access, delete winlogon.exe, smss.exe CLEAN
Process
Process Name Commandline Verdict
_default17292.pif.exe "C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe" MALICIOUS
smss.exe "C:\Windows\system32\n10767\smss.exe" ~Brontok~Log~ MALICIOUS
winlogon.exe "C:\Windows\system32\n10767\winlogon.exe" ~Brontok~Is~The~Best~ MALICIOUS
YARA / AV
Antivirus (8)
File Type Threat Name File Name Verdict
Sample File Win32.Worm.Brontok.AM C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe MALICIOUS
Dropped File Win32.Worm.Brontok.AM C:\Windows\system32\n10767\winlogon.exe MALICIOUS
Memory Dump Win32.Worm.Brontok.AM - MALICIOUS
Memory Dump Win32.Worm.Brontok.AM - MALICIOUS
Memory Dump Win32.Worm.Brontok.AM - MALICIOUS
Memory Dump Win32.Worm.Brontok.AM - MALICIOUS
Memory Dump Win32.Worm.Brontok.AM - MALICIOUS
Memory Dump Win32.Worm.Brontok.AM - MALICIOUS
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.2.2
Dynamic Engine Version 4.2.2 / 07/23/2021 03:44
Static Engine Version 4.2.2.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-08-23 19:57:04+00:00
AV Exceptions Version 4.2.2.54 / 2021-07-23 03:00:10
VTI Ruleset Version 4.2.2.38 / 2021-08-23 11:23:52
YARA Built-in Ruleset Version 4.2.2.35
Link Detonation Heuristics Version -
Signature Trust Store Version 4.2.2.54 / 2021-07-23 03:00:10
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed