MALICIOUS Threat Names: Win32.Worm.Brontok.AM

DYNAMIC ANALYSIS REPORT #2195013

Classifications: MALICIOUS
Threat Names: Win32.Worm.Brontok.AM
Verdict Reason: -
Sample Type: Windows Exe (x86-32)
File Name: _default17292.pif.exe
ID: #875538
MD5: db947f234febeae1c1c91e971a680eb4
SHA1: 1b19ede284dd2ed36e44cdfbac9dda2d0573ca70
SHA256: b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982
File Size: 97.66 KB
Report Created: 2021-08-24 00:36 (UTC+2)
Target Environment: win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 20

OVERVIEW

VMRay Threat Identifiers (10 rules, 55 matches)

Score 4/5 | Category: System Modification | Operation: Disables a crucial system tool | Count: 1 | Classification: -
• (Process #1) _default17292.pif.exe disables the Registry Editor via registry.

Score 4/5 | Category: Antivirus | Operation: Malicious content was detected by heuristic scan | Count: 5 | Classification: -
• Built-in AV detected the sample itself as "Win32.Worm.Brontok.AM".
• Built-in AV detected the dropped file C:\Windows\system32\n10767\winlogon.exe as "Win32.Worm.Brontok.AM".
• Built-in AV detected a memory dump of (process #1) _default17292.pif.exe as "Win32.Worm.Brontok.AM".
• Built-in AV detected a memory dump of (process #3) smss.exe as "Win32.Worm.Brontok.AM".
• Built-in AV detected a memory dump of (process #5) winlogon.exe as "Win32.Worm.Brontok.AM".

Score 1/5 | Category: System Modification | Operation: Modifies operating system directory | Count: 23 | Classification: -
• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\j6199922.exe" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\o4199927.exe" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\_default19992.pif" in the OS directory.
• (Process #1) _default17292.pif.exe creates file "C:\Windows\system32\msvbvm60.dll.857" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\j6199922.exe" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\o4199927.exe" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\_default19992.pif" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\msvbvm60.dll.871" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\sv712709030r.exemsatr.bin" in the OS directory.
• (Process #3) smss.exe creates file "C:\Windows\system32\n10767\winlogon.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\system32\n10767\smss.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\j6199922.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\system32\c_19992k.com" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\system32\n10767\sv712709030r.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\o4199927.exe" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\_default19992.pif" in the OS directory.
• (Process #5) winlogon.exe creates file "C:\Windows\system32\msvbvm60.dll.874" in the OS directory.

Score 1/5 | Category: Persistence | Operation: Installs system startup script or application | Count: 18 | Classification: -
• (Process #1) _default17292.pif.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.
• (Process #1) _default17292.pif.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.
• (Process #3) smss.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.
• (Process #3) smss.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.
• (Process #3) smss.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.
• (Process #3) smss.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.
• (Process #3) smss.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.
• (Process #3) smss.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.
• (Process #5) winlogon.exe adds ""C:\Windows\system32\n10767\sv712709030r.exe"" to Windows startup via registry.
• (Process #5) winlogon.exe adds ""C:\Users\RDhJ0CNFevzX\AppData\Local\dv6270900x\yesbron.com"" to Windows startup via registry.
• (Process #5) winlogon.exe adds ""C:\Windows\j6199922.exe"" to Windows startup via registry.
• (Process #5) winlogon.exe adds "Explorer.exe "C:\Windows\o4199927.exe"" to Windows startup via registry.
• (Process #5) winlogon.exe adds ""C:\Windows\_default19992.pif"" to Windows startup via registry.
• (Process #5) winlogon.exe adds "C:\Windows\system32\userinit.exe,C:\Windows\j6199922.exe" to Windows startup via registry.

Score 1/5 | Category: Hide Tracks | Operation: Creates process with hidden window | Count: 2 | Classification: -
• (Process #1) _default17292.pif.exe starts (process #3) smss.exe with a hidden window.
• (Process #3) smss.exe starts (process #5) winlogon.exe with a hidden window.

Score 1/5 | Category: Discovery | Operation: Enumerates running processes | Count: 1 | Classification: -
• (Process #5) winlogon.exe enumerates running processes.

Score 1/5 | Category: Privilege Escalation | Operation: Enables process privilege | Count: 1 | Classification: -
• (Process #5) winlogon.exe enables process privilege "SeDebugPrivilege".

Score 1/5 | Category: Execution | Operation: Executes itself | Count: 2 | Classification: -
• (Process #1) _default17292.pif.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe.
• (Process #3) smss.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe.

Score 1/5 | Category: Execution | Operation: Drops PE file | Count: 1 | Classification: -
• (Process #3) smss.exe drops file "C:\Windows\system32\n10767\winlogon.exe".

Score 1/5 | Category: Execution | Operation: Executes dropped PE file | Count: 1 | Classification: -
• Executes dropped file "C:\Windows\system32\n10767\winlogon.exe".

Mitre ATT&CK Matrix

Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Only the populated columns are listed below.
• Persistence: #T1060 Registry Run Keys / Startup Folder
• Defense Evasion: #T1112 Modify Registry; #T1143 Hidden Window
• Discovery: #T1057 Process Discovery

Sample Information

ID: #875538
MD5: db947f234febeae1c1c91e971a680eb4
SHA1: 1b19ede284dd2ed36e44cdfbac9dda2d0573ca70
SHA256: b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af5c982
SSDeep: 1536:5vXMoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11QrtpvvMoOM:RXxOMUMPsgQvTMY+PhGGR/11QrnvxOM
ImpHash: 1af1161d37f455fda94db97751b0224e
File Name: _default17292.pif.exe
File Size: 97.66 KB
Sample Type: Windows Exe (x86-32)
Has Macros

Analysis Information

Creation Time: 2021-08-24 00:36 (UTC+2)
Analysis Duration: 00:04:00
Termination Reason: Timeout
Number of Monitored Processes: 3
Execution Successful: False
Reputation: Enabled
WHOIS: Enabled
Built-in AV: Enabled
Built-in AV Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches: 8
YARA: Enabled
YARA Applied On: Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches: 0

Screenshots truncated

NETWORK

General
• 0 bytes total sent
• 0 bytes total received
• 0 ports
• 0 contacted IP addresses
• 0 URLs extracted
• 0 files downloaded
• 0 malicious hosts detected

DNS
• 0 DNS requests for 0 domains
• 0 nameservers contacted
• 0 total requests returned errors

HTTP/S
• 0 URLs contacted, 0 servers
• 0 sessions, 0 bytes sent, 0 bytes received

BEHAVIOR

Process Graph
• Sample Start: #1 _default17292.pif.exe
• Child Process: #3 smss.exe
• Child Process: #5 winlogon.exe

Process #1: _default17292.pif.exe

ID: 1
File Name: c:\users\rdhj0cnfevzx\desktop\_default17292.pif.exe
Command Line: "C:\Users\RDhJ0CNFevzX\Desktop\_default17292.pif.exe"
Initial Working Directory: C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time: Start Time: 57752, Reason: Analysis Target
Unmonitor End Time: End Time: 108474, Reason: Terminated
Monitor duration: 50.72s
Return Code: 0
PID: 5064
Parent PID: 1652
Bitness: 32 Bit

Dropped Files (3)
File Name | File Size | SHA256 | YARA Match
b4a0a125cb13358e2319648ddc51d1e88b18766a12abaf50e6e3723a8af
