Overview

overview

10

Static

static

6

194270766c...f6.exe

windows7_x64

10

194270766c...f6.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    04-07-2020 15:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe

  • Size

    2.0MB

  • MD5

    13ee6ed04ada2524eabdf26bcc4849fe

  • SHA1

    ea5aa317603aea0a39972f521792edc62d941fbc

  • SHA256

    194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6

  • SHA512

    8fd889ffc305e39702c7f2c2b798dfc5c0ea29ce9c39268321ad2917e8a90ee373862bff12bb6613f4ba3a2becc9236534f53a7aba85c248363aa419dc902920

Score
10/10
ransomwarepersistence

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME_Heyyyyyyy.txt

Ransom Note
All your files have been encrypted! All your documents (databases, texts, images, videos, musics etc.) were encrypted. The encryption was done using a secret keythat is now on our servers. To decrypt your files you will need to buy the secret key from us. We are the only on the world who can provide this for you. What can I do? Pay the ransom, in bitcoins, in the amount and wallet below. You can use www.coindirect.com/de - coinbase.com - coinmama.com - LocalBitcoins.com to buy bitcoins. 0,036 Bitcoin = 300 EURO Send BTC Address = 1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX
Wallets

1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX

Signatures

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
    "C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
      C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Users\Admin\AppData\Local\Temp\xX.exe
        "C:\Users\Admin\AppData\Local\Temp\xX.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Sets desktop wallpaper using registry
        • Suspicious use of WriteProcessMemory
        PID:648
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C timeout 2 && Del /Q /F C:\Users\Admin\AppData\Local\Temp\xX.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4024
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:3884
      • C:\Users\Admin\AppData\Local\Temp\xc.exe
        "C:\Users\Admin\AppData\Local\Temp\xc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Adds Run entry to start application
        • Modifies Internet Explorer settings
        PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xX.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xX.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xc.exe
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xc.exe
    Download Submit
  • memory/648-5-0x0000000000000000-mapping.dmp
    Download
  • memory/752-7-0x0000000000000000-mapping.dmp
    Download
  • memory/3884-12-0x0000000000000000-mapping.dmp
    Download
  • memory/3908-2-0x0000000000000000-mapping.dmp
    Download
  • memory/4024-11-0x0000000000000000-mapping.dmp
    Download