e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30

Analysis

max time kernel
62s
max time network
75s
platform
windows7_x64
resource
win7
submitted
10/07/2020, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
Size

643KB
MD5

ce9c4f5439c48aeeca3bc9f2cdfaf826
SHA1

8ec10319d7a8f3dc651d4a66d3b8297abf1f895e
SHA256

e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30
SHA512

574549c5d2554889a96fd985a806ed01db0028890c5f114af7c59eb4b59990979652b214e92fb0126fc61719144ff162465020940d87c825e37744d92e43f4da

Score

10^/10

ransomware

Malware Config

Extracted

Path

\??\Volume{a2da1a04-afea-11ea-ab7e-806e6f6e6963}\Program Files\7-Zip\Lang\!!FAQ for Decryption!!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss.

Emails

[email protected]

Signatures

Deletes itself 1 IoCs

pid	Process
1428	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1428	1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe	25
PID 1088 wrote to memory of 1428	1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe	25
PID 1088 wrote to memory of 1428	1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe	25
PID 1088 wrote to memory of 1428	1088	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe	25

C:\Users\Admin\AppData\Local\Temp\e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
"C:\Users\Admin\AppData\Local\Temp\e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe >> NUL
  2⤵
  - Deletes itself
  PID:1428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-0-0x00000000041CA000-0x00000000041CB000-memory.dmp

Filesize
4KB

Download
memory/1088-1-0x00000000042B0000-0x00000000042C1000-memory.dmp

Filesize
68KB

Download