e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30

Analysis

max time kernel
133s
max time network
72s
platform
windows10_x64
resource
win10v200430
submitted
10-07-2020 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
Size

643KB
MD5

ce9c4f5439c48aeeca3bc9f2cdfaf826
SHA1

8ec10319d7a8f3dc651d4a66d3b8297abf1f895e
SHA256

e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30
SHA512

574549c5d2554889a96fd985a806ed01db0028890c5f114af7c59eb4b59990979652b214e92fb0126fc61719144ff162465020940d87c825e37744d92e43f4da

Score

10^/10

ransomware

Malware Config

Extracted

Path

\??\Volume{44af7660-0000-0000-0000-500600000000}\odt\!!FAQ for Decryption!!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here achtung_admin@protonmail.com We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss.

Emails

achtung_admin@protonmail.com

Signatures

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe

pid	process
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe

description	pid	process	target process
PID 1300 wrote to memory of 4076	1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe	cmd.exe
PID 1300 wrote to memory of 4076	1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe	cmd.exe
PID 1300 wrote to memory of 4076	1300	e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe
"C:\Users\Admin\AppData\Local\Temp\e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
/c del C:\Users\Admin\AppData\Local\Temp\e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30.bin.exe >> NUL
2⤵
PID:4076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1300-0-0x0000000004213000-0x0000000004214000-memory.dmp

Filesize
4KB

Download
memory/1300-1-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/4076-2-0x0000000000000000-mapping.dmp

Download