Resubmissions

28/08/2020, 12:47 UTC

200828-nd915gcv5n 8

28/08/2020, 12:45 UTC

200828-q7w77zyk92 8

28/08/2020, 12:39 UTC

200828-h3kmc18276 8

Analysis

  • max time kernel
    87s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    28/08/2020, 12:47 UTC

General

  • Target

    myfile.exe

  • Size

    4.3MB

  • MD5

    0a438448cebd370318b5294775e2405c

  • SHA1

    60abd37bf94ee406653af60e5b72f1f69f646308

  • SHA256

    1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33

  • SHA512

    dc21a068d6aa3ce93a399d2b636a4dc17fd9b2f60c921eaadaef4eb0049c4ef5d1c09479c906660d0fa7bb7e688cdae54a36d9e73e35ac209e469a862c992976

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\myfile.exe
    "C:\Users\Admin\AppData\Local\Temp\myfile.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\system32\tree.com
        tree
        3⤵
        PID:1704
      • C:\Windows\system32\tree.com
        tree
        3⤵
        PID:1356
      • C:\Windows\system32\tree.com
        tree
        3⤵
        PID:1784
      • C:\Windows\system32\tree.com
        tree
        3⤵
        PID:1756
      • C:\Windows\system32\tree.com
        tree
        3⤵
        PID:1820
      • C:\Users\Admin\Desktop\HexInformation.exe
        HexInformation.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of FindShellTrayWindow
        PID:1812
      • C:\Users\Admin\Desktop\HexDecryptor.exe
        HexDecryptor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat C:\Users\Admin\Desktop\HexDecryptor.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe
            WindowsSystemTools.exe
            5⤵
            • Executes dropped EXE
            • Sets desktop wallpaper using registry
            • Modifies Control Panel
            PID:844
      • C:\Users\Admin\Desktop\HexLocker.exe
        HexLocker.exe
        3⤵
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        • Modifies Control Panel
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        PID:732
  • C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1492

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1492-150-0x0000000004C30000-0x0000000004C34000-memory.dmp
    Filesize
    16KB
  • memory/1596-148-0x000007FEF83B0000-0x000007FEF862A000-memory.dmp
    Filesize
    2.5MB
  • memory/1812-22-0x0000000074670000-0x0000000074D5E000-memory.dmp
    Filesize
    6.9MB
  • memory/1812-26-0x0000000001190000-0x0000000001191000-memory.dmp
    Filesize
    4KB
