Resubmissions
Submitted          Task ID             Score
28-08-2020 12:47   200828-nd915gcv5n   8
28-08-2020 12:45   200828-q7w77zyk92   8
28-08-2020 12:39   200828-h3kmc18276   8

Analysis
Max time kernel: 87s
Max time network: 21s
Platform: windows7_x64
Resource: win7v200722
Submitted: 28-08-2020 12:47
Static task: static1
Behavioral task: behavioral1
  Sample: myfile.exe
  Resource: win7v200722 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: myfile.exe
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: myfile.exe
Size: 4.3MB
MD5: 0a438448cebd370318b5294775e2405c
SHA1: 60abd37bf94ee406653af60e5b72f1f69f646308
SHA256: 1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33
SHA512: dc21a068d6aa3ce93a399d2b636a4dc17fd9b2f60c921eaadaef4eb0049c4ef5d1c09479c906660d0fa7bb7e688cdae54a36d9e73e35ac209e469a862c992976
Score: 8/10
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  Processes:
    PID 1812  HexInformation.exe
    PID 1800  HexDecryptor.exe
    PID 732   HexLocker.exe
    PID 844   WindowsSystemTools.exe
- Loads dropped DLL (1 IoC)
  Processes:
    PID 1040  cmd.exe
- Enumerates connected drives (3 TTPs)
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes:
    HexLocker.exe           Set value (str)  \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"
    WindowsSystemTools.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg"
- Modifies Control Panel (2 IoCs)
  Processes:
    WindowsSystemTools.exe  Key created  \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop
    HexLocker.exe           Key created  \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    PID 1492  POWERPNT.EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam (3 IoCs)
  Processes:
    PID 1812  HexInformation.exe
    PID 1800  HexDecryptor.exe
    PID 732   HexLocker.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    PID 1812  HexInformation.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 1492  POWERPNT.EXE
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (parent wrote to the memory of child; repeated events for the same pair are collapsed into a count):
    Source PID  Source process     Target PID  Target process          Events
    1332        myfile.exe         1056        cmd.exe                 4
    1056        cmd.exe            1704        tree.com                3
    1056        cmd.exe            1356        tree.com                3
    1056        cmd.exe            1784        tree.com                3
    1056        cmd.exe            1756        tree.com                3
    1056        cmd.exe            1820        tree.com                3
    1056        cmd.exe            1812        HexInformation.exe      4
    1056        cmd.exe            1800        HexDecryptor.exe        4
    1056        cmd.exe            732         HexLocker.exe           4
    1800        HexDecryptor.exe   1040        cmd.exe                 4
    1040        cmd.exe            844         WindowsSystemTools.exe  4
Processes
C:\Users\Admin\AppData\Local\Temp\myfile.exe  [level 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\myfile.exe"
  Signatures:
    - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe  [level 2]
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"
    Signatures:
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\tree.com  [level 3, five separate instances]
      Command line: tree
    C:\Users\Admin\Desktop\HexInformation.exe  [level 3]
      Command line: HexInformation.exe
      Signatures:
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of FindShellTrayWindow
    C:\Users\Admin\Desktop\HexDecryptor.exe  [level 3]
      Command line: HexDecryptor.exe
      Signatures:
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  [level 4]
        Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat C:\Users\Admin\Desktop\HexDecryptor.exe"
        Signatures:
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe  [level 5]
          Command line: WindowsSystemTools.exe
          Signatures:
            - Executes dropped EXE
            - Sets desktop wallpaper using registry
            - Modifies Control Panel
    C:\Users\Admin\Desktop\HexLocker.exe  [level 3]
      Command line: HexLocker.exe
      Signatures:
        - Executes dropped EXE
        - Sets desktop wallpaper using registry
        - Modifies Control Panel
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE  [level 1]
  Command line: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx"
  Signatures:
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\8x8x8
- C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat
- C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat
- C:\Users\Admin\AppData\Local\Temp\HexDCIF.hex
- C:\Users\Admin\AppData\Local\Temp\HexIF.hex
- C:\Users\Admin\AppData\Local\Temp\HexLK.hex
- C:\Users\Admin\AppData\Local\Temp\rd000db.dll
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftNTSystem.sys
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe
- C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx
- C:\Users\Admin\Desktop\HexDecryptor.exe
- C:\Users\Admin\Desktop\HexDecryptor.exe
- C:\Users\Admin\Desktop\HexInformation.exe
- C:\Users\Admin\Desktop\HexInformation.exe
- C:\Users\Admin\Desktop\HexLocker.exe
- C:\Users\Admin\Desktop\HexLocker.exe
- C:\Users\Admin\Desktop\Lock.CompressStep.wmf
- C:\Users\Admin\Desktop\Lock.ConvertToConvertFrom.pot
- C:\Users\Admin\Desktop\Lock.DismountSplit.odp
- C:\Users\Admin\Desktop\Lock.EnterPublish.xsl
- C:\Users\Admin\Desktop\Lock.ExitConvert.pub
- C:\Users\Admin\Desktop\Lock.GetStep.jpe
- C:\Users\Admin\Desktop\Lock.HexDecryptor.exe
- C:\Users\Admin\Desktop\Lock.HexInformation.exe
- C:\Users\Admin\Desktop\Lock.HexLocker.exe
- C:\Users\Admin\Desktop\Lock.MeasureDismount.clr
- C:\Users\Admin\Desktop\Lock.MeasureEnable.bmp
- C:\Users\Admin\Desktop\Lock.MeasureMount.php
- C:\Users\Admin\Desktop\Lock.MountPing.xps
- C:\Users\Admin\Desktop\Lock.NewSelect.mp3
- C:\Users\Admin\Desktop\Lock.PopSend.lnk
- C:\Users\Admin\Desktop\Lock.RemoveReset.wmv
- C:\Users\Admin\Desktop\Lock.RepairComplete.xml
- C:\Users\Admin\Desktop\Lock.SaveSubmit.gif
- C:\Users\Admin\Desktop\Lock.SendRestart.pptx
- C:\Users\Admin\Desktop\Lock.StartRestore.mpa
- C:\Users\Admin\Desktop\Lock.SuspendRedo.potm
- C:\Users\Admin\Desktop\Lock.SuspendSkip.wmf
- C:\Users\Admin\Desktop\Lock.UnlockPublish.ppsx
- C:\Users\Admin\Desktop\Lock.UnlockReceive.3gp
- C:\Users\Admin\Desktop\Lock.UseClear.ttf
- C:\Users\Admin\Desktop\Lock.WatchWait.bmp
- C:\Users\Admin\Desktop\Lock.desktop.ini
- C:\Users\Admin\Documents\Lock.Are.docx
- C:\Users\Admin\Documents\Lock.AssertDebug.pub
- C:\Users\Admin\Documents\Lock.CloseDebug.vsdm
- C:\Users\Admin\Documents\Lock.CompressEnter.xltx
- C:\Users\Admin\Documents\Lock.ConfirmInvoke.odt
- C:\Users\Admin\Documents\Lock.ConvertFromPing.vsw
- C:\Users\Admin\Documents\Lock.DenyResize.htm
- C:\Users\Admin\Documents\Lock.EditNew.dotx
- C:\Users\Admin\Documents\Lock.Files.docx
- C:\Users\Admin\Documents\Lock.InitializeCheckpoint.vssm
- C:\Users\Admin\Documents\Lock.LockRemove.ods
- C:\Users\Admin\Documents\Lock.Opened.docx
- C:\Users\Admin\Documents\Lock.PushGet.csv
- C:\Users\Admin\Documents\Lock.Recently.docx
- C:\Users\Admin\Documents\Lock.RedoHide.ppsm
- C:\Users\Admin\Documents\Lock.RemoveWrite.vdw
- C:\Users\Admin\Documents\Lock.ResetClose.pps
- C:\Users\Admin\Documents\Lock.ResumeStop.wps
- C:\Users\Admin\Documents\Lock.SaveLimit.xla
- C:\Users\Admin\Documents\Lock.SearchEnable.vsdx
- C:\Users\Admin\Documents\Lock.SetOpen.xlsb
- C:\Users\Admin\Documents\Lock.SetSplit.pptx
- C:\Users\Admin\Documents\Lock.SyncPush.xltx
- C:\Users\Admin\Documents\Lock.These.docx
- C:\Users\Admin\Documents\Lock.UseLimit.ppsx
- C:\Users\Admin\Documents\Lock.desktop.ini
- C:\Users\Admin\Music\Lock.CloseSelect.lock
- C:\Users\Admin\Music\Lock.DismountFind.xml
- C:\Users\Admin\Music\Lock.ExitOpen.mp3
- C:\Users\Admin\Music\Lock.RedoComplete.rtf
- C:\Users\Admin\Music\Lock.RemoveFormat.hta
- C:\Users\Admin\Music\Lock.RenameSplit.xml
- C:\Users\Admin\Music\Lock.RepairUninstall.fon
- C:\Users\Admin\Music\Lock.ResolveExit.vsx
- C:\Users\Admin\Music\Lock.RestoreClear.ex_
- C:\Users\Admin\Music\Lock.RestoreConfirm.mpe
- C:\Users\Admin\Music\Lock.ResumeOut.mp4
- C:\Users\Admin\Music\Lock.SaveSplit.mov
- C:\Users\Admin\Music\Lock.SkipApprove.3g2
- C:\Users\Admin\Music\Lock.SwitchWrite.emz
- C:\Users\Admin\Music\Lock.TestMove.mpeg2
- C:\Users\Admin\Music\Lock.UnlockShow.xht
- C:\Users\Admin\Music\Lock.UnregisterResume.jfif
- C:\Users\Admin\Music\Lock.WaitRepair.css
- C:\Users\Admin\Music\Lock.desktop.ini
- C:\Users\Admin\Pictures\Lock.AssertRegister.pcx
- C:\Users\Admin\Pictures\Lock.ConnectDebug.jpeg
- C:\Users\Admin\Pictures\Lock.DisableExpand.tiff
- C:\Users\Admin\Pictures\Lock.EditRepair.png
- C:\Users\Admin\Pictures\Lock.EditSelect.dib
- C:\Users\Admin\Pictures\Lock.EnableUnpublish.jpg
- C:\Users\Admin\Pictures\Lock.EnterResume.jpg
- C:\Users\Admin\Pictures\Lock.EnterStop.raw
- C:\Users\Admin\Pictures\Lock.ExitRestore.svgz
- C:\Users\Admin\Pictures\Lock.ExpandSplit.jpg
- C:\Users\Admin\Pictures\Lock.FormatRedo.ico
- C:\Users\Admin\Pictures\Lock.GrantOptimize.dwg
- C:\Users\Admin\Pictures\Lock.GrantRestart.dxf
- C:\Users\Admin\Pictures\Lock.GroupDismount.jpeg
- C:\Users\Admin\Pictures\Lock.GroupInstall.jpeg
- C:\Users\Admin\Pictures\Lock.HidePing.tiff
- C:\Users\Admin\Pictures\Lock.LimitInvoke.tif
- C:\Users\Admin\Pictures\Lock.LockGrant.emf
- C:\Users\Admin\Pictures\Lock.PopAdd.emz
- C:\Users\Admin\Pictures\Lock.ProtectEnter.svg
- C:\Users\Admin\Pictures\Lock.ReceiveRevoke.dxf
- C:\Users\Admin\Pictures\Lock.RemoveFind.ico
- C:\Users\Admin\Pictures\Lock.RenameHide.eps
- C:\Users\Admin\Pictures\Lock.RepairRead.emz
- C:\Users\Admin\Pictures\Lock.ResetExport.bmp
- C:\Users\Admin\Pictures\Lock.ResetRepair.raw
- C:\Users\Admin\Pictures\Lock.ShowMount.ico
- C:\Users\Admin\Pictures\Lock.ShowUnprotect.dxf
- C:\Users\Admin\Pictures\Lock.SplitWait.dib
- C:\Users\Admin\Pictures\Lock.StartClose.dxf
- C:\Users\Admin\Pictures\Lock.StepPublish.jpg
- C:\Users\Admin\Pictures\Lock.StopGroup.tiff
- C:\Users\Admin\Pictures\Lock.SubmitSkip.emf
- C:\Users\Admin\Pictures\Lock.SwitchHide.eps
- C:\Users\Admin\Pictures\Lock.UseDisconnect.wmf
- C:\Users\Admin\Pictures\Lock.Wallpaper.jpg
- C:\Users\Admin\Pictures\Lock.WatchEnter.raw
- C:\Users\Admin\Pictures\Lock.desktop.ini
- C:\Users\Admin\Videos\Lock.desktop.ini
- C:\Users\Public\Documents\Lock.desktop.ini
- C:\Users\Public\Pictures\Lock.desktop.ini
- C:\Users\Public\Videos\Lock.desktop.ini
- \Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe
- memory/732-18-0x0000000000000000-mapping.dmp
- memory/732-17-0x0000000000000000-mapping.dmp
- memory/844-30-0x0000000000000000-mapping.dmp
- memory/844-31-0x0000000000000000-mapping.dmp
- memory/1040-23-0x0000000000000000-mapping.dmp
- memory/1056-0-0x0000000000000000-mapping.dmp
- memory/1356-3-0x0000000000000000-mapping.dmp
- memory/1492-150-0x0000000004C30000-0x0000000004C34000-memory.dmp (Filesize: 16KB)
- memory/1596-148-0x000007FEF83B0000-0x000007FEF862A000-memory.dmp (Filesize: 2.5MB)
- memory/1704-2-0x0000000000000000-mapping.dmp
- memory/1756-5-0x0000000000000000-mapping.dmp
- memory/1784-4-0x0000000000000000-mapping.dmp
- memory/1800-14-0x0000000000000000-mapping.dmp
- memory/1800-15-0x0000000000000000-mapping.dmp
- memory/1812-22-0x0000000074670000-0x0000000074D5E000-memory.dmp (Filesize: 6.9MB)
- memory/1812-11-0x0000000000000000-mapping.dmp
- memory/1812-12-0x0000000000000000-mapping.dmp
- memory/1812-26-0x0000000001190000-0x0000000001191000-memory.dmp (Filesize: 4KB)
- memory/1820-6-0x0000000000000000-mapping.dmp
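The dropped-file list is the part of this report that turns most directly into a detection: every encrypted file keeps its original extension and gains a `Lock.` prefix, each swept directory yields a `Lock.desktop.ini`, the three payloads land on the Desktop, and the second stage is written under `AppData\Roaming\Microsoft\Windows`. The Python below is an added example, not part of the report or the sandbox: it classifies a constructed subset of the paths above into those roles and derives the per-run facts a responder wants (swept directories, victim extensions, a mass-rename trigger). The category names, the thresholds in `is_mass_rename`, and the reading of the `Fixed.` prefix as decryptor output are my assumptions; the page lists `Fixed.UnlockPublish.ppsx` next to `Lock.UnlockPublish.ppsx` and shows POWERPNT.EXE opening it, but does not say how it was produced.

```python
"""Classify sandbox dropped-file paths from a file-renaming locker run."""
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a subset of the paths in the report's Downloads list.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\8x8x8",
    r"C:\Users\Admin\AppData\Local\Temp\ABE9.tmp\ABEA.tmp\ABEB.bat",
    r"C:\Users\Admin\AppData\Local\Temp\B24F.tmp\B250.tmp\B260.bat",
    r"C:\Users\Admin\AppData\Local\Temp\HexLK.hex",
    r"C:\Users\Admin\AppData\Local\Temp\rd000db.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftNTSystem.sys",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WindowsSystemTools.exe",
    r"C:\Users\Admin\Desktop\Fixed.UnlockPublish.ppsx",
    r"C:\Users\Admin\Desktop\HexDecryptor.exe",
    r"C:\Users\Admin\Desktop\HexLocker.exe",
    r"C:\Users\Admin\Desktop\Lock.HexLocker.exe",
    r"C:\Users\Admin\Desktop\Lock.UnlockPublish.ppsx",
    r"C:\Users\Admin\Desktop\Lock.desktop.ini",
    r"C:\Users\Admin\Documents\Lock.Are.docx",
    r"C:\Users\Admin\Documents\Lock.SetOpen.xlsb",
    r"C:\Users\Admin\Music\Lock.ExitOpen.mp3",
    r"C:\Users\Admin\Pictures\Lock.Wallpaper.jpg",
    r"C:\Users\Public\Pictures\Lock.desktop.ini",
]

ENCRYPTED_PREFIX = "Lock."   # marker the locker prepends; original extension is kept
RESTORED_PREFIX = "Fixed."   # assumption: output of the decryptor (see lead-in)
BINARY_EXTS = (".exe", ".dll", ".sys")


def classify(path):
    """Bucket one dropped-file path by the role it plays in the run."""
    p = PureWindowsPath(path)
    name, low = p.name, p.name.lower()
    parts = {s.lower() for s in p.parts}
    if name.startswith(ENCRYPTED_PREFIX):
        return "encrypted"          # victim file, renamed in place
    if name.startswith(RESTORED_PREFIX):
        return "restored"
    if {"roaming", "microsoft"} <= parts and low.endswith(BINARY_EXTS):
        return "persistence"        # second stage under AppData\Roaming\Microsoft\Windows
    if "temp" in parts and low.endswith(".bat"):
        return "batch_wrapper"      # the cmd.exe /c <tmp>.bat launchers
    if "temp" in parts and low.endswith(".hex"):
        return "config"
    if low.endswith(BINARY_EXTS):
        return "dropped_payload"
    return "other"


def original_name(path):
    """Strip the locker's prefix to recover the pre-encryption file name."""
    name = PureWindowsPath(path).name
    if not name.startswith(ENCRYPTED_PREFIX):
        raise ValueError(f"not an encrypted file name: {name}")
    return name[len(ENCRYPTED_PREFIX):]


def summarize(paths):
    """Per-run facts: category counts, directories swept, victim extensions."""
    cats = Counter(classify(p) for p in paths)
    encrypted = [PureWindowsPath(p) for p in paths if classify(p) == "encrypted"]
    return {
        "categories": cats,
        "swept_dirs": sorted({str(p.parent) for p in encrypted}),
        # the original extension survives the rename, so it is still visible here
        "victim_extensions": sorted({p.suffix.lower() for p in encrypted if p.suffix}),
    }


def is_mass_rename(paths, min_files=5, min_dirs=2):
    """Fire when many Lock.* files appear across several directories."""
    s = summarize(paths)
    return (s["categories"]["encrypted"] >= min_files
            and len(s["swept_dirs"]) >= min_dirs)


if __name__ == "__main__":
    s = summarize(SAMPLE_PATHS)
    for cat, n in sorted(s["categories"].items()):
        print(f"{cat:16} {n}")
    print("swept:", ", ".join(s["swept_dirs"]))
    print("victim extensions:", " ".join(s["victim_extensions"]))
    print("mass rename:", is_mass_rename(SAMPLE_PATHS))
```

Because the locker keeps the victim's extension, an extension-based ransomware rule (`*.locked`, `*.crypt`) never fires on this sample; matching on the `Lock.` name prefix and on a `Lock.desktop.ini` appearing in each swept directory does, and the same `summarize` call over the full list on the page shows seven user directories swept, including the Public ones.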