1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33

Resubmissions

28-08-2020 12:47

200828-nd915gcv5n 8

28-08-2020 12:45

200828-q7w77zyk92 8

28-08-2020 12:39

200828-h3kmc18276 8

Analysis

max time kernel
144s
max time network
20s
platform
windows7_x64
resource
win7v200722
submitted
28-08-2020 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

myfile.exe
Size

4.3MB
MD5

0a438448cebd370318b5294775e2405c
SHA1

60abd37bf94ee406653af60e5b72f1f69f646308
SHA256

1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33
SHA512

dc21a068d6aa3ce93a399d2b636a4dc17fd9b2f60c921eaadaef4eb0049c4ef5d1c09479c906660d0fa7bb7e688cdae54a36d9e73e35ac209e469a862c992976

Score

8^/10

ransomware

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

HexInformation.exeHexDecryptor.exeHexLocker.exe

pid process

1820 HexInformation.exe
1816 HexDecryptor.exe
708 HexLocker.exe
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

pid	process
1820	HexInformation.exe
1816	HexDecryptor.exe
708	HexLocker.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

HexLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	HexLocker.exe

Modifies Control Panel 1 IoCs
evasion

Processes:

HexLocker.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop HexLocker.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

Processes:

HexInformation.exeHexDecryptor.exeHexLocker.exe

pid process

1820 HexInformation.exe
1816 HexDecryptor.exe
708 HexLocker.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

HexInformation.exe

pid process

1820 HexInformation.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop	HexLocker.exe

pid	process
1820	HexInformation.exe
1816	HexDecryptor.exe
708	HexLocker.exe

pid	process
1820	HexInformation.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

myfile.execmd.exeHexDecryptor.exe

description	pid	process	target process
PID 1620 wrote to memory of 1788	1620	myfile.exe	cmd.exe
PID 1620 wrote to memory of 1788	1620	myfile.exe	cmd.exe
PID 1620 wrote to memory of 1788	1620	myfile.exe	cmd.exe
PID 1620 wrote to memory of 1788	1620	myfile.exe	cmd.exe
PID 1788 wrote to memory of 1192	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1192	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1192	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1864	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1864	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1864	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1876	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1876	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1876	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1888	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1888	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1888	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1900	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1900	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1900	1788	cmd.exe	tree.com
PID 1788 wrote to memory of 1820	1788	cmd.exe	HexInformation.exe
PID 1788 wrote to memory of 1820	1788	cmd.exe	HexInformation.exe
PID 1788 wrote to memory of 1820	1788	cmd.exe	HexInformation.exe
PID 1788 wrote to memory of 1820	1788	cmd.exe	HexInformation.exe
PID 1788 wrote to memory of 1816	1788	cmd.exe	HexDecryptor.exe
PID 1788 wrote to memory of 1816	1788	cmd.exe	HexDecryptor.exe
PID 1788 wrote to memory of 1816	1788	cmd.exe	HexDecryptor.exe
PID 1788 wrote to memory of 1816	1788	cmd.exe	HexDecryptor.exe
PID 1788 wrote to memory of 708	1788	cmd.exe	HexLocker.exe
PID 1788 wrote to memory of 708	1788	cmd.exe	HexLocker.exe
PID 1788 wrote to memory of 708	1788	cmd.exe	HexLocker.exe
PID 1788 wrote to memory of 708	1788	cmd.exe	HexLocker.exe
PID 1816 wrote to memory of 1440	1816	HexDecryptor.exe	cmd.exe
PID 1816 wrote to memory of 1440	1816	HexDecryptor.exe	cmd.exe
PID 1816 wrote to memory of 1440	1816	HexDecryptor.exe	cmd.exe
PID 1816 wrote to memory of 1440	1816	HexDecryptor.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\myfile.exe
"C:\Users\Admin\AppData\Local\Temp\myfile.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\B203.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\tree.com
tree
3⤵
PID:1192

C:\Windows\system32\tree.com
tree
3⤵
PID:1864

C:\Windows\system32\tree.com
tree
3⤵
PID:1876

C:\Windows\system32\tree.com
tree
3⤵
PID:1888

C:\Windows\system32\tree.com
tree
3⤵
PID:1900

C:\Users\Admin\Desktop\HexInformation.exe
HexInformation.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
PID:1820

C:\Users\Admin\Desktop\HexDecryptor.exe
HexDecryptor.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B8C4.tmp\B8C5.tmp\B8C6.bat C:\Users\Admin\Desktop\HexDecryptor.exe"
4⤵
PID:1440

C:\Users\Admin\Desktop\HexLocker.exe
HexLocker.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:708

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact