Resubmissions
28-08-2020 12:47
200828-nd915gcv5n 828-08-2020 12:45
200828-q7w77zyk92 828-08-2020 12:39
200828-h3kmc18276 8Analysis
-
max time kernel
144s -
max time network
20s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
28-08-2020 12:45
Static task
static1
Behavioral task
behavioral1
Sample
myfile.exe
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
myfile.exe
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
myfile.exe
-
Size
4.3MB
-
MD5
0a438448cebd370318b5294775e2405c
-
SHA1
60abd37bf94ee406653af60e5b72f1f69f646308
-
SHA256
1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33
-
SHA512
dc21a068d6aa3ce93a399d2b636a4dc17fd9b2f60c921eaadaef4eb0049c4ef5d1c09479c906660d0fa7bb7e688cdae54a36d9e73e35ac209e469a862c992976
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
HexInformation.exeHexDecryptor.exeHexLocker.exepid process 1820 HexInformation.exe 1816 HexDecryptor.exe 708 HexLocker.exe -
Enumerates connected drives 3 TTPs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
HexLocker.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" HexLocker.exe -
Modifies Control Panel 1 IoCs
Processes:
HexLocker.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop HexLocker.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
Processes:
HexInformation.exeHexDecryptor.exeHexLocker.exepid process 1820 HexInformation.exe 1816 HexDecryptor.exe 708 HexLocker.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
HexInformation.exepid process 1820 HexInformation.exe -
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
myfile.execmd.exeHexDecryptor.exedescription pid process target process PID 1620 wrote to memory of 1788 1620 myfile.exe cmd.exe PID 1620 wrote to memory of 1788 1620 myfile.exe cmd.exe PID 1620 wrote to memory of 1788 1620 myfile.exe cmd.exe PID 1620 wrote to memory of 1788 1620 myfile.exe cmd.exe PID 1788 wrote to memory of 1192 1788 cmd.exe tree.com PID 1788 wrote to memory of 1192 1788 cmd.exe tree.com PID 1788 wrote to memory of 1192 1788 cmd.exe tree.com PID 1788 wrote to memory of 1864 1788 cmd.exe tree.com PID 1788 wrote to memory of 1864 1788 cmd.exe tree.com PID 1788 wrote to memory of 1864 1788 cmd.exe tree.com PID 1788 wrote to memory of 1876 1788 cmd.exe tree.com PID 1788 wrote to memory of 1876 1788 cmd.exe tree.com PID 1788 wrote to memory of 1876 1788 cmd.exe tree.com PID 1788 wrote to memory of 1888 1788 cmd.exe tree.com PID 1788 wrote to memory of 1888 1788 cmd.exe tree.com PID 1788 wrote to memory of 1888 1788 cmd.exe tree.com PID 1788 wrote to memory of 1900 1788 cmd.exe tree.com PID 1788 wrote to memory of 1900 1788 cmd.exe tree.com PID 1788 wrote to memory of 1900 1788 cmd.exe tree.com PID 1788 wrote to memory of 1820 1788 cmd.exe HexInformation.exe PID 1788 wrote to memory of 1820 1788 cmd.exe HexInformation.exe PID 1788 wrote to memory of 1820 1788 cmd.exe HexInformation.exe PID 1788 wrote to memory of 1820 1788 cmd.exe HexInformation.exe PID 1788 wrote to memory of 1816 1788 cmd.exe HexDecryptor.exe PID 1788 wrote to memory of 1816 1788 cmd.exe HexDecryptor.exe PID 1788 wrote to memory of 1816 1788 cmd.exe HexDecryptor.exe PID 1788 wrote to memory of 1816 1788 cmd.exe HexDecryptor.exe PID 1788 wrote to memory of 708 1788 cmd.exe HexLocker.exe PID 1788 wrote to memory of 708 1788 cmd.exe HexLocker.exe PID 1788 wrote to memory of 708 1788 cmd.exe HexLocker.exe PID 1788 wrote to memory of 708 1788 cmd.exe HexLocker.exe PID 1816 wrote to memory of 1440 1816 HexDecryptor.exe cmd.exe PID 1816 wrote to memory of 1440 1816 HexDecryptor.exe cmd.exe PID 1816 wrote to memory of 1440 1816 HexDecryptor.exe cmd.exe PID 1816 wrote to memory of 1440 1816 HexDecryptor.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\myfile.exe"C:\Users\Admin\AppData\Local\Temp\myfile.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\B203.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Windows\system32\tree.comtree3⤵
-
C:\Users\Admin\Desktop\HexInformation.exeHexInformation.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\HexDecryptor.exeHexDecryptor.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B8C4.tmp\B8C5.tmp\B8C6.bat C:\Users\Admin\Desktop\HexDecryptor.exe"4⤵
-
C:\Users\Admin\Desktop\HexLocker.exeHexLocker.exe3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\B203.bat
-
C:\Users\Admin\AppData\Local\Temp\B8C4.tmp\B8C5.tmp\B8C6.bat
-
C:\Users\Admin\AppData\Local\Temp\HexDCIF.hex
-
C:\Users\Admin\AppData\Local\Temp\HexIF.hex
-
C:\Users\Admin\AppData\Local\Temp\HexLK.hex
-
C:\Users\Admin\AppData\Local\Temp\rd000db.dll
-
C:\Users\Admin\Desktop\HexDecryptor.exe
-
C:\Users\Admin\Desktop\HexDecryptor.exe
-
C:\Users\Admin\Desktop\HexInformation.exe
-
C:\Users\Admin\Desktop\HexInformation.exe
-
C:\Users\Admin\Desktop\HexLocker.exe
-
C:\Users\Admin\Desktop\HexLocker.exe
-
C:\Users\Admin\Desktop\Lock.ConfirmUse.7z
-
C:\Users\Admin\Desktop\Lock.ConvertConvertFrom.odp
-
C:\Users\Admin\Desktop\Lock.ConvertDisable.potx
-
C:\Users\Admin\Desktop\Lock.DenyClear.xht
-
C:\Users\Admin\Desktop\Lock.DisableOptimize.png
-
C:\Users\Admin\Desktop\Lock.DisableRename.rtf
-
C:\Users\Admin\Desktop\Lock.DisableRename.rtf - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.DisableRename.rtf - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.DisableRename.rtf - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.EnableRestore.wav
-
C:\Users\Admin\Desktop\Lock.EnableRestore.wav - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.EnableRestore.wav - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.EnableRestore.wav - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.GetOut.vsd
-
C:\Users\Admin\Desktop\Lock.GetOut.vsd - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.GetOut.vsd - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.GetOut.vsd - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.GrantResolve.asx
-
C:\Users\Admin\Desktop\Lock.GrantResolve.asx - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.GrantResolve.asx - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.GrantResolve.asx - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.GroupConvert.vsd
-
C:\Users\Admin\Desktop\Lock.GroupConvert.vsd - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.GroupConvert.vsd - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.GroupConvert.vsd - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.HexDecryptor.exe
-
C:\Users\Admin\Desktop\Lock.HexDecryptor.exe - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.HexDecryptor.exe - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.HexDecryptor.exe - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.HexInformation.exe
-
C:\Users\Admin\Desktop\Lock.HexInformation.exe - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.HexInformation.exe - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.HexInformation.exe - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.HexLocker.exe
-
C:\Users\Admin\Desktop\Lock.HexLocker.exe - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.HexLocker.exe - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.HexLocker.exe - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.HideExit.dotx
-
C:\Users\Admin\Desktop\Lock.HideExit.dotx - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.HideExit.dotx - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.HideExit.dotx - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.ImportMerge.ppsx
-
C:\Users\Admin\Desktop\Lock.ImportMerge.ppsx - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.ImportMerge.ppsx - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.ImportMerge.ppsx - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.InstallReceive (2).lnk
-
C:\Users\Admin\Desktop\Lock.InstallReceive (3).lnk
-
C:\Users\Admin\Desktop\Lock.InstallReceive (4).lnk
-
C:\Users\Admin\Desktop\Lock.InstallReceive.lnk
-
C:\Users\Admin\Desktop\Lock.MeasureRename.mpe
-
C:\Users\Admin\Desktop\Lock.MeasureRename.mpe - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.MeasureRename.mpe - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.MeasureRename.mpe - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.OptimizeBackup.otf
-
C:\Users\Admin\Desktop\Lock.OptimizeBackup.otf - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.OptimizeBackup.otf - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.OptimizeBackup.otf - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.PublishMerge.htm
-
C:\Users\Admin\Desktop\Lock.PublishMerge.htm - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.PublishMerge.htm - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.PublishMerge.htm - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.ReceiveAssert.odp
-
C:\Users\Admin\Desktop\Lock.ReceiveAssert.odp - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.ReceiveAssert.odp - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.ReceiveAssert.odp - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.ResizeConvertTo.emf
-
C:\Users\Admin\Desktop\Lock.ResizeConvertTo.emf - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.ResizeConvertTo.emf - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.ResizeConvertTo.emf - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.SendTest.iso
-
C:\Users\Admin\Desktop\Lock.SendTest.iso - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.SendTest.iso - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.SendTest.iso - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.StartUpdate.rm
-
C:\Users\Admin\Desktop\Lock.StartUpdate.rm - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.StartUpdate.rm - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.StartUpdate.rm - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.StepSearch.txt
-
C:\Users\Admin\Desktop\Lock.StepSearch.txt - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.StepSearch.txt - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.StepSearch.txt - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.SwitchSubmit.dib
-
C:\Users\Admin\Desktop\Lock.SwitchSubmit.dib - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.SwitchSubmit.dib - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.SwitchSubmit.dib - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.SyncUnpublish.js
-
C:\Users\Admin\Desktop\Lock.SyncUnpublish.js - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.SyncUnpublish.js - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.SyncUnpublish.js - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.UnlockGroup.dll
-
C:\Users\Admin\Desktop\Lock.UnlockGroup.dll - Shortcut (2).lnk
-
C:\Users\Admin\Desktop\Lock.UnlockGroup.dll - Shortcut (3).lnk
-
C:\Users\Admin\Desktop\Lock.UnlockGroup.dll - Shortcut.lnk
-
C:\Users\Admin\Desktop\Lock.desktop.ini
-
memory/628-28-0x000007FEF8510000-0x000007FEF878A000-memory.dmpFilesize
2.5MB
-
memory/708-17-0x0000000000000000-mapping.dmp
-
memory/708-18-0x0000000000000000-mapping.dmp
-
memory/1192-2-0x0000000000000000-mapping.dmp
-
memory/1440-22-0x0000000000000000-mapping.dmp
-
memory/1788-0-0x0000000000000000-mapping.dmp
-
memory/1816-15-0x0000000000000000-mapping.dmp
-
memory/1816-14-0x0000000000000000-mapping.dmp
-
memory/1820-26-0x0000000001070000-0x0000000001071000-memory.dmpFilesize
4KB
-
memory/1820-24-0x0000000074650000-0x0000000074D3E000-memory.dmpFilesize
6.9MB
-
memory/1820-12-0x0000000000000000-mapping.dmp
-
memory/1820-11-0x0000000000000000-mapping.dmp
-
memory/1864-3-0x0000000000000000-mapping.dmp
-
memory/1876-4-0x0000000000000000-mapping.dmp
-
memory/1888-5-0x0000000000000000-mapping.dmp
-
memory/1900-6-0x0000000000000000-mapping.dmp