1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33

Resubmissions

28/08/2020, 12:47

200828-nd915gcv5n 8

28/08/2020, 12:45

200828-q7w77zyk92 8

28/08/2020, 12:39

200828-h3kmc18276 8

Analysis

max time kernel
144s
max time network
20s
platform
windows7_x64
resource
win7v200722
submitted
28/08/2020, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

myfile.exe
Size

4.3MB
MD5

0a438448cebd370318b5294775e2405c
SHA1

60abd37bf94ee406653af60e5b72f1f69f646308
SHA256

1e40bce6e476e4c0485b3f813cff5d493b1e07f52a89b56a31765529b809ea33
SHA512

dc21a068d6aa3ce93a399d2b636a4dc17fd9b2f60c921eaadaef4eb0049c4ef5d1c09479c906660d0fa7bb7e688cdae54a36d9e73e35ac209e469a862c992976

Score

8^/10

ransomware

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1820	HexInformation.exe
1816	HexDecryptor.exe
708	HexLocker.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	HexLocker.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Control Panel\Desktop	HexLocker.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
1820	HexInformation.exe
1816	HexDecryptor.exe
708	HexLocker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1820	HexInformation.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1788	1620	myfile.exe	25
PID 1620 wrote to memory of 1788	1620	myfile.exe	25
PID 1620 wrote to memory of 1788	1620	myfile.exe	25
PID 1620 wrote to memory of 1788	1620	myfile.exe	25
PID 1788 wrote to memory of 1192	1788	cmd.exe	27
PID 1788 wrote to memory of 1192	1788	cmd.exe	27
PID 1788 wrote to memory of 1192	1788	cmd.exe	27
PID 1788 wrote to memory of 1864	1788	cmd.exe	28
PID 1788 wrote to memory of 1864	1788	cmd.exe	28
PID 1788 wrote to memory of 1864	1788	cmd.exe	28
PID 1788 wrote to memory of 1876	1788	cmd.exe	29
PID 1788 wrote to memory of 1876	1788	cmd.exe	29
PID 1788 wrote to memory of 1876	1788	cmd.exe	29
PID 1788 wrote to memory of 1888	1788	cmd.exe	30
PID 1788 wrote to memory of 1888	1788	cmd.exe	30
PID 1788 wrote to memory of 1888	1788	cmd.exe	30
PID 1788 wrote to memory of 1900	1788	cmd.exe	31
PID 1788 wrote to memory of 1900	1788	cmd.exe	31
PID 1788 wrote to memory of 1900	1788	cmd.exe	31
PID 1788 wrote to memory of 1820	1788	cmd.exe	32
PID 1788 wrote to memory of 1820	1788	cmd.exe	32
PID 1788 wrote to memory of 1820	1788	cmd.exe	32
PID 1788 wrote to memory of 1820	1788	cmd.exe	32
PID 1788 wrote to memory of 1816	1788	cmd.exe	33
PID 1788 wrote to memory of 1816	1788	cmd.exe	33
PID 1788 wrote to memory of 1816	1788	cmd.exe	33
PID 1788 wrote to memory of 1816	1788	cmd.exe	33
PID 1788 wrote to memory of 708	1788	cmd.exe	35
PID 1788 wrote to memory of 708	1788	cmd.exe	35
PID 1788 wrote to memory of 708	1788	cmd.exe	35
PID 1788 wrote to memory of 708	1788	cmd.exe	35
PID 1816 wrote to memory of 1440	1816	HexDecryptor.exe	36
PID 1816 wrote to memory of 1440	1816	HexDecryptor.exe	36
PID 1816 wrote to memory of 1440	1816	HexDecryptor.exe	36
PID 1816 wrote to memory of 1440	1816	HexDecryptor.exe	36

C:\Users\Admin\AppData\Local\Temp\myfile.exe
"C:\Users\Admin\AppData\Local\Temp\myfile.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\B203.bat C:\Users\Admin\AppData\Local\Temp\myfile.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1192
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1864
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1876
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1888
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1900
- - C:\Users\Admin\Desktop\HexInformation.exe
    HexInformation.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of FindShellTrayWindow
    PID:1820
- - C:\Users\Admin\Desktop\HexDecryptor.exe
    HexDecryptor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B8C4.tmp\B8C5.tmp\B8C6.bat C:\Users\Admin\Desktop\HexDecryptor.exe"
      4⤵
      PID:1440
- - C:\Users\Admin\Desktop\HexLocker.exe
    HexLocker.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact