Overview

overview

10

Static

static

software-l...r8.exe

windows7_x64

10

software-l...r8.exe

windows10_x64

10

Analysis

  • max time kernel
    76s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    03-09-2020 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    software-launcher8.exe

  • Size

    338KB

  • MD5

    26cae6fdb074d2e30002351c40aa2b58

  • SHA1

    315dfcb400f3fb36220a91fd9f8b9200366eca56

  • SHA256

    53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f

  • SHA512

    d00c0e9a3a5fb93f45b7ddf176fda720ccc6e23dbb0615c63222bdacce2c7f15cb8821488141bf5d4452c4a015f0b6704ce2beda4910a4e8509576fc04425b94

Score
10/10
ransomwarehiddentear

Malware Config

Signatures

  • HiddenTear Ransomware

    Open-Source ransomware available on Github since 2015, with many versions in the wild.

    ransomwarehiddentear
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\software-launcher8.exe
    "C:\Users\Admin\AppData\Local\Temp\software-launcher8.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3892
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3892-0-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

    Download

  • memory/3892-1-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-2-0x0000000073530000-0x0000000073C1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3892-3-0x0000000000400000-0x0000000000401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-5-0x00000000067A0000-0x00000000067A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-6-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-7-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

    Filesize

    4KB

    Download