Analysis
-
max time kernel
76s -
max time network
111s -
platform
windows10_x64 -
resource
win10 -
submitted
03-09-2020 14:52
Static task
static1
Behavioral task
behavioral1
Sample
software-launcher8.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
software-launcher8.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
software-launcher8.exe
-
Size
338KB
-
MD5
26cae6fdb074d2e30002351c40aa2b58
-
SHA1
315dfcb400f3fb36220a91fd9f8b9200366eca56
-
SHA256
53fd929034ec71904be8ef06d4c42f2467997f16364431cb3e46a24d82bdaf6f
-
SHA512
d00c0e9a3a5fb93f45b7ddf176fda720ccc6e23dbb0615c63222bdacce2c7f15cb8821488141bf5d4452c4a015f0b6704ce2beda4910a4e8509576fc04425b94
Score
10/10
Malware Config
Signatures
-
HiddenTear Ransomware
Open-Source ransomware available on Github since 2015, with many versions in the wild.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3892 software-launcher8.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 226ea04c0182d601 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3892 software-launcher8.exe 3892 software-launcher8.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeShutdownPrivilege 856 svchost.exe Token: SeCreatePagefilePrivilege 856 svchost.exe Token: SeDebugPrivilege 3892 software-launcher8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\software-launcher8.exe"C:\Users\Admin\AppData\Local\Temp\software-launcher8.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:856