Analysis
-
max time kernel
77s -
max time network
66s -
platform
windows10_x64 -
resource
win10 -
submitted
03-09-2020 14:53
Static task
static1
Behavioral task
behavioral1
Sample
software-launcher.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
software-launcher.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
software-launcher.exe
-
Size
207KB
-
MD5
900c456cbcd61ed2bf91378112e93eb0
-
SHA1
c227ca088a4f80729b83396cafa0152d9778254e
-
SHA256
fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd
-
SHA512
e9e71efbe7e70ece0d5022c401d6cb8c808237946b6a30fcfe18d8d43ea93460c04977015daf05a7baa5a9f1467c5ffdcf499a52706c27a0055529a3f38f0ba7
Score
10/10
Malware Config
Signatures
-
HiddenTear Ransomware
Open-Source ransomware available on Github since 2015, with many versions in the wild.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\SwitchReset.png => C:\Users\Admin\Pictures\SwitchReset.png.klavins software-launcher.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = bdfd26760182d601 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0" svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeShutdownPrivilege 744 svchost.exe Token: SeCreatePagefilePrivilege 744 svchost.exe Token: SeDebugPrivilege 3104 software-launcher.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\software-launcher.exe"C:\Users\Admin\AppData\Local\Temp\software-launcher.exe"1⤵
- Modifies extensions of user files
- Suspicious use of AdjustPrivilegeToken
PID:3104
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:744