a9a5c61d486003487af5df9d83234b1efecd7a6a091b708208fe834ce8c504e9

Analysis

max time kernel
5s
max time network
113s
platform
windows10_x64
resource
win10
submitted
16/09/2020, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_-__----_-.exe
Size

14KB
MD5

65e18bae9b8c42b63bf3b969d3cdb6ca
SHA1

de1e804c81536890bccc963920095ade140b5173
SHA256

66ec6a7bb5cec8d1205685833524b4f577af75570896e0b368f16e5ee0d2a955
SHA512

32e45907c8ec7edeafbb699a3975ec52ae8255d692ebcfaf81ac87cbf118e069355e9c802574b707ce28a8e91aacfcda9ce185fd55910df9bcae9465c27aea15

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SuspendUnprotect.png => C:\Users\Admin\Pictures\SuspendUnprotect.png.paradox	_-__----_-.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Desktop\Wallpaper = "C:\\Admin\\wallpaper.jpg"	_-__----_-.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2728	_-__----_-.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2728	_-__----_-.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	_-__----_-.exe

C:\Users\Admin\AppData\Local\Temp\_-__----_-.exe
"C:\Users\Admin\AppData\Local\Temp\_-__----_-.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2728-0-0x0000000073B10000-0x00000000741FE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-1-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2728-3-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/2728-4-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2728-5-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download