Analysis
-
max time kernel
43s -
max time network
143s -
platform
windows10_x64 -
resource
win10 -
submitted
26-10-2020 07:05
General
-
Target
c756c7431558b4848bbd865af6aba43f.exe
-
Size
3.8MB
-
MD5
c756c7431558b4848bbd865af6aba43f
-
SHA1
e34592243c9a070c91bc4735ca9d9cc67066a40f
-
SHA256
2f8a1772bb051c6b730649fcbe00a51b20b0e4d6f71bd28e06d5d2cffd3e1621
-
SHA512
37ae8613a774708148c9fb5e59466f0fc361807dfde7c5ef9a892d4adc7e6648b6c8425bcfa40df98fea8d9846ddbf452504c14e12e320bf08af540b1a28e897
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c756c7431558b4848bbd865af6aba43f.exe"C:\Users\Admin\AppData\Local\Temp\c756c7431558b4848bbd865af6aba43f.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\J3FhcbMvngDjk5XD.exe"C:\Users\Admin\AppData\Local\Temp\J3FhcbMvngDjk5XD.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\E5MjvJO3CxUVYC1P.exe"C:\Users\Admin\AppData\Local\Temp\E5MjvJO3CxUVYC1P.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\xysO8TKCqiwPBmc7.exe"C:\Users\Admin\AppData\Local\Temp\xysO8TKCqiwPBmc7.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\sSupaWYndxNaUYiT.exe"C:\Users\Admin\AppData\Local\Temp\sSupaWYndxNaUYiT.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\z2ct1fgwHccx6SWB.exe"C:\Users\Admin\AppData\Local\Temp\z2ct1fgwHccx6SWB.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\v1oAFvWdkov31AoF.exe"C:\Users\Admin\AppData\Local\Temp\v1oAFvWdkov31AoF.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\nU2stFav1FdMHeDf.exe"C:\Users\Admin\AppData\Local\Temp\nU2stFav1FdMHeDf.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BhtrWtsUt6BkW3Kp\wedqwe.exe"C:\Users\Admin\AppData\Local\Temp\BhtrWtsUt6BkW3Kp\wedqwe.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 16162⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rhrtere.exe.log
-
C:\Users\Admin\AppData\Local\Temp\2OGL0v3iIILmZ4b7\rhrtere.exe
-
C:\Users\Admin\AppData\Local\Temp\2OGL0v3iIILmZ4b7\rhrtere.exe
-
C:\Users\Admin\AppData\Local\Temp\2OGL0v3iIILmZ4b7\rhrtere.exe
-
C:\Users\Admin\AppData\Local\Temp\2OGL0v3iIILmZ4b7\rhrtere.exe
-
C:\Users\Admin\AppData\Local\Temp\2OGL0v3iIILmZ4b7\rhrtere.exe
-
C:\Users\Admin\AppData\Local\Temp\2OGL0v3iIILmZ4b7\rhrtere.exe
-
C:\Users\Admin\AppData\Local\Temp\2OGL0v3iIILmZ4b7\rhrtere.exe
-
C:\Users\Admin\AppData\Local\Temp\4Y96qx462huUH7XD\svehost.exe
-
C:\Users\Admin\AppData\Local\Temp\4Y96qx462huUH7XD\svehost.exe
-
C:\Users\Admin\AppData\Local\Temp\4Y96qx462huUH7XD\svehost.exe
-
C:\Users\Admin\AppData\Local\Temp\4Y96qx462huUH7XD\svehost.exe
-
C:\Users\Admin\AppData\Local\Temp\BhtrWtsUt6BkW3Kp\wedqwe.exe
-
C:\Users\Admin\AppData\Local\Temp\BhtrWtsUt6BkW3Kp\wedqwe.exe
-
C:\Users\Admin\AppData\Local\Temp\E5MjvJO3CxUVYC1P.exe
-
C:\Users\Admin\AppData\Local\Temp\E5MjvJO3CxUVYC1P.exe
-
C:\Users\Admin\AppData\Local\Temp\IjHRk31sewJPv5Mi\efwewst.exe
-
C:\Users\Admin\AppData\Local\Temp\IjHRk31sewJPv5Mi\efwewst.exe
-
C:\Users\Admin\AppData\Local\Temp\J3FhcbMvngDjk5XD.exe
-
C:\Users\Admin\AppData\Local\Temp\J3FhcbMvngDjk5XD.exe
-
C:\Users\Admin\AppData\Local\Temp\feJ1UcvCgRx8UMf6\ewdqrr.exe
-
C:\Users\Admin\AppData\Local\Temp\feJ1UcvCgRx8UMf6\ewdqrr.exe
-
C:\Users\Admin\AppData\Local\Temp\feJ1UcvCgRx8UMf6\ewdqrr.exe
-
C:\Users\Admin\AppData\Local\Temp\nU2stFav1FdMHeDf.exe
-
C:\Users\Admin\AppData\Local\Temp\nU2stFav1FdMHeDf.exe
-
C:\Users\Admin\AppData\Local\Temp\sSupaWYndxNaUYiT.exe
-
C:\Users\Admin\AppData\Local\Temp\sSupaWYndxNaUYiT.exe
-
C:\Users\Admin\AppData\Local\Temp\v1oAFvWdkov31AoF.exe
-
C:\Users\Admin\AppData\Local\Temp\v1oAFvWdkov31AoF.exe
-
C:\Users\Admin\AppData\Local\Temp\xysO8TKCqiwPBmc7.exe
-
C:\Users\Admin\AppData\Local\Temp\xysO8TKCqiwPBmc7.exe
-
C:\Users\Admin\AppData\Local\Temp\z2ct1fgwHccx6SWB.exe
-
C:\Users\Admin\AppData\Local\Temp\z2ct1fgwHccx6SWB.exe
-
C:\Users\Admin\Documents\word64l.exe
-
C:\Users\Admin\Documents\word64l.exe
-
C:\Windows\rhrtere.exe
-
C:\Windows\rhrtere.exe
-
C:\Windows\rhrtere.exe
-
C:\Windows\rhrtere.exe
-
C:\Windows\rhrtere.exe
-
C:\Windows\rhrtere.exe
-
C:\Windows\rhrtere.exe
-
C:\Windows\svhostl.exe
-
C:\Windows\svhostl.exe
-
memory/192-289-0x000000000040CED2-mapping.dmp
-
memory/204-55-0x000000000048F888-mapping.dmp
-
memory/204-60-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/204-51-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/764-5-0x0000000000000000-mapping.dmp
-
memory/1068-74-0x0000000000000000-mapping.dmp
-
memory/1068-73-0x0000000002DD0000-0x0000000002DD1000-memory.dmpFilesize
4KB
-
memory/1068-71-0x0000000000000000-mapping.dmp
-
memory/1120-203-0x0000000000000000-mapping.dmp
-
memory/1632-80-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/1632-83-0x000000000040715C-mapping.dmp
-
memory/1632-88-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/2060-146-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/2060-132-0x00000000041E0000-0x00000000041E1000-memory.dmpFilesize
4KB
-
memory/2080-161-0x0000000004730000-0x0000000004731000-memory.dmpFilesize
4KB
-
memory/2080-170-0x0000000005430000-0x0000000005431000-memory.dmpFilesize
4KB
-
memory/2080-160-0x0000000004730000-0x0000000004731000-memory.dmpFilesize
4KB
-
memory/2080-162-0x0000000004730000-0x0000000004731000-memory.dmpFilesize
4KB
-
memory/2336-48-0x0000000004330000-0x0000000004331000-memory.dmpFilesize
4KB
-
memory/2336-70-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/2340-139-0x0000000000000000-mapping.dmp
-
memory/2340-142-0x0000000000000000-mapping.dmp
-
memory/2340-150-0x0000000000000000-mapping.dmp
-
memory/2340-151-0x0000000000000000-mapping.dmp
-
memory/2340-135-0x0000000000000000-mapping.dmp
-
memory/2340-134-0x0000000000000000-mapping.dmp
-
memory/2340-141-0x0000000000000000-mapping.dmp
-
memory/2340-42-0x0000000000000000-mapping.dmp
-
memory/2340-152-0x0000000000000000-mapping.dmp
-
memory/2340-140-0x0000000000000000-mapping.dmp
-
memory/2340-148-0x0000000000000000-mapping.dmp
-
memory/2340-149-0x0000000000000000-mapping.dmp
-
memory/2384-97-0x0000000000000000-mapping.dmp
-
memory/2472-287-0x0000000000000000-mapping.dmp
-
memory/2516-194-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/2516-185-0x0000000004000000-0x0000000004001000-memory.dmpFilesize
4KB
-
memory/2524-205-0x000000000040CED2-mapping.dmp
-
memory/2528-72-0x0000000004BC0000-0x0000000004BC1000-memory.dmpFilesize
4KB
-
memory/2528-43-0x0000000004250000-0x0000000004251000-memory.dmpFilesize
4KB
-
memory/2708-115-0x0000000004ED0000-0x0000000004ED1000-memory.dmpFilesize
4KB
-
memory/2708-100-0x0000000004280000-0x0000000004281000-memory.dmpFilesize
4KB
-
memory/2708-101-0x0000000004280000-0x0000000004281000-memory.dmpFilesize
4KB
-
memory/3016-154-0x000000000040CED2-mapping.dmp
-
memory/3120-292-0x0000000000000000-mapping.dmp
-
memory/3216-30-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/3216-7-0x0000000000000000-mapping.dmp
-
memory/3216-23-0x0000000000670000-0x0000000000671000-memory.dmpFilesize
4KB
-
memory/3216-28-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/3216-32-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/3216-175-0x0000000004950000-0x000000000496C000-memory.dmpFilesize
112KB
-
memory/3216-36-0x00000000055C0000-0x00000000055E5000-memory.dmpFilesize
148KB
-
memory/3216-14-0x00000000706E0000-0x0000000070DCE000-memory.dmpFilesize
6.9MB
-
memory/3588-17-0x0000000000000000-mapping.dmp
-
memory/3864-103-0x0000000000000000-mapping.dmp
-
memory/3864-108-0x0000000000000000-mapping.dmp
-
memory/3864-10-0x0000000000000000-mapping.dmp
-
memory/3864-104-0x0000000000000000-mapping.dmp
-
memory/3864-120-0x0000000000000000-mapping.dmp
-
memory/3864-106-0x0000000000000000-mapping.dmp
-
memory/3864-107-0x0000000000000000-mapping.dmp
-
memory/3864-105-0x0000000000000000-mapping.dmp
-
memory/3864-109-0x0000000000000000-mapping.dmp
-
memory/3864-125-0x0000000000000000-mapping.dmp
-
memory/3864-110-0x0000000000000000-mapping.dmp
-
memory/3864-111-0x0000000000000000-mapping.dmp
-
memory/3864-124-0x0000000000000000-mapping.dmp
-
memory/3864-123-0x0000000000000000-mapping.dmp
-
memory/3864-122-0x0000000000000000-mapping.dmp
-
memory/3864-121-0x0000000000000000-mapping.dmp
-
memory/3864-118-0x0000000000000000-mapping.dmp
-
memory/3864-119-0x0000000000000000-mapping.dmp
-
memory/3968-167-0x0000000000000000-mapping.dmp
-
memory/3968-130-0x0000000000000000-mapping.dmp
-
memory/3968-168-0x0000000000000000-mapping.dmp
-
memory/3968-165-0x0000000000000000-mapping.dmp
-
memory/3968-166-0x0000000000000000-mapping.dmp
-
memory/3968-173-0x0000000000000000-mapping.dmp
-
memory/3968-164-0x0000000000000000-mapping.dmp
-
memory/3968-169-0x0000000000000000-mapping.dmp
-
memory/3968-178-0x0000000000000000-mapping.dmp
-
memory/3968-177-0x0000000000000000-mapping.dmp
-
memory/3968-176-0x0000000000000000-mapping.dmp
-
memory/3968-174-0x0000000000000000-mapping.dmp
-
memory/4028-13-0x0000000000000000-mapping.dmp
-
memory/4040-180-0x000000000040CED2-mapping.dmp
-
memory/4160-305-0x0000000000000000-mapping.dmp
-
memory/4160-295-0x0000000000000000-mapping.dmp
-
memory/4160-300-0x0000000000000000-mapping.dmp
-
memory/4160-307-0x0000000000000000-mapping.dmp
-
memory/4160-304-0x0000000000000000-mapping.dmp
-
memory/4160-303-0x0000000000000000-mapping.dmp
-
memory/4160-301-0x0000000000000000-mapping.dmp
-
memory/4160-306-0x0000000000000000-mapping.dmp
-
memory/4160-208-0x0000000000000000-mapping.dmp
-
memory/4160-296-0x0000000000000000-mapping.dmp
-
memory/4160-297-0x0000000000000000-mapping.dmp
-
memory/4160-299-0x0000000000000000-mapping.dmp
-
memory/4168-82-0x0000000000000000-mapping.dmp
-
memory/4168-62-0x0000000000000000-mapping.dmp
-
memory/4168-0-0x0000000000000000-mapping.dmp
-
memory/4168-77-0x0000000000000000-mapping.dmp
-
memory/4168-76-0x0000000000000000-mapping.dmp
-
memory/4168-75-0x0000000000000000-mapping.dmp
-
memory/4168-54-0x0000000000000000-mapping.dmp
-
memory/4168-64-0x0000000000000000-mapping.dmp
-
memory/4168-66-0x0000000000000000-mapping.dmp
-
memory/4168-68-0x0000000000000000-mapping.dmp
-
memory/4168-78-0x0000000000000000-mapping.dmp
-
memory/4168-57-0x0000000000000000-mapping.dmp
-
memory/4172-56-0x0000000000000000-mapping.dmp
-
memory/4172-3-0x0000000000000000-mapping.dmp
-
memory/4172-65-0x0000000000000000-mapping.dmp
-
memory/4172-63-0x0000000000000000-mapping.dmp
-
memory/4172-67-0x0000000000000000-mapping.dmp
-
memory/4172-61-0x0000000000000000-mapping.dmp
-
memory/4172-69-0x0000000000000000-mapping.dmp
-
memory/4172-50-0x0000000000000000-mapping.dmp
-
memory/4172-46-0x0000000000000000-mapping.dmp
-
memory/4172-53-0x0000000000000000-mapping.dmp
-
memory/4172-96-0x0000000000000000-mapping.dmp
-
memory/4172-84-0x0000000000000000-mapping.dmp
-
memory/4172-79-0x0000000000000000-mapping.dmp
-
memory/4172-89-0x0000000000000000-mapping.dmp
-
memory/4172-86-0x0000000000000000-mapping.dmp
-
memory/4172-90-0x0000000000000000-mapping.dmp
-
memory/4172-91-0x0000000000000000-mapping.dmp
-
memory/4172-81-0x0000000000000000-mapping.dmp
-
memory/4172-52-0x0000000000000000-mapping.dmp
-
memory/4172-92-0x0000000000000000-mapping.dmp
-
memory/4172-93-0x0000000000000000-mapping.dmp
-
memory/4172-47-0x0000000000000000-mapping.dmp
-
memory/4172-94-0x0000000000000000-mapping.dmp
-
memory/4172-49-0x0000000000000000-mapping.dmp
-
memory/4172-95-0x0000000000000000-mapping.dmp
-
memory/4224-189-0x0000000000000000-mapping.dmp
-
memory/4224-192-0x0000000000000000-mapping.dmp
-
memory/4224-199-0x0000000000000000-mapping.dmp
-
memory/4224-201-0x0000000000000000-mapping.dmp
-
memory/4224-198-0x0000000000000000-mapping.dmp
-
memory/4224-197-0x0000000000000000-mapping.dmp
-
memory/4224-193-0x0000000000000000-mapping.dmp
-
memory/4224-200-0x0000000000000000-mapping.dmp
-
memory/4224-188-0x0000000000000000-mapping.dmp
-
memory/4224-157-0x0000000000000000-mapping.dmp
-
memory/4224-190-0x0000000000000000-mapping.dmp
-
memory/4224-191-0x0000000000000000-mapping.dmp
-
memory/4312-112-0x0000000000000000-mapping.dmp
-
memory/4452-24-0x000000000048F888-mapping.dmp
-
memory/4452-22-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/4452-29-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/4560-302-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/4560-293-0x0000000004FA0000-0x0000000004FA1000-memory.dmpFilesize
4KB
-
memory/4608-35-0x00000000054B0000-0x00000000054B1000-memory.dmpFilesize
4KB
-
memory/4608-33-0x00000000047D0000-0x00000000047D1000-memory.dmpFilesize
4KB
-
memory/4608-31-0x00000000047D0000-0x00000000047D1000-memory.dmpFilesize
4KB
-
memory/4660-127-0x000000000040CED2-mapping.dmp
-
memory/4664-218-0x00000000052E0000-0x00000000052E1000-memory.dmpFilesize
4KB
-
memory/4664-210-0x00000000047F0000-0x00000000047F1000-memory.dmpFilesize
4KB
-
memory/4744-37-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/4744-38-0x000000000040CED2-mapping.dmp
-
memory/4744-41-0x0000000000400000-0x000000000044F000-memory.dmpFilesize
316KB
-
memory/4912-136-0x000000000048F888-mapping.dmp
-
memory/4984-282-0x000000000046A08C-mapping.dmp
-
memory/4984-281-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/4984-285-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/4992-147-0x0000000000000000-mapping.dmp
-
memory/4992-144-0x0000000000000000-mapping.dmp
-
memory/4992-145-0x0000000002F80000-0x0000000002F81000-memory.dmpFilesize
4KB
-
memory/5016-183-0x0000000000000000-mapping.dmp
-
memory/5016-276-0x0000000000000000-mapping.dmp
-
memory/5016-275-0x0000000000000000-mapping.dmp
-
memory/5016-215-0x0000000000000000-mapping.dmp
-
memory/5016-216-0x0000000000000000-mapping.dmp
-
memory/5016-277-0x0000000000000000-mapping.dmp
-
memory/5016-214-0x0000000000000000-mapping.dmp
-
memory/5016-278-0x0000000000000000-mapping.dmp
-
memory/5016-279-0x0000000000000000-mapping.dmp
-
memory/5016-213-0x0000000000000000-mapping.dmp
-
memory/5016-212-0x0000000000000000-mapping.dmp
-
memory/5016-211-0x0000000000000000-mapping.dmp