5cd7eab6d1ff136e0f69ae76a45fa3f5e6f77e4c4185dc34205a5f2a6c054663

Analysis

max time kernel
10s
max time network
12s
platform
windows7_x64
resource
win7v20201028
submitted
24-11-2020 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
1712	Docx2Rtf.exe

Loads dropped DLL 2 IoCs

pid	Process
1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe
1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1712	Docx2Rtf.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	26
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	26
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	26
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	26
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	26
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	26
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	26
PID 1484 wrote to memory of 1712	1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	28
PID 1484 wrote to memory of 1712	1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	28
PID 1484 wrote to memory of 1712	1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	28
PID 1484 wrote to memory of 1712	1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	28

C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\is-FM4BA.tmp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FM4BA.tmp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp" /SL5="$3011A,118835448,809472,C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\is-3N9TC.tmp\Docx2Rtf.exe
    "C:\Users\Admin\AppData\Local\Temp\is-3N9TC.tmp\Docx2Rtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads