Overview

overview

10

Static

static

atikmdag-p....8.exe

windows7_x64

10

atikmdag-p....8.exe

windows10_x64

8

Analysis

  • max time kernel
    3s
  • max time network
    3s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-01-2021 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    atikmdag-patcher 1.4.8.exe

  • Size

    3.3MB

  • MD5

    e0b3da406726f5b5636600fd5dad46e1

  • SHA1

    b31d2916c200e2b1672ce2d0080a23d4e77e5092

  • SHA256

    16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74

  • SHA512

    98920dcc4fa7d2b111f408ed27ccafd1aaa19ebf0ef57f8b0a36bd7c305339101c22d5d2d7689417f70aafbf6e878d2c660736c3b7905622962d33ca4d5ee48c

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe
    "C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Users\Admin\AppData\Local\Temp\is-2LC32.tmp\atikmdag-patcher 1.4.8.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2LC32.tmp\atikmdag-patcher 1.4.8.tmp" /SL5="$20112,2708435,780800,C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe
        "C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe" /VERYSILENT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3240
        • C:\Users\Admin\AppData\Local\Temp\is-STJJ1.tmp\atikmdag-patcher 1.4.8.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-STJJ1.tmp\atikmdag-patcher 1.4.8.tmp" /SL5="$30112,2708435,780800,C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe
            "C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe" C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe
            5⤵
            • Executes dropped EXE
            PID:2824
          • C:\Program Files (x86)\My Program\halving.exe
            "C:\Program Files (x86)\My Program\halving.exe" C:\Program Files (x86)\My Program\halving.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:816

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe
    MD5

    5616e95156f37d4445947144eb72d84b

    SHA1

    2ce32920b08f8b6a0959905010b3699fa9111f28

    SHA256

    f3b0e3ba3beb72ad455f478bca6347fbcabbce4ddfa2a6e34f72f11412502434

    SHA512

    27f5a5bbb8dd752b575a74a38ab2aa66c9e714fc9c3e7351005be86c856c6f3cc5bb39835ceb5bd3f7b0f08e4bceb5157970cbf8bd0b927d89b35e042b85552e

    Download Submit

  • C:\Program Files (x86)\My Program\atikmdag-patcher 1.4.8.exe
    MD5

    5616e95156f37d4445947144eb72d84b

    SHA1

    2ce32920b08f8b6a0959905010b3699fa9111f28

    SHA256

    f3b0e3ba3beb72ad455f478bca6347fbcabbce4ddfa2a6e34f72f11412502434

    SHA512

    27f5a5bbb8dd752b575a74a38ab2aa66c9e714fc9c3e7351005be86c856c6f3cc5bb39835ceb5bd3f7b0f08e4bceb5157970cbf8bd0b927d89b35e042b85552e

    Download Submit

  • C:\Program Files (x86)\My Program\doks.dll
    MD5

    f6b71aea229a68e2441b2a27996c2cf4

    SHA1

    8d088dc36ff403293b3b7da867a7d9952912f553

    SHA256

    72066a937a4c71230759f6e121c7b64c98c08abd649856aa4324e290662f1e5c

    SHA512

    606a1375bc7d6895b9b952cc12a8dec0efb36137c6efe62c03d7f24b2ab6f6b859bcd58199df6640be34fdc601286dcfd66971863c2a384f12405ce7ad3d5f21

    Download Submit

  • C:\Program Files (x86)\My Program\halving.exe
    MD5

    16f94b9ee6a8865ebd06f2722d63c5ab

    SHA1

    aced4aa11c89413ffedef1fb72692303b1c9ea5d

    SHA256

    a3a111a7fc2b6f2d056a760e4dffd73116f47aca543516de8a1c05f79fd1aef5

    SHA512

    1b9609b0d4e721158a284fe619620b9e276abeae54202d2339642684ebcbe2eaa4fe588b0271634b81ba58c2d67c46f8d1756b84bda34f6611c6ba84b99d7211

    Download Submit

  • C:\Program Files (x86)\My Program\halving.exe
    MD5

    ee5e8a644bb93e5f8be489bb5a967c8b

    SHA1

    d73e389526458acfeb365f3ad44c90444a649c28

    SHA256

    e03acef462cb3ee735b59e18e3774155402503be96875ee7eb16824384b36aee

    SHA512

    a2bc0bb9247d88cd3540e03e4665b5eda98d1123d825d41654ff9e10c0eac50c37fc17a3f0093b86c872fbdbfcda9b72c6ca813eb0ffcf8d904ee56cdc3d7887

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-2LC32.tmp\atikmdag-patcher 1.4.8.tmp
    MD5

    db27920346f23c1d742ec0722426417e

    SHA1

    adf18d452653e13ab5518706ea9c4c492a46f4f7

    SHA256

    a43522b8be197d4097bc7a04ac42e7bfb7e085e39969b58d0e4f2e7ff4cbc0f5

    SHA512

    43f57a95c574c92d8d73f9767844681e1a45c7def5dc79848d357a1cf437b7874325af12b72c226fcdd109a9f8824c4e735d515d04b7fa65186604309dad10e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-STJJ1.tmp\atikmdag-patcher 1.4.8.tmp
    MD5

    db27920346f23c1d742ec0722426417e

    SHA1

    adf18d452653e13ab5518706ea9c4c492a46f4f7

    SHA256

    a43522b8be197d4097bc7a04ac42e7bfb7e085e39969b58d0e4f2e7ff4cbc0f5

    SHA512

    43f57a95c574c92d8d73f9767844681e1a45c7def5dc79848d357a1cf437b7874325af12b72c226fcdd109a9f8824c4e735d515d04b7fa65186604309dad10e5

    Download Submit

  • \Program Files (x86)\My Program\doks.dll
    MD5

    c6702334a6112ad712f069db24d4a189

    SHA1

    f033f867483e775d78890f3756f74d3ea8ae06f7

    SHA256

    20e4004423a22a01ffcbb682d3aaf5a64f141359ae5054fdaeaddd57763c4463

    SHA512

    fc5683ef35f7a50a8cd4d71ef5b58ab96ea5b49dfeda7d1bdeb639e43ccfbb140367eaccaa4d5c216763baf7b0e1f5fd34cf70058c244256a88b094dcd95e21f

    Download Submit

  • memory/816-10-0x0000000000000000-mapping.dmp

    Download

  • memory/816-15-0x000000006EB80000-0x000000006EC70000-memory.dmp

    Filesize

    960KB

    Download

  • memory/816-16-0x0000000000400000-0x00000000006EA000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2824-7-0x0000000000000000-mapping.dmp

    Download

  • memory/3052-5-0x0000000000000000-mapping.dmp

    Download

  • memory/3240-4-0x0000000000000000-mapping.dmp

    Download

  • memory/4008-2-0x0000000000000000-mapping.dmp

    Download