Analysis

max time kernel:   149s
max time network:  111s
platform:          windows10_x64
resource:          win10v20201028
submitted:         30/01/2021, 14:16
Static task: static1

Behavioral task: behavioral1
  Sample:    772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  Resource:  win7v20201028
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:    772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  Resource:  win10v20201028
  0 signatures, 0 seconds
General

Target:  772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
Size:    31.3MB
MD5:     fa9649ba7f76190701b2f1ffaaf4d0df
SHA1:    dac66a285e89ee98cb84488df21f8c43c4acb5d3
SHA256:  772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae
SHA512:  9868a1cc7e9bf361c1d93bad871b88fae0f3c3fa1f15dce1d386f1e78fbda913d30ffd3d407706a34043357727e7db560924ffbd7e1ec4bc5dada7c9e74f6c11
Score:   8/10
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  2456  VSQ4v5aFgqPyUD8B.exe
  1764  VSQ4v5aFgqPyUD8B.tmp

Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description   ioc                                                   Process
  File created  C:\Users\Admin\Pictures\BackupMeasure.tiff.vovalex    772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  File created  C:\Users\Admin\Pictures\EnableWait.crw.vovalex        772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  File created  C:\Users\Admin\Pictures\RequestTest.raw.vovalex       772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  File created  C:\Users\Admin\Pictures\SubmitCopy.crw.vovalex        772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  File created  C:\Users\Admin\Pictures\SwitchProtect.png.vovalex     772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe

Opens file in notepad (likely ransom note) (1 IoC)
  pid   Process
  4060  notepad.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 864 wrote to memory of 2456    864   772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe  73
  PID 864 wrote to memory of 2456    864   772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe  73
  PID 864 wrote to memory of 2456    864   772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe  73
  PID 2456 wrote to memory of 1764   2456  VSQ4v5aFgqPyUD8B.exe                                                      76
  PID 2456 wrote to memory of 1764   2456  VSQ4v5aFgqPyUD8B.exe                                                      76
  PID 2456 wrote to memory of 1764   2456  VSQ4v5aFgqPyUD8B.exe                                                      76
  PID 864 wrote to memory of 4060    864   772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe  81
  PID 864 wrote to memory of 4060    864   772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe  81
Processes

C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe"
  Level: 1
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  PID: 864

  C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
    Level: 2
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2456

    C:\Users\Admin\AppData\Local\Temp\is-PC30D.tmp\VSQ4v5aFgqPyUD8B.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-PC30D.tmp\VSQ4v5aFgqPyUD8B.tmp" /SL5="$60030,31402076,326656,C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe"
      Level: 3
      - Executes dropped EXE
      PID: 1764

  C:\Windows\SYSTEM32\notepad.exe
    Command line: notepad C:\Users\Admin\Desktop\README.VOVALEX.txt
    Level: 2
    - Opens file in notepad (likely ransom note)
    PID: 4060