Analysis
- max time kernel: 149s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 30-01-2021 14:16
Static task: static1
Behavioral task: behavioral1
- Sample: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
- Resource: win10v20201028
General
- Target: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
- Size: 31.3MB
- MD5: fa9649ba7f76190701b2f1ffaaf4d0df
- SHA1: dac66a285e89ee98cb84488df21f8c43c4acb5d3
- SHA256: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae
- SHA512: 9868a1cc7e9bf361c1d93bad871b88fae0f3c3fa1f15dce1d386f1e78fbda913d30ffd3d407706a34043357727e7db560924ffbd7e1ec4bc5dada7c9e74f6c11
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  2456 VSQ4v5aFgqPyUD8B.exe
  1764 VSQ4v5aFgqPyUD8B.tmp
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
  File created C:\Users\Admin\Pictures\BackupMeasure.tiff.vovalex by 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  File created C:\Users\Admin\Pictures\EnableWait.crw.vovalex by 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  File created C:\Users\Admin\Pictures\RequestTest.raw.vovalex by 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  File created C:\Users\Admin\Pictures\SubmitCopy.crw.vovalex by 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  File created C:\Users\Admin\Pictures\SwitchProtect.png.vovalex by 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid, process):
  4060 notepad.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 864 wrote to memory of 2456: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe -> VSQ4v5aFgqPyUD8B.exe
  PID 864 wrote to memory of 2456: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe -> VSQ4v5aFgqPyUD8B.exe
  PID 864 wrote to memory of 2456: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe -> VSQ4v5aFgqPyUD8B.exe
  PID 2456 wrote to memory of 1764: VSQ4v5aFgqPyUD8B.exe -> VSQ4v5aFgqPyUD8B.tmp
  PID 2456 wrote to memory of 1764: VSQ4v5aFgqPyUD8B.exe -> VSQ4v5aFgqPyUD8B.tmp
  PID 2456 wrote to memory of 1764: VSQ4v5aFgqPyUD8B.exe -> VSQ4v5aFgqPyUD8B.tmp
  PID 864 wrote to memory of 4060: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe -> notepad.exe
  PID 864 wrote to memory of 4060: 772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe -> notepad.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\772c627fc0b70e0454ff2e5464b9ee713a44a35298deba43f420e4fd21a0aeae.bin.exe"
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Local\Temp\is-PC30D.tmp\VSQ4v5aFgqPyUD8B.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-PC30D.tmp\VSQ4v5aFgqPyUD8B.tmp" /SL5="$60030,31402076,326656,C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe"
      - Executes dropped EXE
  - (level 2) C:\Windows\SYSTEM32\notepad.exe
    Command line: notepad C:\Users\Admin\Desktop\README.VOVALEX.txt
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\VSQ4v5aFgqPyUD8B.exe
  MD5: 70ed5e8a31519ec2fd1131020fe8421b
  SHA1: 1fb74d8d39e7c8a36113ab51f14422930c3b9128
  SHA256: 7f329d5a3d12b3b9584c98a4d0e40e6ccff21a12bf57cade16820557c45aba13
  SHA512: 59650f55738281d6421723e1c04976f6602f6431fa7e804992bd6ed485bf8415518c8b3d01c0aec186325ef1fb6ff6a0fb82e1d2ec31506f4529a17f940e277b
- C:\Users\Admin\AppData\Local\Temp\is-PC30D.tmp\VSQ4v5aFgqPyUD8B.tmp
  MD5: 3a7636d874b391801839c0bee90bed21
  SHA1: 7a5fedd3653e8240739b4ae4490a9872b813ee6c
  SHA256: 2f7bba5e7d5c127d9372d7e7f1dabb83c077f547fe15ad15431b7a686a079fe8
  SHA512: ed993f0a19d11afa0a821659462ed205bc990c3637a0e4d2292f0fb85c0c1491006966bdd32aefd2567ec8f86e8e579c3b8c40721e87d5ea62fdb16e0f6f0314
- C:\Users\Admin\Desktop\README.VOVALEX.txt
  MD5: 5de7a461e4e950b78e7b1eaefd878586
  SHA1: d18e133da877744b4d5840cfd18463e38cc10da8
  SHA256: bfb864e40e17252fe05010f7ff3f2c22d23dd0206bf1ac6b287831a0c9fd9406
  SHA512: efd296b54852df2cd65bf08072787cc1a30c25ba954cf2f48cb91d68fadfff846ac071a788dfae46f7e7fb193d3f9bf7159bd37dd0bdf1ca31a819f4c62eae91
- memory/864-2-0x0000000000920000-0x0000000000921000-memory.dmp (Filesize: 4KB)
- memory/1764-6-0x0000000000000000-mapping.dmp
- memory/1764-9-0x0000000000700000-0x0000000000701000-memory.dmp (Filesize: 4KB)
- memory/2456-3-0x0000000000000000-mapping.dmp
- memory/2456-8-0x0000000000401000-0x0000000000412000-memory.dmp (Filesize: 68KB)
- memory/4060-10-0x0000000000000000-mapping.dmp