Analysis
- max time kernel: 61s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-02-2021 16:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: e561ae3cedb6f9fc0ecff559c62788b0.exe
- Resource: win7v20201028
General
- Target: e561ae3cedb6f9fc0ecff559c62788b0.exe
- Size: 293KB
- MD5: e561ae3cedb6f9fc0ecff559c62788b0
- SHA1: de34eb34e2c489386fb32dd96469e7fdcef617d9
- SHA256: 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
- SHA512: c3abd85394b75b05b2bb7c53c28e3d1309226294c16594e6704e009f49353c45de4fcf632222f55529916181ce545485d6fd26d14eecb3db91b625ba9730d757
Malware Config
Extracted:
- gootkit
- 8888
- sslsecurehost.com
- securessl256.com
- vendor_id: 8888
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 4172 set thread context of 3284 | 4172 | e561ae3cedb6f9fc0ecff559c62788b0.exe | e561ae3cedb6f9fc0ecff559c62788b0.exe
- Suspicious behavior: EnumeratesProcesses (90 IoCs)
  Processes (pid | process):
    3836 | mstsc.exe (this single entry is repeated for every IoC in the list)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid | process):
    3284 | e561ae3cedb6f9fc0ecff559c62788b0.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description | pid | process | target process; identical entries collapsed with a repeat count):
    PID 4684 wrote to memory of 4172 | 4684 | e561ae3cedb6f9fc0ecff559c62788b0.exe | e561ae3cedb6f9fc0ecff559c62788b0.exe (x3)
    PID 4172 wrote to memory of 3284 | 4172 | e561ae3cedb6f9fc0ecff559c62788b0.exe | e561ae3cedb6f9fc0ecff559c62788b0.exe (x9)
    PID 3284 wrote to memory of 3836 | 3284 | e561ae3cedb6f9fc0ecff559c62788b0.exe | mstsc.exe (x8)
    PID 3836 wrote to memory of 3568 | 3836 | mstsc.exe | cmd.exe (x3)
    PID 3568 wrote to memory of 4056 | 3568 | cmd.exe | attrib.exe (x3)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe" -l
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\SysWOW64\mstsc.exe
        Command line: C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259276781.bat" "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe""
          - Suspicious use of WriteProcessMemory
          - Level 6: C:\Windows\SysWOW64\attrib.exe
            Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e561ae3cedb6f9fc0ecff559c62788b0.exe"
            - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\259276781.bat
  MD5: 7b569f3b7cebae84513d4385c4336185
  SHA1: 7e0eb7c0e5120685bde25741e139adbb871c92cf
  SHA256: ea8ca59e1ff3564ab382604ae12d09a6975baefe26bbdbbbb69c53480329f309
  SHA512: a1fd7ff62aae4552e40ff122a77b3da07b46defcde581ea13436fb07df35a0cf931cc8a15b33205713a7d8d7ad58c392f7930f4e9ecc548df0441726fa2f644f
- memory/3284-3-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3284-4-0x000000000040EA92-mapping.dmp
- memory/3284-6-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3568-8-0x0000000000000000-mapping.dmp
- memory/3836-5-0x0000000000000000-mapping.dmp
- memory/3836-7-0x0000000002E70000-0x0000000002E90000-memory.dmp (Filesize: 128KB)
- memory/4056-10-0x0000000000000000-mapping.dmp
- memory/4172-2-0x0000000000000000-mapping.dmp