2b873b527a7c4095247febb6ccbe32eca19a5adbe563c76606ab16814dd3975b | Triage

Analysis

max time kernel
123s
max time network
122s
platform
windows7_x64
resource
win7v20201028
submitted
05-02-2021 12:35

Sharing

Report Analysis Logs

General

Target

sample.exe
Size

123KB
MD5

fb603212ae67789de5ce5f41a6d0705e
SHA1

1ff8e880a61c4b932b8f52e8353a5310152ba160
SHA256

3ccc016464e41de7be959c3b00bda1296eee1c50a2897e05c1abbc9034b23027
SHA512

45ebd60fe2801b60e061a2eaf58e016f1f966a688b2fc205e097cc67824e3c259d3271e78f644ab81671ff381ed8aec125499bc071ab3657b08ef36e55b849eb

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

Processes:

sample.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\DismountDebug.raw.locked	sample.exe
File created	C:\Users\Admin\Pictures\HideEdit.tif.locked	sample.exe
File created	C:\Users\Admin\Pictures\RepairStep.crw.locked	sample.exe
File created	C:\Users\Admin\Pictures\SendRedo.tiff.locked	sample.exe
File created	C:\Users\Admin\Pictures\SetSearch.tif.locked	sample.exe
File created	C:\Users\Admin\Pictures\UnblockWrite.crw.locked	sample.exe
File created	C:\Users\Admin\Pictures\UnpublishUnregister.tiff.locked	sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishUnregister.tiff	sample.exe
File created	C:\Users\Admin\Pictures\PublishWrite.tif.locked	sample.exe
File created	C:\Users\Admin\Pictures\SearchInitialize.crw.locked	sample.exe
File opened for modification	C:\Users\Admin\Pictures\SendRedo.tiff	sample.exe
File created	C:\Users\Admin\Pictures\StepPush.tiff.locked	sample.exe
File opened for modification	C:\Users\Admin\Pictures\StepPush.tiff	sample.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:1152

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-2-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1152-3-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1152-5-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1152-6-0x0000000004CD5000-0x0000000004CE6000-memory.dmp

Filesize
68KB

Download