Overview

overview

8

Static

static

Mortgage D...on.exe

windows7_x64

8

Mortgage D...on.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-02-2021 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mortgage Description.exe

  • Size

    864KB

  • MD5

    82ff2d4182e8d49b1553cfec4739011c

  • SHA1

    f1605f87331b2c980db3757adcfafb065e318f67

  • SHA256

    b57d694b6d1f9e0634953e8f5c1e4faf84fb50be806a8887dd5b31bfd58a167f

  • SHA512

    85e5e7fab18b096d334d3bf7625e071690f89cd4dffb6c46d30d15f1ec190bfc11c08b8f261d7f59db93fd90e56b4fb84e9efbf99cb779fb6844d4a80772a188

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mortgage Description.exe
    "C:\Users\Admin\AppData\Local\Temp\Mortgage Description.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Sheet Proffesional Reader" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Sheet Proffesional Reader" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe"
        3⤵
        • Adds Run key to start application
        PID:3468
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3732
      • C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe
        "C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe
          "C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:588

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/580-11-0x0000000008FE0000-0x0000000008FE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-8-0x0000000005710000-0x0000000005711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-14-0x0000000005711000-0x0000000005712000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-2-0x0000000073F80000-0x000000007466E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/580-3-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-5-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-6-0x0000000005740000-0x0000000005741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-7-0x00000000057E0000-0x00000000057E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/580-10-0x0000000006A90000-0x0000000006AAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/588-49-0x0000000073F80000-0x000000007466E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1616-24-0x0000000005010000-0x0000000005011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1616-30-0x0000000006140000-0x0000000006141000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1616-29-0x0000000006130000-0x000000000613B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1616-28-0x0000000005011000-0x0000000005012000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1616-18-0x0000000073F80000-0x000000007466E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3732-35-0x0000000073F80000-0x000000007466E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3732-50-0x00000000057D0000-0x00000000057D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3732-31-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3732-56-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4084-43-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4084-42-0x0000000073F80000-0x000000007466E000-memory.dmp

    Filesize

    6.9MB

    Download