c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9

Resubmissions

14-04-2021 18:40

01-04-2021 07:51

06-03-2021 08:02

Target

hg_ransomware.exe.dll
Size

164KB
MD5

6a85fe97ccaa29d09e5df824d4eaad59
SHA1

1a21c93de1af252f9c293e4a39e63bc2775d2b02
SHA256

c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9
SHA512

a0c2749249ecdd4dd42389df8c89110ad1d0473a2b69f8aaf142a9b9faf5f6797231c49a060f534834fa69fe66a7aef85c7c02e5c4c121fbe118d0a93d8b9fff

Score

1^/10

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 548 wrote to memory of 1760	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 1760	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 1760	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 1760	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 1760	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 1760	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 1760	548	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\hg_ransomware.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\hg_ransomware.exe.dll,#1
2⤵
PID:1760

memory/1760-2-0x0000000000000000-mapping.dmp

Download
memory/1760-3-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1760-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1760-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1760-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1760-8-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1760-4-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download