Resubmissions
14-04-2021 18:40  210414-wwxl5k1rpe  10
01-04-2021 07:51  210401-cy3ltwwlc2  10
06-03-2021 08:02  210306-p7443jak2n  10
Analysis
max time kernel: 11s
max time network: 69s
platform: windows10_x64
resource: win10v20201028
submitted: 06-03-2021 08:02
Static task: static1
Behavioral task: behavioral1
  Sample: hg_ransomware.exe.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: hg_ransomware.exe.dll
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: hg_ransomware.exe.dll
Size: 164KB
MD5: 6a85fe97ccaa29d09e5df824d4eaad59
SHA1: 1a21c93de1af252f9c293e4a39e63bc2775d2b02
SHA256: c678c05b05790006e56a25659eaa97520f426c6b2bbd7ccfb3ea30cc46d672f9
SHA512: a0c2749249ecdd4dd42389df8c89110ad1d0473a2b69f8aaf142a9b9faf5f6797231c49a060f534834fa69fe66a7aef85c7c02e5c4c121fbe118d0a93d8b9fff
Score: 10/10
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes: WerFault.exe
  description                pid   process       target process
  PID 2076 created 1268      2076  WerFault.exe  rundll32.exe

Program crash (1 IoC)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  2076  1268        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
  pid   process
  2076  WerFault.exe  (the same entry is repeated 14 times in the report)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
  description                pid   process
  Token: SeRestorePrivilege  2076  WerFault.exe
  Token: SeBackupPrivilege   2076  WerFault.exe
  Token: SeDebugPrivilege    2076  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                        pid   process       target process
  PID 1144 wrote to memory of 1268   1144  rundll32.exe  rundll32.exe
  PID 1144 wrote to memory of 1268   1144  rundll32.exe  rundll32.exe
  PID 1144 wrote to memory of 1268   1144  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\hg_ransomware.exe.dll,#1
  PID: 1144
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\hg_ransomware.exe.dll,#1
    PID: 1268
    C:\Windows\SysWOW64\WerFault.exe
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 744
      PID: 2076
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1268-2-0x0000000000000000-mapping.dmp
memory/1268-4-0x0000000005910000-0x0000000005911000-memory.dmp  Filesize: 4KB
memory/1268-3-0x0000000000A20000-0x0000000000A2A000-memory.dmp  Filesize: 40KB
memory/1268-5-0x0000000005920000-0x0000000005921000-memory.dmp  Filesize: 4KB
memory/1268-7-0x00000000059C0000-0x00000000059C6000-memory.dmp  Filesize: 24KB
memory/1268-6-0x00000000059B0000-0x00000000059B1000-memory.dmp  Filesize: 4KB
memory/2076-8-0x00000000049D0000-0x00000000049D1000-memory.dmp  Filesize: 4KB