Resubmissions

12/03/2021, 08:12

210312-pn455svld2 6

12/03/2021, 08:08

210312-qlkwxgey26 6

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    12/03/2021, 08:12

General

  • Target

    ransomw.exe

  • Size

    2.5MB

  • MD5

    8243dc32479532fcb82669da4b81a9d1

  • SHA1

    3580a4719ded43c0bbc40d2e26abc0868811a03f

  • SHA256

    4ad3332742b46d2a60a21ca009941fd85a3e58cd635df5a1c3ed0888061a1fda

  • SHA512

    8a88c38f4507e64b4cfe6d13c7e4e98ad86dc15df9051badc5fb283f1a24f4549c0c14055a3d42a59f31b8d5da074cc3f8356acce9683190dd4a95fe7ae0da4d

Score
6/10

Malware Config

Signatures

  • Drops desktop.ini file(s) 28 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomw.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomw.exe"
    1⤵
    • Drops desktop.ini file(s)
    PID:1676
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BAD_GOPHER.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:112
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\FILES_ENCRYPTED.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1360 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:308
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\READ_TO_DECRYPT.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1348 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:936
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1280
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2f4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:976

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/112-3-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp
    Filesize
    8KB
  • memory/848-4-0x000007FEF6460000-0x000007FEF66DA000-memory.dmp
    Filesize
    2.5MB
  • memory/936-8-0x0000000075F21000-0x0000000075F23000-memory.dmp
    Filesize
    8KB
  • memory/1676-2-0x0000000000400000-0x000000000069D000-memory.dmp
    Filesize
    2.6MB