Analysis
- max time kernel: 10s
- max time network: 12s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-03-2021 16:25
Behavioral task behavioral1
- Sample: mod_c.exe
- Resource: win7v20201028
Behavioral task behavioral2
- Sample: mod_c.exe
- Resource: win10v20201028
General
- Target: mod_c.exe
- Size: 1.8MB
- MD5: be4c5e4713009e5446ee042ba7c33fe0
- SHA1: f8e52380b6f3668d4de6df416c8da389c0d98fe8
- SHA256: 7272457bac023e7ab635fc3d82212a89918de36d5433dd389e6151805e47b0cd
- SHA512: 96612ab271e5adbfc911d65abc5ed56973d3539ff98c10e13daac782dcbfa43606ed89fa8efa0b203fd000cbbf76fea04d3844723c9dc075ba9a4fe55cb78e4d
Malware Config
Extracted:
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-dvxr9.txt
- http://o76s3m7l5ogig4u5.onion
Signatures
-
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\MediaDial\Draw | cryptone
C:\Users\Admin\AppData\Roaming\MediaDial\Draw | cryptone
\Users\Admin\AppData\Roaming\MediaDial\Draw | cryptone
C:\Users\Admin\AppData\Roaming\MediaDial\Draw | cryptone
Executes dropped EXE 1 IoCs
Processes:
pid | process
1992 | Draw
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ExpandJoin.raw => C:\Users\Admin\Pictures\ExpandJoin.raw.dvxr9 | Draw
File renamed | C:\Users\Admin\Pictures\AddRegister.crw => C:\Users\Admin\Pictures\AddRegister.crw.dvxr9 | Draw
File renamed | C:\Users\Admin\Pictures\ApproveEnable.tif => C:\Users\Admin\Pictures\ApproveEnable.tif.dvxr9 | Draw
File opened for modification | C:\Users\Admin\Pictures\ApproveEnable.tif.dvxr9 | Draw
File opened for modification | C:\Users\Admin\Pictures\GrantCompress.tiff.dvxr9 | Draw
File renamed | C:\Users\Admin\Pictures\LimitUpdate.tif => C:\Users\Admin\Pictures\LimitUpdate.tif.dvxr9 | Draw
File opened for modification | C:\Users\Admin\Pictures\LimitUpdate.tif.dvxr9 | Draw
File renamed | C:\Users\Admin\Pictures\RegisterLimit.tiff => C:\Users\Admin\Pictures\RegisterLimit.tiff.dvxr9 | Draw
File opened for modification | C:\Users\Admin\Pictures\RegisterLimit.tiff.dvxr9 | Draw
File opened for modification | C:\Users\Admin\Pictures\AddRegister.crw.dvxr9 | Draw
File opened for modification | C:\Users\Admin\Pictures\ExpandJoin.raw.dvxr9 | Draw
File renamed | C:\Users\Admin\Pictures\GrantCompress.tiff => C:\Users\Admin\Pictures\GrantCompress.tiff.dvxr9 | Draw
Deletes itself 1 IoCs
Processes:
pid | process
608 | cmd.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
1832 | mod_c.exe
1832 | mod_c.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 1832 wrote to memory of 1992 | 1832 | mod_c.exe | Draw
PID 1832 wrote to memory of 1992 | 1832 | mod_c.exe | Draw
PID 1832 wrote to memory of 1992 | 1832 | mod_c.exe | Draw
PID 1992 wrote to memory of 1660 | 1992 | Draw | cmd.exe
PID 1992 wrote to memory of 1660 | 1992 | Draw | cmd.exe
PID 1992 wrote to memory of 1660 | 1992 | Draw | cmd.exe
PID 1832 wrote to memory of 608 | 1832 | mod_c.exe | cmd.exe
PID 1832 wrote to memory of 608 | 1832 | mod_c.exe | cmd.exe
PID 1832 wrote to memory of 608 | 1832 | mod_c.exe | cmd.exe
PID 1660 wrote to memory of 996 | 1660 | cmd.exe | waitfor.exe
PID 1660 wrote to memory of 996 | 1660 | cmd.exe | waitfor.exe
PID 1660 wrote to memory of 996 | 1660 | cmd.exe | waitfor.exe
PID 608 wrote to memory of 1724 | 608 | cmd.exe | waitfor.exe
PID 608 wrote to memory of 1724 | 608 | cmd.exe | waitfor.exe
PID 608 wrote to memory of 1724 | 608 | cmd.exe | waitfor.exe
PID 608 wrote to memory of 1708 | 608 | cmd.exe | attrib.exe
PID 608 wrote to memory of 1708 | 608 | cmd.exe | attrib.exe
PID 608 wrote to memory of 1708 | 608 | cmd.exe | attrib.exe
PID 1660 wrote to memory of 1544 | 1660 | cmd.exe | attrib.exe
PID 1660 wrote to memory of 1544 | 1660 | cmd.exe | attrib.exe
PID 1660 wrote to memory of 1544 | 1660 | cmd.exe | attrib.exe
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid | process
1708 | attrib.exe
1544 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\mod_c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mod_c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\MediaDial\Draw (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\MediaDial\Draw /go
    - Executes dropped EXE
    - Modifies extensions of user files
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (depth 3)
      Command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\MediaDial\Draw" & del "C:\Users\Admin\AppData\Roaming\MediaDial\Draw" & rd "C:\Users\Admin\AppData\Roaming\MediaDial\"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\waitfor.exe (depth 4)
        Command line: waitfor /t 10 pause /d y
      - C:\Windows\system32\attrib.exe (depth 4)
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\MediaDial\Draw"
        - Views/modifies file attributes
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\mod_c.exe" & del "C:\Users\Admin\AppData\Local\Temp\mod_c.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\waitfor.exe (depth 3)
      Command line: waitfor /t 10 pause /d y
    - C:\Windows\system32\attrib.exe (depth 3)
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\mod_c.exe"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\MediaDial\Draw
  MD5: be4c5e4713009e5446ee042ba7c33fe0
  SHA1: f8e52380b6f3668d4de6df416c8da389c0d98fe8
  SHA256: 7272457bac023e7ab635fc3d82212a89918de36d5433dd389e6151805e47b0cd
  SHA512: 96612ab271e5adbfc911d65abc5ed56973d3539ff98c10e13daac782dcbfa43606ed89fa8efa0b203fd000cbbf76fea04d3844723c9dc075ba9a4fe55cb78e4d
- \Users\Admin\AppData\Roaming\MediaDial\Draw
  MD5: be4c5e4713009e5446ee042ba7c33fe0
  SHA1: f8e52380b6f3668d4de6df416c8da389c0d98fe8
  SHA256: 7272457bac023e7ab635fc3d82212a89918de36d5433dd389e6151805e47b0cd
  SHA512: 96612ab271e5adbfc911d65abc5ed56973d3539ff98c10e13daac782dcbfa43606ed89fa8efa0b203fd000cbbf76fea04d3844723c9dc075ba9a4fe55cb78e4d
- memory/608-9-0x0000000000000000-mapping.dmp
- memory/996-10-0x0000000000000000-mapping.dmp
- memory/1544-13-0x0000000000000000-mapping.dmp
- memory/1660-8-0x0000000000000000-mapping.dmp
- memory/1708-12-0x0000000000000000-mapping.dmp
- memory/1724-11-0x0000000000000000-mapping.dmp
- memory/1832-6-0x0000000001D50000-0x0000000001F14000-memory.dmp
  Filesize: 1.8MB
- memory/1992-4-0x0000000000000000-mapping.dmp