Analysis
- max time kernel: 42s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-03-2021 16:25

Behavioral task: behavioral1
- Sample: mod_c.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: mod_c.exe
- Resource: win10v20201028
General
- Target: mod_c.exe
- Size: 1.8MB
- MD5: be4c5e4713009e5446ee042ba7c33fe0
- SHA1: f8e52380b6f3668d4de6df416c8da389c0d98fe8
- SHA256: 7272457bac023e7ab635fc3d82212a89918de36d5433dd389e6151805e47b0cd
- SHA512: 96612ab271e5adbfc911d65abc5ed56973d3539ff98c10e13daac782dcbfa43606ed89fa8efa0b203fd000cbbf76fea04d3844723c9dc075ba9a4fe55cb78e4d
Malware Config
Extracted
- C:\HOW-TO-DECRYPT-dvxr9.txt
- http://o76s3m7l5ogig4u5.onion
Signatures
-
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method | cryptone
  C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method | cryptone
-
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  4148 | Method
-
Modifies extensions of user files (12 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\CloseComplete.crw.dvxr9 | Method
  File opened for modification | C:\Users\Admin\Pictures\DisconnectCompress.tif.dvxr9 | Method
  File renamed | C:\Users\Admin\Pictures\ExitEnable.raw => C:\Users\Admin\Pictures\ExitEnable.raw.dvxr9 | Method
  File opened for modification | C:\Users\Admin\Pictures\ExitEnable.raw.dvxr9 | Method
  File renamed | C:\Users\Admin\Pictures\AssertShow.tif => C:\Users\Admin\Pictures\AssertShow.tif.dvxr9 | Method
  File opened for modification | C:\Users\Admin\Pictures\AddProtect.raw.dvxr9 | Method
  File opened for modification | C:\Users\Admin\Pictures\AssertShow.tif.dvxr9 | Method
  File renamed | C:\Users\Admin\Pictures\CloseComplete.crw => C:\Users\Admin\Pictures\CloseComplete.crw.dvxr9 | Method
  File renamed | C:\Users\Admin\Pictures\DisconnectCompress.tif => C:\Users\Admin\Pictures\DisconnectCompress.tif.dvxr9 | Method
  File renamed | C:\Users\Admin\Pictures\RevokeMove.png => C:\Users\Admin\Pictures\RevokeMove.png.dvxr9 | Method
  File opened for modification | C:\Users\Admin\Pictures\RevokeMove.png.dvxr9 | Method
  File renamed | C:\Users\Admin\Pictures\AddProtect.raw => C:\Users\Admin\Pictures\AddProtect.raw.dvxr9 | Method
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description | pid | process | target process
  PID 4768 wrote to memory of 4148 | 4768 | mod_c.exe | Method
  PID 4768 wrote to memory of 4148 | 4768 | mod_c.exe | Method
  PID 4148 wrote to memory of 556 | 4148 | Method | cmd.exe
  PID 4148 wrote to memory of 556 | 4148 | Method | cmd.exe
  PID 4768 wrote to memory of 980 | 4768 | mod_c.exe | cmd.exe
  PID 4768 wrote to memory of 980 | 4768 | mod_c.exe | cmd.exe
  PID 556 wrote to memory of 944 | 556 | cmd.exe | waitfor.exe
  PID 556 wrote to memory of 944 | 556 | cmd.exe | waitfor.exe
  PID 556 wrote to memory of 1156 | 556 | cmd.exe | attrib.exe
  PID 556 wrote to memory of 1156 | 556 | cmd.exe | attrib.exe
  PID 980 wrote to memory of 1304 | 980 | cmd.exe | waitfor.exe
  PID 980 wrote to memory of 1304 | 980 | cmd.exe | waitfor.exe
  PID 980 wrote to memory of 1396 | 980 | cmd.exe | attrib.exe
  PID 980 wrote to memory of 1396 | 980 | cmd.exe | attrib.exe
-
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
  pid | process
  1156 | attrib.exe
  1396 | attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\mod_c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\mod_c.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method
    command line: C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method /go
    - Executes dropped EXE
    - Modifies extensions of user files
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SYSTEM32\cmd.exe
      command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method" & del "C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method" & rd "C:\Users\Admin\AppData\Roaming\MsimeReceiver\"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\waitfor.exe
        command line: waitfor /t 10 pause /d y
      - [4] C:\Windows\system32\attrib.exe
        command line: attrib -h "C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method"
        - Views/modifies file attributes
  - [2] C:\Windows\SYSTEM32\cmd.exe
    command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\mod_c.exe" & del "C:\Users\Admin\AppData\Local\Temp\mod_c.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\waitfor.exe
      command line: waitfor /t 10 pause /d y
    - [3] C:\Windows\system32\attrib.exe
      command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\mod_c.exe"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method
  MD5: be4c5e4713009e5446ee042ba7c33fe0
  SHA1: f8e52380b6f3668d4de6df416c8da389c0d98fe8
  SHA256: 7272457bac023e7ab635fc3d82212a89918de36d5433dd389e6151805e47b0cd
  SHA512: 96612ab271e5adbfc911d65abc5ed56973d3539ff98c10e13daac782dcbfa43606ed89fa8efa0b203fd000cbbf76fea04d3844723c9dc075ba9a4fe55cb78e4d
- memory/556-7-0x0000000000000000-mapping.dmp
- memory/944-9-0x0000000000000000-mapping.dmp
- memory/980-8-0x0000000000000000-mapping.dmp
- memory/1156-10-0x0000000000000000-mapping.dmp
- memory/1304-11-0x0000000000000000-mapping.dmp
- memory/1396-12-0x0000000000000000-mapping.dmp
- memory/4148-3-0x0000000000000000-mapping.dmp
- memory/4768-2-0x0000000002050000-0x0000000002214000-memory.dmp (Filesize: 1.8MB)