Analysis
-
max time kernel
8s -
max time network
9s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
29-03-2021 09:44
Behavioral task
behavioral1
Sample
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
Resource
win10v20201028
General
-
Target
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
-
Size
1.9MB
-
MD5
d86f451bbff804e59a549f9fb33d6e3f
-
SHA1
3cb0cb07cc2542f1d98060adccda726ea865db98
-
SHA256
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
-
SHA512
c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
Malware Config
Signatures
-
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\CenterLibrary\Tip cryptone \Users\Admin\AppData\Roaming\CenterLibrary\Tip cryptone C:\Users\Admin\AppData\Roaming\CenterLibrary\Tip cryptone C:\Users\Admin\AppData\Roaming\CenterLibrary\Tip cryptone -
Executes dropped EXE 1 IoCs
Processes:
Tippid process 1768 Tip -
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Tipdescription ioc process File opened for modification C:\Users\Admin\Pictures\MergeFormat.raw.phoenix Tip File renamed C:\Users\Admin\Pictures\UpdateGrant.crw => C:\Users\Admin\Pictures\UpdateGrant.crw.phoenix Tip File opened for modification C:\Users\Admin\Pictures\UpdateGrant.crw.phoenix Tip File renamed C:\Users\Admin\Pictures\MergeFormat.raw => C:\Users\Admin\Pictures\MergeFormat.raw.phoenix Tip -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1660 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exepid process 1740 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe 1740 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exeTipcmd.execmd.exedescription pid process target process PID 1740 wrote to memory of 1768 1740 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe Tip PID 1740 wrote to memory of 1768 1740 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe Tip PID 1740 wrote to memory of 1768 1740 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe Tip PID 1768 wrote to memory of 1692 1768 Tip cmd.exe PID 1768 wrote to memory of 1692 1768 Tip cmd.exe PID 1768 wrote to memory of 1692 1768 Tip cmd.exe PID 1740 wrote to memory of 1660 1740 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe cmd.exe PID 1740 wrote to memory of 1660 1740 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe cmd.exe PID 1740 wrote to memory of 1660 1740 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe cmd.exe PID 1692 wrote to memory of 1104 1692 cmd.exe waitfor.exe PID 1692 wrote to memory of 1104 1692 cmd.exe waitfor.exe PID 1692 wrote to memory of 1104 1692 cmd.exe waitfor.exe PID 1660 wrote to memory of 1092 1660 cmd.exe waitfor.exe PID 1660 wrote to memory of 1092 1660 cmd.exe waitfor.exe PID 1660 wrote to memory of 1092 1660 cmd.exe waitfor.exe PID 1692 wrote to memory of 268 1692 cmd.exe attrib.exe PID 1692 wrote to memory of 268 1692 cmd.exe attrib.exe PID 1692 wrote to memory of 268 1692 cmd.exe attrib.exe PID 1660 wrote to memory of 852 1660 cmd.exe attrib.exe PID 1660 wrote to memory of 852 1660 cmd.exe attrib.exe PID 1660 wrote to memory of 852 1660 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 268 attrib.exe 852 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe"C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\CenterLibrary\TipC:\Users\Admin\AppData\Roaming\CenterLibrary\Tip /go2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\CenterLibrary\Tip" & del "C:\Users\Admin\AppData\Roaming\CenterLibrary\Tip" & rd "C:\Users\Admin\AppData\Roaming\CenterLibrary\"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y4⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\CenterLibrary\Tip"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe" & del "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe"3⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\CenterLibrary\TipMD5
d86f451bbff804e59a549f9fb33d6e3f
SHA13cb0cb07cc2542f1d98060adccda726ea865db98
SHA256008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA512c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
C:\Users\Admin\AppData\Roaming\CenterLibrary\TipMD5
d86f451bbff804e59a549f9fb33d6e3f
SHA13cb0cb07cc2542f1d98060adccda726ea865db98
SHA256008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA512c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
\Users\Admin\AppData\Roaming\CenterLibrary\TipMD5
d86f451bbff804e59a549f9fb33d6e3f
SHA13cb0cb07cc2542f1d98060adccda726ea865db98
SHA256008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA512c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
\Users\Admin\AppData\Roaming\CenterLibrary\TipMD5
d86f451bbff804e59a549f9fb33d6e3f
SHA13cb0cb07cc2542f1d98060adccda726ea865db98
SHA256008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA512c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
memory/268-12-0x0000000000000000-mapping.dmp
-
memory/852-14-0x0000000000000000-mapping.dmp
-
memory/1092-11-0x0000000000000000-mapping.dmp
-
memory/1104-10-0x0000000000000000-mapping.dmp
-
memory/1660-9-0x0000000000000000-mapping.dmp
-
memory/1692-8-0x0000000000000000-mapping.dmp
-
memory/1740-6-0x0000000001CA0000-0x0000000001E60000-memory.dmpFilesize
1.8MB
-
memory/1768-4-0x0000000000000000-mapping.dmp