6577119386435584.zip

General

Target: 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
Filesize: 1MB
Completed: 29-03-2021 09:47
Score: 9/10
MD5: d86f451bbff804e59a549f9fb33d6e3f
SHA1: 3cb0cb07cc2542f1d98060adccda726ea865db98
SHA256: 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549

Malware Config
Signatures 5

Defense Evasion
  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000400000001ab77-4.dat | cryptone
    behavioral2/files/0x000400000001ab77-5.dat | cryptone
  • Executes dropped EXE
    Process: Alg

    Reported IOCs

    pid | process
    2240 | Alg
  • Modifies extensions of user files
    Process: Alg

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\EnterSwitch.tif => C:\Users\Admin\Pictures\EnterSwitch.tif.phoenix | Alg
    File opened for modification | C:\Users\Admin\Pictures\EnterSwitch.tif.phoenix | Alg
    File renamed | C:\Users\Admin\Pictures\StopResolve.tiff => C:\Users\Admin\Pictures\StopResolve.tiff.phoenix | Alg
    File opened for modification | C:\Users\Admin\Pictures\StopResolve.tiff.phoenix | Alg
    File renamed | C:\Users\Admin\Pictures\CheckpointOpen.tif => C:\Users\Admin\Pictures\CheckpointOpen.tif.phoenix | Alg
    File renamed | C:\Users\Admin\Pictures\CopyUnblock.tiff => C:\Users\Admin\Pictures\CopyUnblock.tiff.phoenix | Alg
    File opened for modification | C:\Users\Admin\Pictures\CopyUnblock.tiff.phoenix | Alg
    File opened for modification | C:\Users\Admin\Pictures\CheckpointOpen.tif.phoenix | Alg
    File renamed | C:\Users\Admin\Pictures\TraceDismount.raw => C:\Users\Admin\Pictures\TraceDismount.raw.phoenix | Alg
    File opened for modification | C:\Users\Admin\Pictures\TraceDismount.raw.phoenix | Alg
  • Suspicious use of WriteProcessMemory
    Processes: 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe, Alg, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 636 wrote to memory of 2240 | 636 | 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe | Alg
    PID 636 wrote to memory of 2240 | 636 | 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe | Alg
    PID 2240 wrote to memory of 756 | 2240 | Alg | cmd.exe
    PID 2240 wrote to memory of 756 | 2240 | Alg | cmd.exe
    PID 636 wrote to memory of 1968 | 636 | 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe | cmd.exe
    PID 636 wrote to memory of 1968 | 636 | 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe | cmd.exe
    PID 756 wrote to memory of 2756 | 756 | cmd.exe | waitfor.exe
    PID 756 wrote to memory of 2756 | 756 | cmd.exe | waitfor.exe
    PID 1968 wrote to memory of 3508 | 1968 | cmd.exe | waitfor.exe
    PID 1968 wrote to memory of 3508 | 1968 | cmd.exe | waitfor.exe
    PID 756 wrote to memory of 1148 | 756 | cmd.exe | attrib.exe
    PID 756 wrote to memory of 1148 | 756 | cmd.exe | attrib.exe
    PID 1968 wrote to memory of 3704 | 1968 | cmd.exe | attrib.exe
    PID 1968 wrote to memory of 3704 | 1968 | cmd.exe | attrib.exe
  • Views/modifies file attributes
    Processes: attrib.exe, attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    1148 | attrib.exe
    3704 | attrib.exe
Processes 8
  • C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
    "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe"
    Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Roaming\SetupOem\Alg
      C:\Users\Admin\AppData\Roaming\SetupOem\Alg /go
      Executes dropped EXE
      Modifies extensions of user files
      Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\SetupOem\Alg" & del "C:\Users\Admin\AppData\Roaming\SetupOem\Alg" & rd "C:\Users\Admin\AppData\Roaming\SetupOem\"
        Suspicious use of WriteProcessMemory
        PID:756
        • C:\Windows\system32\waitfor.exe
          waitfor /t 10 pause /d y
          PID:2756
        • C:\Windows\system32\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Roaming\SetupOem\Alg"
          Views/modifies file attributes
          PID:1148
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe" & del "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
      Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\system32\waitfor.exe
        waitfor /t 10 pause /d y
        PID:3508
      • C:\Windows\system32\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe"
        Views/modifies file attributes
        PID:3704
Network
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\SetupOem\Alg

    MD5: d86f451bbff804e59a549f9fb33d6e3f
    SHA1: 3cb0cb07cc2542f1d98060adccda726ea865db98
    SHA256: 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
    SHA512: c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2

  • memory/636-2-0x0000000002100000-0x00000000022C0000-memory.dmp
  • memory/756-7-0x0000000000000000-mapping.dmp
  • memory/1148-11-0x0000000000000000-mapping.dmp
  • memory/1968-8-0x0000000000000000-mapping.dmp
  • memory/2240-3-0x0000000000000000-mapping.dmp
  • memory/2756-9-0x0000000000000000-mapping.dmp
  • memory/3508-10-0x0000000000000000-mapping.dmp
  • memory/3704-12-0x0000000000000000-mapping.dmp