Analysis
-
max time kernel
61s -
max time network
66s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-03-2021 09:44
Behavioral task
behavioral1
Sample
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
Resource
win10v20201028
General
-
Target
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe
-
Size
1.9MB
-
MD5
d86f451bbff804e59a549f9fb33d6e3f
-
SHA1
3cb0cb07cc2542f1d98060adccda726ea865db98
-
SHA256
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
-
SHA512
c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
Malware Config
Signatures
-
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\SetupOem\Alg cryptone C:\Users\Admin\AppData\Roaming\SetupOem\Alg cryptone -
Executes dropped EXE 1 IoCs
Processes:
Algpid process 2240 Alg -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Algdescription ioc process File renamed C:\Users\Admin\Pictures\EnterSwitch.tif => C:\Users\Admin\Pictures\EnterSwitch.tif.phoenix Alg File opened for modification C:\Users\Admin\Pictures\EnterSwitch.tif.phoenix Alg File renamed C:\Users\Admin\Pictures\StopResolve.tiff => C:\Users\Admin\Pictures\StopResolve.tiff.phoenix Alg File opened for modification C:\Users\Admin\Pictures\StopResolve.tiff.phoenix Alg File renamed C:\Users\Admin\Pictures\CheckpointOpen.tif => C:\Users\Admin\Pictures\CheckpointOpen.tif.phoenix Alg File renamed C:\Users\Admin\Pictures\CopyUnblock.tiff => C:\Users\Admin\Pictures\CopyUnblock.tiff.phoenix Alg File opened for modification C:\Users\Admin\Pictures\CopyUnblock.tiff.phoenix Alg File opened for modification C:\Users\Admin\Pictures\CheckpointOpen.tif.phoenix Alg File renamed C:\Users\Admin\Pictures\TraceDismount.raw => C:\Users\Admin\Pictures\TraceDismount.raw.phoenix Alg File opened for modification C:\Users\Admin\Pictures\TraceDismount.raw.phoenix Alg -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exeAlgcmd.execmd.exedescription pid process target process PID 636 wrote to memory of 2240 636 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe Alg PID 636 wrote to memory of 2240 636 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe Alg PID 2240 wrote to memory of 756 2240 Alg cmd.exe PID 2240 wrote to memory of 756 2240 Alg cmd.exe PID 636 wrote to memory of 1968 636 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe cmd.exe PID 636 wrote to memory of 1968 636 008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe cmd.exe PID 756 wrote to memory of 2756 756 cmd.exe waitfor.exe PID 756 wrote to memory of 2756 756 cmd.exe waitfor.exe PID 1968 wrote to memory of 3508 1968 cmd.exe waitfor.exe PID 1968 wrote to memory of 3508 1968 cmd.exe waitfor.exe PID 756 wrote to memory of 1148 756 cmd.exe attrib.exe PID 756 wrote to memory of 1148 756 cmd.exe attrib.exe PID 1968 wrote to memory of 3704 1968 cmd.exe attrib.exe PID 1968 wrote to memory of 3704 1968 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 1148 attrib.exe 3704 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe"C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SetupOem\AlgC:\Users\Admin\AppData\Roaming\SetupOem\Alg /go2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\SetupOem\Alg" & del "C:\Users\Admin\AppData\Roaming\SetupOem\Alg" & rd "C:\Users\Admin\AppData\Roaming\SetupOem\"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y4⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\SetupOem\Alg"4⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe" & del "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549.exe"3⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\SetupOem\AlgMD5
d86f451bbff804e59a549f9fb33d6e3f
SHA13cb0cb07cc2542f1d98060adccda726ea865db98
SHA256008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA512c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
C:\Users\Admin\AppData\Roaming\SetupOem\AlgMD5
d86f451bbff804e59a549f9fb33d6e3f
SHA13cb0cb07cc2542f1d98060adccda726ea865db98
SHA256008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA512c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
memory/636-2-0x0000000002100000-0x00000000022C0000-memory.dmpFilesize
1.8MB
-
memory/756-7-0x0000000000000000-mapping.dmp
-
memory/1148-11-0x0000000000000000-mapping.dmp
-
memory/1968-8-0x0000000000000000-mapping.dmp
-
memory/2240-3-0x0000000000000000-mapping.dmp
-
memory/2756-9-0x0000000000000000-mapping.dmp
-
memory/3508-10-0x0000000000000000-mapping.dmp
-
memory/3704-12-0x0000000000000000-mapping.dmp