59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Analysis

max time kernel
138s
max time network
119s
platform
windows7_x64
resource
win7v20201028
submitted
30/03/2021, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
Size

279KB
MD5

5df4ac6e94ae7e9f9eb28d8f7f464946
SHA1

79f222f94fa265896c5e4578b91ed4ebc100058d
SHA256

3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f
SHA512

18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a

Score

8^/10

dave

Malware Config

Signatures

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

resource	yara_rule
behavioral17/memory/792-4-0x0000000000240000-0x0000000000266000-memory.dmp	dave

Executes dropped EXE 1 IoCs

pid	Process
272	jLgfwLWvWrep.exe

Loads dropped DLL 2 IoCs

pid	Process
792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 272	792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	30
PID 792 wrote to memory of 272	792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	30
PID 792 wrote to memory of 272	792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	30
PID 792 wrote to memory of 272	792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	30
PID 792 wrote to memory of 436	792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 792 wrote to memory of 436	792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 792 wrote to memory of 436	792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 792 wrote to memory of 436	792	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32

C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
"C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\jLgfwLWvWrep.exe
  "C:\Users\Admin\AppData\Local\Temp\jLgfwLWvWrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Users\Admin\AppData\Local\Temp\XaPrZXNailan.exe
  "C:\Users\Admin\AppData\Local\Temp\XaPrZXNailan.exe" 8 LAN
  2⤵
  PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/272-9-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/436-15-0x00000000002F0000-0x0000000000318000-memory.dmp

Filesize
160KB

Download
memory/792-2-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/792-3-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/792-4-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/792-5-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download