59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Analysis

max time kernel
153s
max time network
157s
platform
windows10_x64
resource
win10v20201028
submitted
30-03-2021 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
Size

279KB
MD5

5df4ac6e94ae7e9f9eb28d8f7f464946
SHA1

79f222f94fa265896c5e4578b91ed4ebc100058d
SHA256

3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f
SHA512

18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a

Score

8^/10

dave

Malware Config

Signatures

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

resource	yara_rule
behavioral18/memory/508-4-0x00000000005B0000-0x00000000005D6000-memory.dmp	dave

Executes dropped EXE 2 IoCs

pid	Process
3184	aeEDegdTcrep.exe
3460	hETzxzqcqlan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 3184	508	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	79
PID 508 wrote to memory of 3184	508	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	79
PID 508 wrote to memory of 3184	508	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	79
PID 508 wrote to memory of 3460	508	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	81
PID 508 wrote to memory of 3460	508	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	81
PID 508 wrote to memory of 3460	508	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	81

C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
"C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:508
- C:\Users\Admin\AppData\Local\Temp\aeEDegdTcrep.exe
  "C:\Users\Admin\AppData\Local\Temp\aeEDegdTcrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\hETzxzqcqlan.exe
  "C:\Users\Admin\AppData\Local\Temp\hETzxzqcqlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-3-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/508-2-0x00000000005E0000-0x0000000000608000-memory.dmp

Filesize
160KB

Download
memory/508-4-0x00000000005B0000-0x00000000005D6000-memory.dmp

Filesize
152KB

Download
memory/3184-8-0x00000000006A0000-0x00000000006C8000-memory.dmp

Filesize
160KB

Download
memory/3460-14-0x0000000000590000-0x00000000005B8000-memory.dmp

Filesize
160KB

Download