Analysis
- max time kernel: 106s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-04-2021 05:48

Static task: static1
Behavioral task behavioral1: sample 0900900.exe, resource win7v20210408
Behavioral task behavioral2: sample 0900900.exe, resource win10v20210408

The results on this page are from the win10v20210408 run (behavioral2).
General
- Target: 0900900.exe
- Size: 189KB
- MD5: 82720319030a519bddb77537babc8393
- SHA1: e42d6c950690189fb24235336f31d7cbcfc65408
- SHA256: 1048c4ebb7be3641037e402bfcc4e8aa667fc49dc82b9690b96b5ea69dd11e50
- SHA512: bbb334f7bd378e18b6091b7c17899792c10ff969eab0eddde190b3c02e72fa89b17ab81d020abee6ffbfcca9eedcd1773e776e2c08f9744aad65139921326793
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes: PID 808, 0900900.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 808 (0900900.exe) set thread context of PID 68 (0900900.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic text for the signature. Drive enumeration on its own is not specific to ransomware, and nothing else on this page reports file encryption or mass file writes, so weigh it accordingly.)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 808, 0900900.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 68, 0900900.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 808 (0900900.exe) wrote to memory of PID 68 (0900900.exe), four times

Taken together, the WriteProcessMemory and SetThreadContext IoCs describe PID 808 spawning a second copy of its own image as PID 68, writing into that child and then redirecting a thread in it: the process-hollowing pattern (ATT&CK Process Injection: Process Hollowing, T1055.012). The SetWindowsHookEx call is made by the child (PID 68) after the injection, not by the original process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\0900900.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0900900.exe"
   PID 808 (from the Signatures section)
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0900900.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0900900.exe"
      PID 68 (from the Signatures section)
      - Suspicious use of SetWindowsHookEx
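The detection logic a practitioner would run over the events above, as an added example that is not part of the sandbox report and not the sample's own code. The EVENTS list is constructed by hand from the Signatures and Processes sections (PID 808 spawns a second 0900900.exe as PID 68, writes to its memory four times, sets its thread context); the Event schema, the function names and the CreateProcess record inferred from the process tree are this example's own assumptions, not a sandbox API.

```python
"""Correlate per-process sandbox events into a process-hollowing finding.

Added example, not code from the sandbox report or from the sample's author.
The Event schema and function names are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    api: str           # Win32 API or sandbox event name
    pid: int           # acting process
    image: str         # image name of the acting process
    target_pid: int    # process acted upon (== pid for self-only calls)
    target_image: str  # image name of the target process


# Constructed from the report: one CreateProcess (parent/child from the
# process tree), four WriteProcessMemory IoCs and one SetThreadContext IoC
# from 808 into 68, one SetWindowsHookEx IoC in the child. Self-only events
# are kept deliberately to show that they are ignored.
EVENTS = [
    Event("CreateProcess", 808, "0900900.exe", 68, "0900900.exe"),
    Event("MapViewOfSection", 808, "0900900.exe", 808, "0900900.exe"),
    Event("WriteProcessMemory", 808, "0900900.exe", 68, "0900900.exe"),
    Event("WriteProcessMemory", 808, "0900900.exe", 68, "0900900.exe"),
    Event("WriteProcessMemory", 808, "0900900.exe", 68, "0900900.exe"),
    Event("WriteProcessMemory", 808, "0900900.exe", 68, "0900900.exe"),
    Event("SetThreadContext", 808, "0900900.exe", 68, "0900900.exe"),
    Event("SetWindowsHookEx", 68, "0900900.exe", 68, "0900900.exe"),
]


def find_hollowing(events, min_writes=1):
    """Return one finding per (source, target) pair showing the hollowing
    pattern: cross-process WriteProcessMemory plus SetThreadContext.

    A CreateProcess from the same source raises confidence (a freshly
    spawned, usually suspended, child is the classic hollowing target);
    a matching image name (self-spawn) is flagged separately because it
    is the exact shape seen in this report.
    """
    pairs = defaultdict(lambda: {"created": False, "writes": 0, "ctx": 0,
                                 "images": None})
    for e in events:
        if e.pid == e.target_pid:
            continue  # intra-process activity cannot be injection
        slot = pairs[(e.pid, e.target_pid)]
        slot["images"] = (e.image, e.target_image)
        if e.api == "CreateProcess":
            slot["created"] = True
        elif e.api == "WriteProcessMemory":
            slot["writes"] += 1
        elif e.api == "SetThreadContext":
            slot["ctx"] += 1

    findings = []
    for (src, dst), s in sorted(pairs.items()):
        if s["writes"] >= min_writes and s["ctx"] >= 1:
            src_img, dst_img = s["images"]
            findings.append({
                "parent_pid": src,
                "child_pid": dst,
                "writes": s["writes"],
                "spawned_by_parent": s["created"],
                "same_image": src_img == dst_img,
                "technique": "process hollowing (ATT&CK T1055.012)",
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS):
        print(finding)
```

The rule does not enforce temporal order (writes before the context switch) because the report gives counts, not timestamps; on real telemetry with timestamps (Sysmon event 8/10 style) you would add that check. Debuggers also write to and set thread context on their debuggees, so in production the rule needs an allow-list for known debugger images.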
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- Dropped file: \Users\Admin\AppData\Local\Temp\nsi73E0.tmp\an1r6lh9q.dll
  MD5: 875e8216f1a1730eddd41d96d7552c9e
  SHA1: f696d42e8f5a06c8ab6faa4fdabd9941ce90f14c
  SHA256: 1cd1be5bc0ff2da276b8da77dccdf07308771ba66cda97b05d062d8da0e72cf1
  SHA512: afa9a2a4b3c0951f02ce14ac93821e642e0e243f64a59d82ffbabe758a1974a9b901925f2d9db65a0fe132eef2e5974cf21eac7da17a0f1261c00857bc8800ec
  (This is the only dropped file and so the DLL behind the "Loads dropped DLL" signature. A %TEMP%\ns????.tmp\ directory holding a DLL is the layout an NSIS installer uses for its plugins, so the sample is consistent with an NSIS-packaged installer; the page itself does not identify the packer.)
- memory/68-117-0x00000000004172EC-mapping.dmp
- memory/68-118-0x0000000000400000-0x0000000000419000-memory.dmp, 100KB
- memory/808-115-0x0000000002AF0000-0x0000000002AF1000-memory.dmp, 4KB
- memory/808-116-0x0000000002AF1000-0x0000000002AF6000-memory.dmp, 20KB
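A small decoder for the memory-dump names listed above, as an added example that is not part of the report. The names are copied from this page; the `<pid>-<seq>-<start>-<end>` reading of them, the regexes and the function names are this example's own assumptions, checked only against the four names here (the reported 100KB, 4KB and 20KB sizes match the address ranges).

```python
"""Decode sandbox memory-dump file names into PID, address range and size,
and locate which dumped region holds a '-mapping.dmp' address.

Added example, not code from the report. The naming scheme is inferred from
the four names on the page and is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed from the Downloads section above.
DUMP_NAMES = [
    "memory/68-117-0x00000000004172EC-mapping.dmp",
    "memory/68-118-0x0000000000400000-0x0000000000419000-memory.dmp",
    "memory/808-115-0x0000000002AF0000-0x0000000002AF1000-memory.dmp",
    "memory/808-116-0x0000000002AF1000-0x0000000002AF6000-memory.dmp",
]

_REGION = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


@dataclass(frozen=True)
class Mapping:
    pid: int
    seq: int
    addr: int


def parse_dump_name(name: str) -> Union[Region, Mapping]:
    """Parse one dump file name; raises on anything outside the two shapes."""
    m = _REGION.match(name)
    if m:
        return Region(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16))
    m = _MAPPING.match(name)
    if m:
        return Mapping(int(m[1]), int(m[2]), int(m[3], 16))
    raise ValueError(f"unrecognised dump name: {name}")


def human_size(n: int) -> str:
    """Render whole kilobytes the way the report does, else raw bytes."""
    return f"{n // 1024}KB" if n % 1024 == 0 else f"{n}B"


def region_containing(mapping: Mapping, regions) -> Optional[Region]:
    """Dumped region of the same PID that holds the mapping address, if any."""
    for r in regions:
        if r.pid == mapping.pid and r.contains(mapping.addr):
            return r
    return None


def summarise(names):
    """Return {name: info}: size for region dumps, enclosing region (start,
    end) or None for mapping dumps."""
    parsed = {n: parse_dump_name(n) for n in names}
    regions = [v for v in parsed.values() if isinstance(v, Region)]
    out = {}
    for n, v in parsed.items():
        if isinstance(v, Region):
            out[n] = {"pid": v.pid, "size": human_size(v.size),
                      "size_bytes": v.size}
        else:
            r = region_containing(v, regions)
            out[n] = {"pid": v.pid, "addr": v.addr,
                      "in_region": None if r is None else (r.start, r.end)}
    return out


if __name__ == "__main__":
    for name, info in summarise(DUMP_NAMES).items():
        print(name, info)
```

The mapping address 0x4172EC falls inside the 0x400000-0x419000 region dumped from the same PID, so the two PID 68 dumps describe one image. The page does not say what the mapping address represents, so the example only computes containment and does not guess at its meaning.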