Overview

overview

10

Static

static

1

FA0900009000.exe

windows7_x64

10

FA0900009000.exe

windows10_x64

7

Analysis

  • max time kernel
    15s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-04-2021 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FA0900009000.exe

  • Size

    415KB

  • MD5

    f5bbc275c2fe8892a7173cec02b48344

  • SHA1

    fb2bb2d7b845e442418f451dca20a1ca4fc45c5b

  • SHA256

    3bc2abc2f4f8e56df7dcc64602b053f62ade2953d76b6020a21c252cc86a41db

  • SHA512

    ce518ef7add1718ee63d0b7229f9a34a40a8060a21800de5191e5a0ecbbb1b88e6c35fcd795f42c54f9467b546873301470060c5a117bff10dd8fff7e664ff87

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FA0900009000.exe
    "C:\Users\Admin\AppData\Local\Temp\FA0900009000.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Users\Admin\AppData\Local\Temp\FA0900009000.exe
      "C:\Users\Admin\AppData\Local\Temp\FA0900009000.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:3048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsv9487.tmp\bnd3.dll
    MD5

    2b289ab120d95236da9f742ae16c77c1

    SHA1

    96807a2b3d9c4fd21cc446fbfef5b564b3a39938

    SHA256

    239e71634074d7e78af7dca14bbda6f80a67c48be2c6ac7fcdf4d4eba2d2fb8c

    SHA512

    f20f17b4ea35e6d837db3396bc42457e7f5f412db68bbf993a9e2d1dfc4b6c8908f19c71e4d8d6afea41f27d5f2e230e3ec7ff79ed4ba20947831c1455fa67d4

    Download Submit
  • memory/668-115-0x0000000002750000-0x0000000002773000-memory.dmp
    Filesize

    140KB

    Download
  • memory/668-116-0x0000000002750000-0x0000000002773000-memory.dmp
    Filesize

    140KB

    Download
  • memory/3048-117-0x00000000004172EC-mapping.dmp
    Download
  • memory/3048-118-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download