Analysis
- max time kernel: 135s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-04-2021 00:29
Static task: static1
Behavioral task: behavioral1
Sample: CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
Resource: win7v20210408
General
- Target: CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
- Size: 174KB
- MD5: 72060693e5ebcbab80d41cf905ba4025
- SHA1: 84e128e1af6b133a8ba837f65cf4682ee4ca6066
- SHA256: abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2
- SHA512: fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741
Malware Config
Extracted
amadey
2.11
176.111.174.67/7Ndd3SnW/index.php
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1740 | rween.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  340 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
  340 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 340 wrote to memory of 1740 | 340 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe | rween.exe
  PID 340 wrote to memory of 1740 | 340 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe | rween.exe
  PID 340 wrote to memory of 1740 | 340 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe | rween.exe
  PID 340 wrote to memory of 1740 | 340 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe | rween.exe
  PID 1740 wrote to memory of 1200 | 1740 | rween.exe | cmd.exe
  PID 1740 wrote to memory of 1200 | 1740 | rween.exe | cmd.exe
  PID 1740 wrote to memory of 1200 | 1740 | rween.exe | cmd.exe
  PID 1740 wrote to memory of 1200 | 1740 | rween.exe | cmd.exe
  PID 1200 wrote to memory of 1428 | 1200 | cmd.exe | reg.exe
  PID 1200 wrote to memory of 1428 | 1200 | cmd.exe | reg.exe
  PID 1200 wrote to memory of 1428 | 1200 | cmd.exe | reg.exe
  PID 1200 wrote to memory of 1428 | 1200 | cmd.exe | reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
  "C:\Users\Admin\AppData\Local\Temp\CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\011ab573a3\rween.exe
    "C:\ProgramData\011ab573a3\rween.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\011ab573a3\rween.exe
  MD5: 72060693e5ebcbab80d41cf905ba4025
  SHA1: 84e128e1af6b133a8ba837f65cf4682ee4ca6066
  SHA256: abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2
  SHA512: fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741
- C:\ProgramData\152124553523681077083310
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \ProgramData\011ab573a3\rween.exe
  MD5: 72060693e5ebcbab80d41cf905ba4025
  SHA1: 84e128e1af6b133a8ba837f65cf4682ee4ca6066
  SHA256: abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2
  SHA512: fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741
- \ProgramData\011ab573a3\rween.exe
  MD5: 72060693e5ebcbab80d41cf905ba4025
  SHA1: 84e128e1af6b133a8ba837f65cf4682ee4ca6066
  SHA256: abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2
  SHA512: fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741
- memory/340-59-0x00000000750C1000-0x00000000750C3000-memory.dmp
  Filesize: 8KB
- memory/340-64-0x0000000000220000-0x000000000024C000-memory.dmp
  Filesize: 176KB
- memory/340-65-0x0000000000400000-0x0000000002B9B000-memory.dmp
  Filesize: 39.6MB
- memory/1200-70-0x0000000000000000-mapping.dmp
- memory/1428-71-0x0000000000000000-mapping.dmp
- memory/1740-62-0x0000000000000000-mapping.dmp
- memory/1740-69-0x0000000000400000-0x0000000002B9B000-memory.dmp
  Filesize: 39.6MB