Analysis
- max time kernel: 123s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-04-2021 00:29
Static task: static1
Behavioral task: behavioral1
- Sample: CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
- Resource: win7v20210408
General
- Target: CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
- Size: 174KB
- MD5: 72060693e5ebcbab80d41cf905ba4025
- SHA1: 84e128e1af6b133a8ba837f65cf4682ee4ca6066
- SHA256: abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2
- SHA512: fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741
Malware Config
Extracted
- amadey 2.11
- 176.111.174.67/7Ndd3SnW/index.php
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  | process
  1640 | rween.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe, rween.exe, cmd.exe
  description | pid | process | target process
  PID 3944 wrote to memory of 1640 | 3944 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe | rween.exe
  PID 3944 wrote to memory of 1640 | 3944 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe | rween.exe
  PID 3944 wrote to memory of 1640 | 3944 | CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe | rween.exe
  PID 1640 wrote to memory of 2408 | 1640 | rween.exe | cmd.exe
  PID 1640 wrote to memory of 2408 | 1640 | rween.exe | cmd.exe
  PID 1640 wrote to memory of 2408 | 1640 | rween.exe | cmd.exe
  PID 2408 wrote to memory of 3528 | 2408 | cmd.exe | reg.exe
  PID 2408 wrote to memory of 3528 | 2408 | cmd.exe | reg.exe
  PID 2408 wrote to memory of 3528 | 2408 | cmd.exe | reg.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\011ab573a3\rween.exe
      Command line: "C:\ProgramData\011ab573a3\rween.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\011ab573a3\rween.exe
  MD5: 72060693e5ebcbab80d41cf905ba4025
  SHA1: 84e128e1af6b133a8ba837f65cf4682ee4ca6066
  SHA256: abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2
  SHA512: fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741
- C:\ProgramData\152136866457237103368804
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1640-114-0x0000000000000000-mapping.dmp
- memory/1640-121-0x0000000002C90000-0x0000000002DDA000-memory.dmp (Filesize: 1.3MB)
- memory/1640-122-0x0000000000400000-0x0000000002B9B000-memory.dmp (Filesize: 39.6MB)
- memory/2408-120-0x0000000000000000-mapping.dmp
- memory/3528-123-0x0000000000000000-mapping.dmp
- memory/3944-117-0x0000000002CC0000-0x0000000002E0A000-memory.dmp (Filesize: 1.3MB)
- memory/3944-118-0x0000000000400000-0x0000000002B9B000-memory.dmp (Filesize: 39.6MB)