Analysis
- max time kernel: 150s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-04-2021 09:34
Static task: static1
Behavioral tasks (task: sample, resource):
- behavioral1: 0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe, win7v20210408
- behavioral2: 0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe, win10v20210408
- behavioral3: 06f39924792712f3db4454d68315f99518463d12fd5e1256888edc3f73ec9a6d.exe, win7v20210410
- behavioral4: 06f39924792712f3db4454d68315f99518463d12fd5e1256888edc3f73ec9a6d.exe, win10v20210410
- behavioral5: 4690e24ad2ebfc89565f5ddc0b86e1a8f7f570f41e1b5dcab3787e8d8ef025ad.exe, win7v20210408
- behavioral6: 4690e24ad2ebfc89565f5ddc0b86e1a8f7f570f41e1b5dcab3787e8d8ef025ad.exe, win10v20210410
- behavioral7: 6d9db6ba26b1730bf6910456b4a6c25821ddbfe8542bea456a3bbb924ea83524.exe, win7v20210408
- behavioral8: 6d9db6ba26b1730bf6910456b4a6c25821ddbfe8542bea456a3bbb924ea83524.exe, win10v20210410
- behavioral9: 9c47fe6c8dbedae7d4f92d185d56509f0932e74a5ed9d3a28a4789461968f03e.exe, win7v20210408
- behavioral10: 9c47fe6c8dbedae7d4f92d185d56509f0932e74a5ed9d3a28a4789461968f03e.exe, win10v20210410
- behavioral11: a1db42d46f08b66f80d31f85c0a2ec932da4fca72247eacb0574d391ddd3162a.exe, win7v20210410
- behavioral12: a1db42d46f08b66f80d31f85c0a2ec932da4fca72247eacb0574d391ddd3162a.exe, win10v20210408
- behavioral13: a798b09ca056657bb97434edf659394d.exe, win7v20210410
- behavioral14: a798b09ca056657bb97434edf659394d.exe, win10v20210408
- behavioral15: b4556fe3a65fd59deebb705c66424a50a07ac077bcff31cae040ea2f5a4f0734.exe, win7v20210410
- behavioral16: b4556fe3a65fd59deebb705c66424a50a07ac077bcff31cae040ea2f5a4f0734.exe, win10v20210408
- behavioral17: c8b952f70a8dea0a32c18cf42627c2b8059eb66b1bc3a019a21acf4c9f901d74.exe, win7v20210410
- behavioral18: c8b952f70a8dea0a32c18cf42627c2b8059eb66b1bc3a019a21acf4c9f901d74.exe, win10v20210410
- behavioral19: f35818a5851c9a037febbe09cdab1c046a76ce49a3d1af777e504f149144683c.exe, win7v20210408
- behavioral20: f35818a5851c9a037febbe09cdab1c046a76ce49a3d1af777e504f149144683c.exe, win10v20210410
General
- Target: 0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe
- Size: 2.0MB
- MD5: 8540e2be7e84f2ddc37499b0a3aeb53f
- SHA1: 4767ac2a0eb586d52fa20a0253cbfce6c7ce198f
- SHA256: 0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7
- SHA512: 4ffcec4f7886ea371e4b5a6628aba29390f17dd6ea8d0746680fc7ea3105d77ad0d7a825d0ac6823e01d52a4c206b4f6fa4cb6a6d813e2f9521fb12e3b52dd35
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 2228 WinConnection.exe
  - 200 rkverify.exe
- Loads dropped DLL (8 IoCs)
  Processes (pid, process):
  - 900 0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe (7 entries)
  - 200 rkverify.exe (1 entry)
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File created: C:\Windows\SysWOW64\GLBSINST.%$D by 0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 200 rkverify.exe (64 entries)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid, process):
  - 200 rkverify.exe (6 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 900 (0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe) wrote to memory of 2228 (WinConnection.exe), 3 entries
  - PID 900 (0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe) wrote to memory of 200 (rkverify.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0093b3e67f9ac01a1b5ebedb7046a8e881bc403892288fe531c03018e41401d7.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WinConnection.exe (level 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WinConnection.exe"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\rkverify.exe (level 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rkverify.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads