Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-04-2021 10:32
Static task: static1
Behavioral task: behavioral1
  Sample: 0900000000000000000900.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 0900000000000000000900.exe
  Resource: win10v20210408
General
- Target: 0900000000000000000900.exe
- Size: 84KB
- MD5: 030daaca1bd4fc284e4b4ab63d1b6419
- SHA1: 088aa59dc4185f60d450087899a4964957e49319
- SHA256: 033f4d8bd914597ee146ea8761a3f79fceb4f49af99f411e9ee94775ed298179
- SHA512: cccd2d4f70e54ba9de9d8b7b1cbf6ef59ce4820e6d2d231b7a073d8b2c4dafa49edbb9cb6baf926075ad9e9bf23289e71ed48a3db8a8dc7f2a5076a921626b6c
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1688  0900000000000000000900.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                      target process
    PID 1688 set thread context of 1984  1688  0900000000000000000900.exe  0900000000000000000900.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is a generic drive-enumeration heuristic; the report records no file-encryption activity to back the ransomware label.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1688  0900000000000000000900.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    1984  0900000000000000000900.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                          pid   process                      target process
    PID 1688 wrote to memory of 1984     1688  0900000000000000000900.exe  0900000000000000000900.exe
    PID 1688 wrote to memory of 1984     1688  0900000000000000000900.exe  0900000000000000000900.exe
    PID 1688 wrote to memory of 1984     1688  0900000000000000000900.exe  0900000000000000000900.exe
    PID 1688 wrote to memory of 1984     1688  0900000000000000000900.exe  0900000000000000000900.exe
    PID 1688 wrote to memory of 1984     1688  0900000000000000000900.exe  0900000000000000000900.exe
  Together with the SetThreadContext and MapViewOfSection rows, this is the API sequence of process hollowing / self-injection: PID 1688 spawns a second copy of its own image (PID 1984), writes into it five times, then replaces the child's thread context so execution resumes on the written code.
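The WriteProcessMemory and SetThreadContext rows above are only useful when read together: the same source PID both writing into a target and resetting that target's thread context is what distinguishes hollowing from a benign debugger or crash handler. The Python below is an added example, not part of the sandbox report or its tooling; it parses rows in the flattened "PID X wrote to memory of Y ..." phrasing (the sample lines are constructed from the values in this report) and correlates them per (source, target) pair. The `parse_events` and `hollowing_chains` names and the line format the regex assumes are this example's own.

```python
"""Correlate sandbox API-call IoCs into a process-hollowing verdict.

Added example, not part of the sandbox report. Input lines are constructed
from the report's own values (PIDs 1688 -> 1984); the field names and the
functions are this example's own, not the sandbox's API.
"""
import re
from collections import defaultdict

# Constructed input: one line per IoC row, in the report's flattened phrasing
# "PID <src> <verb> <dst> <pid> <process> <target process>".
SAMPLE_EVENTS = """\
PID 1688 wrote to memory of 1984 1688 0900000000000000000900.exe 0900000000000000000900.exe
PID 1688 wrote to memory of 1984 1688 0900000000000000000900.exe 0900000000000000000900.exe
PID 1688 wrote to memory of 1984 1688 0900000000000000000900.exe 0900000000000000000900.exe
PID 1688 wrote to memory of 1984 1688 0900000000000000000900.exe 0900000000000000000900.exe
PID 1688 wrote to memory of 1984 1688 0900000000000000000900.exe 0900000000000000000900.exe
PID 1688 set thread context of 1984 1688 0900000000000000000900.exe 0900000000000000000900.exe
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_events(text):
    """Parse the flattened IoC rows; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def hollowing_chains(events):
    """Return one record per (src, dst) pair where the source process both
    wrote into the target (WriteProcessMemory) and reset its thread context
    (SetThreadContext). Either call alone is not flagged: a debugger or a
    crash handler does one without the other. `self_injection` is True when
    the target runs the same image as the source, as in this report."""
    writes = defaultdict(int)   # (src, dst) -> number of WriteProcessMemory rows
    ctx_set = set()             # (src, dst) pairs with a SetThreadContext row
    images = {}                 # (src, dst) -> (source image, target image)
    for e in events:
        key = (int(e["src"]), int(e["dst"]))
        images[key] = (e["src_image"], e["dst_image"])
        if e["verb"].startswith("wrote"):
            writes[key] += 1
        else:
            ctx_set.add(key)
    chains = []
    for key in sorted(ctx_set):
        if writes[key] > 0:
            src_img, dst_img = images[key]
            chains.append({
                "src": key[0],
                "dst": key[1],
                "writes": writes[key],
                "self_injection": src_img.lower() == dst_img.lower(),
            })
    return chains


if __name__ == "__main__":
    for c in hollowing_chains(parse_events(SAMPLE_EVENTS)):
        print(f"PID {c['src']} -> PID {c['dst']}: {c['writes']} write(s), "
              f"self-injection={c['self_injection']}")
```

The report's rows carry no timestamps, so the function only checks co-occurrence of the two calls on the same pair; on a live host the same correlation would be done over Sysmon or ETW events, where the write-then-context-reset ordering can also be asserted.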
Processes
- C:\Users\Admin\AppData\Local\Temp\0900000000000000000900.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0900000000000000000900.exe"
  PID: 1688
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0900000000000000000900.exe (child of PID 1688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0900000000000000000900.exe"
    PID: 1984
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 96c19f4be5eb899973ad0090567c769e
  SHA1: f52e2194466763adb44b604b2d06c0222e870c81
  SHA256: c08e2ff95e39780720c26ec0535a05f23557d3e3122ed8f593dee2950ebef702
  SHA512: 963a02342ecceac16cdc671a57e9894e0a872cb7f8066c5a2dc810524c5e5c3eaac267917f2381ac6e54b94284a141ced956deefb44174a50f20673ce230b2f0