Overview

overview

10

Static

static

ﱞﱞﱞ...ﱞﱞ

windows10_x64

1

ﱞﱞﱞ...ﱞﱞ

windows10_x64

ﱞﱞﱞ...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ...ﱞﱞ

windows10_x64

ﱞﱞﱞ...ﱞﱞ

windows7_x64

1

ﱞﱞﱞ...ﱞﱞ

windows7_x64

ﱞﱞﱞ...ﱞﱞ

windows7_x64

ﱞﱞﱞ...ﱞﱞ

windows7_x64

10

win102

windows10_x64

1

win102

windows10_x64

10

win102

windows10_x64

8

win102

windows10_x64

10

win104

windows10_x64

1

win104

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

win105

windows10_x64

1

win105

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

win106

windows10_x64

1

win106

windows10_x64

win106

windows10_x64

10

win106

windows10_x64

10

win103

windows10_x64

1

win103

windows10_x64

win103

windows10_x64

8

win103

windows10_x64

8

win101

windows10_x64

1

win101

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

Resubmissions

25-04-2021 09:42

210425-v9mttlcxke 10

25-04-2021 08:59

210425-1d89vxfyln 10

25-04-2021 07:37

210425-b8smdccdwe 10

25-04-2021 06:55

210425-1csfnkw57n 10

24-04-2021 20:32

210424-x7kp9rrf4x 10

Analysis

  • max time kernel
    4s
  • max time network
    4s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-04-2021 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keygen-step-4 — копия.exe

  • Size

    4.6MB

  • MD5

    563107b1df2a00f4ec868acd9e08a205

  • SHA1

    9cb9c91d66292f5317aa50d92e38834861e9c9b7

  • SHA256

    bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

  • SHA512

    99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-4 — копия.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
      2⤵
      • Executes dropped EXE
      PID:2352
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        3⤵
          PID:3304
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
        2⤵
          PID:3328
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        1⤵
          PID:3832

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\install.dat
          MD5

          ad824c9aed459a9121e0155181c5d651

          SHA1

          4dfab89653e5b24a972739cd6df3f04677b14095

          SHA256

          5877a2022475b4b9f7975b856cc6728e253b5904071a35a89841ffd724e17b90

          SHA512

          8d9f1591cda3a840cd19c31cb4a7a142c21cda57b32002e565db07737566973b04dd7dcede32942d1db32e800233bfa0cff00186b1bf39e00b50b50ebf74c3fd

          Download Submit
        • C:\Program Files\install.dll
          MD5

          fe60ddbeab6e50c4f490ddf56b52057c

          SHA1

          6a71fdf73761a1192fd9c6961f66754a63d6db17

          SHA256

          9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

          SHA512

          0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
          MD5

          3b1b318df4d314a35dce9e8fd89e5121

          SHA1

          55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71

          SHA256

          4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b

          SHA512

          f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
          MD5

          3b1b318df4d314a35dce9e8fd89e5121

          SHA1

          55b0f8d56212a74bda0fc5f8cc0632ef52a4bc71

          SHA256

          4df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b

          SHA512

          f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
          MD5

          e72eb3a565d7b5b83c7ff6fad519c6c9

          SHA1

          1a2668a26b01828eec1415aa614743abb0a4fb70

          SHA256

          8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599

          SHA512

          71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
          MD5

          e72eb3a565d7b5b83c7ff6fad519c6c9

          SHA1

          1a2668a26b01828eec1415aa614743abb0a4fb70

          SHA256

          8ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599

          SHA512

          71ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3

          Download Submit
        • \Program Files\install.dll
          MD5

          fe60ddbeab6e50c4f490ddf56b52057c

          SHA1

          6a71fdf73761a1192fd9c6961f66754a63d6db17

          SHA256

          9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

          SHA512

          0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

          Download Submit
        • memory/2352-116-0x0000000000000000-mapping.dmp
          Download
        • memory/3304-119-0x0000000000000000-mapping.dmp
          Download
        • memory/3304-134-0x000000000487C000-0x000000000497D000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3328-126-0x0000000000030000-0x0000000000031000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3328-128-0x0000000000630000-0x0000000000631000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3328-131-0x0000000000640000-0x000000000065C000-memory.dmp
          Filesize

          112KB

          Download
        • memory/3328-120-0x0000000000000000-mapping.dmp
          Download
        • memory/3328-138-0x0000000000660000-0x0000000000661000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3832-137-0x0000020AC4770000-0x0000020AC47BB000-memory.dmp
          Filesize

          300KB

          Download