Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 29-04-2021 12:10
Static task: static1
Behavioral task: behavioral1
- Sample: PO0900009.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: PO0900009.exe
- Resource: win10v20210408
General
- Target: PO0900009.exe
- Size: 168KB
- MD5: 92a796d32256c200d3d3059c69de74a4
- SHA1: 8d203a1473eb53e9fe87b38bb66bc8d701535285
- SHA256: 54b874aa168963924382bcadb4e63d087c7dbf587a52f16df9efa19157f700b2
- SHA512: 8230c5e165667f40bd7a4e2ceb0f1c2d91edd94acfc152a26d5675ccb27655032ba4feb7b3ce775af553f7e503f70f1f3685905600d6002e21d2db17a4780fc6
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  Processes: PO0900009.exe (PID 452)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: PO0900009.exe (PID 452) set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\xifmvwyqevrrbn = "C:\\Users\\Admin\\AppData\\Roaming\\ncdsynuuc\\aiaf.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PO0900009.exe (PID 452) set thread context of PO0900009.exe (PID 1432)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PO0900009.exe (PID 452)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PO0900009.exe (PID 1432)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: PO0900009.exe (PID 452) wrote to memory of PO0900009.exe (PID 1432), recorded five times
Processes
- C:\Users\Admin\AppData\Local\Temp\PO0900009.exe (command line: "C:\Users\Admin\AppData\Local\Temp\PO0900009.exe")
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\PO0900009.exe (command line: "C:\Users\Admin\AppData\Local\Temp\PO0900009.exe")
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nss1F6.tmp\ycphcnmmr30h8eb.dll
  MD5: a2f6bef2275decc2f61687e3240892d6
  SHA1: 91a0dafd3cb00b305e66e228479685daf8e33461
  SHA256: adb89dda6285e09a24ff43fb71b94126a4a66c9b3319bfa300ab92e7b103e655
  SHA512: 5da33b062145b1e5a56ba3c362d170548e4d4d1fb235748a932903a0611bd4ed0f5903355f6c72dbc4adf9082060dca00d101803280312c99455c5e8820c488a
- memory/452-60-0x00000000753E1000-0x00000000753E3000-memory.dmp (Filesize: 8KB)
- memory/452-64-0x0000000000490000-0x0000000000493000-memory.dmp (Filesize: 12KB)
- memory/1432-62-0x00000000004172EC-mapping.dmp
- memory/1432-65-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)