Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 13-05-2021 02:00
Static task: static1
Behavioral task: behavioral1
- Sample: f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe
- Resource: win10v20210410
General
- Target: f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe
- Size: 164KB
- MD5: 636cee26da9af2b6beaebc246fd207cc
- SHA1: 679e2bfdd2a1ebf9090c4f1ea797ca0dfd87d6ff
- SHA256: f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a
- SHA512: 3e53024129bbca8776387280743733c0942a7ffb01ed2b301671b087abcd26daa5233755f0c8d12ae8a651419f0a899c303e9cb86742695399c36fef5921e572
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes: syncbundle.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  process: syncbundle.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes: f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe, f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe, syncbundle.exe, syncbundle.exe
  pid / process (event count):
  3872 f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe (2)
  3164 f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe (2)
  3580 syncbundle.exe (2)
  1188 syncbundle.exe (16)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe
  pid / process:
  3164 f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe, syncbundle.exe
  description / pid / process / target process (event count):
  PID 3872 wrote to memory of 3164 / 3872 / f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe / f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe (3)
  PID 3580 wrote to memory of 1188 / 3580 / syncbundle.exe / syncbundle.exe (3)
Processes
- C:\Users\Admin\AppData\Local\Temp\f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe"
  PID: 3872
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f0f628fd84e94101658a4bd291b8918cc77936a6dbc2dcdca9a019e30fcfa26a.exe"
    PID: 3164
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\syncbundle.exe
  Command line: "C:\Windows\SysWOW64\syncbundle.exe"
  PID: 3580
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\syncbundle.exe
    Command line: "C:\Windows\SysWOW64\syncbundle.exe"
    PID: 1188
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1188-131-0x0000000000000000-mapping.dmp
- memory/1188-139-0x0000000000560000-0x0000000000570000-memory.dmp (64KB)
- memory/1188-138-0x0000000000580000-0x00000000006CA000-memory.dmp (1.3MB)
- memory/1188-135-0x0000000001040000-0x0000000001057000-memory.dmp (92KB)
- memory/1188-132-0x0000000001040000-0x0000000001057000-memory.dmp (92KB)
- memory/3164-120-0x0000000000000000-mapping.dmp
- memory/3164-124-0x0000000002770000-0x0000000002787000-memory.dmp (92KB)
- memory/3164-126-0x00000000004A0000-0x000000000054E000-memory.dmp (696KB)
- memory/3164-121-0x0000000002770000-0x0000000002787000-memory.dmp (92KB)
- memory/3580-127-0x0000000000980000-0x0000000000997000-memory.dmp (92KB)
- memory/3580-130-0x0000000000980000-0x0000000000997000-memory.dmp (92KB)
- memory/3580-137-0x0000000000520000-0x000000000066A000-memory.dmp (1.3MB)
- memory/3580-136-0x0000000000520000-0x000000000066A000-memory.dmp (1.3MB)
- memory/3872-114-0x0000000002790000-0x00000000027A7000-memory.dmp (92KB)
- memory/3872-119-0x0000000000490000-0x00000000004A0000-memory.dmp (64KB)
- memory/3872-118-0x0000000000A40000-0x0000000000A57000-memory.dmp (92KB)
- memory/3872-117-0x0000000002790000-0x00000000027A7000-memory.dmp (92KB)