Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
13-05-2021 12:56
Static task
static1
Behavioral task
behavioral1
Sample
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
Resource
win10v20210410
General
-
Target
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
-
Size
3.2MB
-
MD5
a3caa75210ab96a021512552587e8370
-
SHA1
5ee6e59dba738cae31c8c933c65fe297c8dce37c
-
SHA256
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf
-
SHA512
50c14483e443cf0655556c82184016623485a9b61304e366e3dce080d7ed9b4ca710b100fd40149118e851a8d6c8f64a06964c2322bbc482814a6db07277c42d
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exepid process 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exepid process 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exepid process 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exedescription pid process target process PID 768 wrote to memory of 1792 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 768 wrote to memory of 1772 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 768 wrote to memory of 1792 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 768 wrote to memory of 1792 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 768 wrote to memory of 1772 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 768 wrote to memory of 1792 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 768 wrote to memory of 1772 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 768 wrote to memory of 1772 768 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe"C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵PID:1772
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵PID:1792
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbsMD5
ba2d3c5534b734e1acaa1ec8b9e5808a
SHA1bcded59bdb139073e277248981842b190f54b115
SHA2569d4bfc90bc0b50fa4561cea5238384711da9f53cb84f0c8aae3a78ef4f9a9898
SHA5124b4cc705696e6a4499b3052c87b6e44f22a0922dff8ba32e777973d3ad08ffaeea9a10d65858b19c622fe8a37e4ec578310ac6192ba4614b8780a4268bb253ee
-
memory/768-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmpFilesize
8KB
-
memory/1772-60-0x0000000000000000-mapping.dmp
-
memory/1792-61-0x0000000000000000-mapping.dmp