Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-05-2021 12:56

General

  • Target

    e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe

  • Size

    3.2MB

  • MD5

    a3caa75210ab96a021512552587e8370

  • SHA1

    5ee6e59dba738cae31c8c933c65fe297c8dce37c

  • SHA256

    e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf

  • SHA512

    50c14483e443cf0655556c82184016623485a9b61304e366e3dce080d7ed9b4ca710b100fd40149118e851a8d6c8f64a06964c2322bbc482814a6db07277c42d

Score
7/10

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
    "C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe"
    PID:768
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory

    • C:\Windows\SysWOW64\WScript.exe (child of PID 768)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID:1772
    • C:\Windows\SysWOW64\WScript.exe (child of PID 768)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      PID:1792

    The child image path is SysWOW64\WScript.exe although the command line names System32: the 32-bit parent's call is redirected by WoW64 file-system redirection, so a 32-bit script host runs the dropped VBS3.vbs. The script is launched twice, under PIDs 1772 and 1792.
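The chain above (dropper in %TEMP%, VBS dropped under AppData\Roaming, autostart entry, launch via wscript.exe) is what a responder would hunt for on other hosts. The script below is an added example, not part of the sandbox report or any tool it names: it carries the report's SHA-256 IoCs, matches autostart entries and process events against the generic pattern (script host running a .vbs from any user's AppData tree) rather than the exact path, and runs on constructed sample data. The Run value name "VBS3", the explorer.exe parent of PID 768, and the benign entries are assumptions; the report only states that a Run key was added and a startup file dropped.

```python
"""Triage helper for the chain shown in this report: an executable in %TEMP% drops
a .vbs under AppData\\Roaming, registers it for autostart and runs it via wscript.exe.
Added example, not part of the sandbox report. All inputs are constructed in-line."""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# SHA-256 values copied from the report above.
IOC_SHA256 = {
    "e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf": "submitted dropper",
    "9d4bfc90bc0b50fa4561cea5238384711da9f53cb84f0c8aae3a78ef4f9a9898": "dropped VBS3.vbs",
}

# Behavioural pattern rather than the exact path: a .vbs anywhere under a user's
# AppData tree. Username and file name vary per victim; the technique does not.
USER_APPDATA_VBS = re.compile(r"(?i)[\\/]users[\\/][^\\/]+[\\/]appdata[\\/].*?\.vbs\b")
# Match the script host by image name only: the report shows SysWOW64\WScript.exe
# even though the command line says System32 (WoW64 redirection for a 32-bit parent).
SCRIPT_HOST = re.compile(r"(?i)(?:^|[\\/])[wc]script\.exe$")


@dataclass(frozen=True)
class AutorunEntry:
    location: str   # registry value path or Startup-folder item
    command: str


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str
    command_line: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_ioc(digest_hex: str) -> Optional[str]:
    """Label for a known-bad SHA-256 from the report, or None."""
    return IOC_SHA256.get(digest_hex.lower())


def flag_autoruns(entries: Iterable[AutorunEntry]) -> List[AutorunEntry]:
    """Autostart entries whose command references a .vbs under a user AppData tree."""
    return [e for e in entries if USER_APPDATA_VBS.search(e.command)]


def flag_script_host_chains(
    events: Iterable[ProcessEvent],
) -> List[Tuple[ProcessEvent, ProcessEvent]]:
    """(parent, child) pairs where child is wscript/cscript running a user-AppData .vbs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in by_pid.values():
        if SCRIPT_HOST.search(child.image) and USER_APPDATA_VBS.search(child.command_line):
            parent = by_pid.get(child.parent_pid)
            if parent is not None:
                hits.append((parent, child))
    return hits


# Constructed sample data (assumption: Run value name "VBS3", explorer.exe as parent
# of the dropper, and the two benign entries; PIDs and paths are taken from the report).
SAMPLE_AUTORUNS = [
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                 r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VBS3",
                 r'"C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"'),
]
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe"
SAMPLE_EVENTS = [
    ProcessEvent(1234, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(768, 1234, DROPPER, '"' + DROPPER + '"'),
    ProcessEvent(1772, 768, r"C:\Windows\SysWOW64\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"'),
    ProcessEvent(2001, 1234, r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\Admin\AppData\Roaming\notes.txt"),
]

if __name__ == "__main__":
    for e in flag_autoruns(SAMPLE_AUTORUNS):
        print("autorun:", e.location, "->", e.command)
    for parent, child in flag_script_host_chains(SAMPLE_EVENTS):
        print("chain:", parent.pid, parent.image, "->", child.pid, child.command_line)
    print("ioc:", match_ioc("9d4bfc90bc0b50fa4561cea5238384711da9f53cb84f0c8aae3a78ef4f9a9898"))
```

The hash lookup only catches this exact dropper and script; the two pattern checks are what generalise to re-compiled or renamed variants, at the cost of needing a review of any legitimate .vbs a user keeps under AppData.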

      Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 technique
  • Defense Evasion: Modify Registry (T1112), 1 technique
  • Discovery: System Information Discovery (T1082), 1 technique


      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
        MD5

        ba2d3c5534b734e1acaa1ec8b9e5808a

        SHA1

        bcded59bdb139073e277248981842b190f54b115

        SHA256

        9d4bfc90bc0b50fa4561cea5238384711da9f53cb84f0c8aae3a78ef4f9a9898

        SHA512

        4b4cc705696e6a4499b3052c87b6e44f22a0922dff8ba32e777973d3ad08ffaeea9a10d65858b19c622fe8a37e4ec578310ac6192ba4614b8780a4268bb253ee

      • memory/768-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
        Filesize

        8KB

      • memory/1772-60-0x0000000000000000-mapping.dmp
      • memory/1792-61-0x0000000000000000-mapping.dmp