Analysis
-
max time kernel
107s -
max time network
140s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
13-05-2021 12:56
Static task
static1
Behavioral task
behavioral1
Sample
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
Resource
win10v20210410
General
-
Target
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe
-
Size
3.2MB
-
MD5
a3caa75210ab96a021512552587e8370
-
SHA1
5ee6e59dba738cae31c8c933c65fe297c8dce37c
-
SHA256
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf
-
SHA512
50c14483e443cf0655556c82184016623485a9b61304e366e3dce080d7ed9b4ca710b100fd40149118e851a8d6c8f64a06964c2322bbc482814a6db07277c42d
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exepid process 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exepid process 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exepid process 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exedescription pid process target process PID 3876 wrote to memory of 2776 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 3876 wrote to memory of 2776 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 3876 wrote to memory of 2776 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 3876 wrote to memory of 2788 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 3876 wrote to memory of 2788 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe PID 3876 wrote to memory of 2788 3876 e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe"C:\Users\Admin\AppData\Local\Temp\e4ac0728da98afb0547cad042a0ae73a202cfe7e2877dc57b84053e4f7603fbf.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbsMD5
54e2eecfd5ac390ca06538251e23058d
SHA1836255c36b07c6bdea22b60a2e5cf8c9594864f7
SHA256f5527774caf35537bf88f8e22dc784f467a59e0581b9a27732fc142523fd9c96
SHA5123a5857ee9ba0b301e826ddbbcafed225e2f86da57ae3226341192f6285995b17b47de8520c2171cdabd898115c9e0365a6df512768001ff3b42157a01b985236
-
memory/2776-114-0x0000000000000000-mapping.dmp
-
memory/2788-115-0x0000000000000000-mapping.dmp