Analysis
- max time kernel: 149s
- max time network: 128s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 13-05-2021 12:54
Static task: static1
Behavioral task: behavioral1
- Sample: f93fd9f38cea4dfdbace09e4bdc366abc10db4d19f6ee48248b0190d9a5a7ae6.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: f93fd9f38cea4dfdbace09e4bdc366abc10db4d19f6ee48248b0190d9a5a7ae6.exe
- Resource: win10v20210410
General
- Target: f93fd9f38cea4dfdbace09e4bdc366abc10db4d19f6ee48248b0190d9a5a7ae6.exe
- Size: 20KB
- MD5: 8b5114e29ca655f351584c504dff789a
- SHA1: 64ddda8413a96fc129b2585e5d3596fb5fe8155e
- SHA256: f93fd9f38cea4dfdbace09e4bdc366abc10db4d19f6ee48248b0190d9a5a7ae6
- SHA512: 0e056691f475e77ff704917ecd52789c94897a616b4f791fdb115fbe425ffeb4e1a25a575a84e4305884359cd9ec1be32f0f52b4836ffd5b520460cacd85442e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: wsace.exe, PID 1432
- yara_rule: upx
  Resource: C:\Users\Admin\AppData\Local\Temp\wsace.exe, rule: upx
  Resource: C:\Users\Admin\AppData\Local\Temp\wsace.exe, rule: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3872 (f93fd9f38cea4dfdbace09e4bdc366abc10db4d19f6ee48248b0190d9a5a7ae6.exe) wrote to memory of PID 1432 (wsace.exe); three identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\f93fd9f38cea4dfdbace09e4bdc366abc10db4d19f6ee48248b0190d9a5a7ae6.exe (PID 3872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f93fd9f38cea4dfdbace09e4bdc366abc10db4d19f6ee48248b0190d9a5a7ae6.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wsace.exe (PID 1432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\wsace.exe"
    - Executes dropped EXE
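The three signatures above only become a clear verdict when read together: the sample writes a UPX-packed EXE into the user's Temp directory, launches it as a child, and then calls WriteProcessMemory against that child. The script below is an added example, not part of this sandbox report or its vendor's tooling; it correlates that chain over a small event list that was constructed by hand from the report's process tree, yara match and WriteProcessMemory IoCs. The event field names (kind, pid, ppid, path, target_pid, rule) are this script's own assumptions, not a vendor export format.

```python
"""
Correlate "drop an EXE into user Temp, launch it, write into its memory"
from sandbox-style process events.

Added example: not code from the sandbox report or its vendor. The EVENTS
list is constructed from the figures in the report (PIDs 3872 and 1432,
the wsace.exe drop path, the upx yara hit, three WriteProcessMemory IoCs);
the record layout is an assumption of this script.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f93fd9f38cea4dfdbace09e4bdc366abc10db4d19f6ee48248b0190d9a5a7ae6.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\wsace.exe"

# Constructed event log mirroring the report: parent starts, writes the
# child EXE, the EXE matches the upx rule, parent launches it, then writes
# into the child's memory three times.
EVENTS = [
    {"kind": "process_start", "pid": 3872, "ppid": 0, "path": SAMPLE},
    {"kind": "file_write", "pid": 3872, "path": DROPPED},
    {"kind": "yara_match", "path": DROPPED, "rule": "upx"},
    {"kind": "process_start", "pid": 1432, "ppid": 3872, "path": DROPPED},
    {"kind": "write_process_memory", "pid": 3872, "target_pid": 1432},
    {"kind": "write_process_memory", "pid": 3872, "target_pid": 1432},
    {"kind": "write_process_memory", "pid": 3872, "target_pid": 1432},
]

# User-writable staging directory in which a freshly dropped EXE is
# suspicious (case-insensitive, per-user Temp only).
STAGING_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def correlate(events):
    """Return one finding per (parent, child) pair where the parent wrote an
    EXE under a user Temp dir, started it, and then wrote into its memory.
    A process merely started from Temp, or started without a later
    WriteProcessMemory, is not reported."""
    dropped_by = {}            # lower-cased path -> pid that wrote it
    procs = {}                 # pid -> (ppid, path)
    packed = set()             # lower-cased paths with a packer yara hit
    wpm = defaultdict(int)     # (writer pid, target pid) -> hit count

    for ev in events:
        kind = ev["kind"]
        if kind == "file_write" and ev["path"].lower().endswith(".exe"):
            dropped_by[ev["path"].lower()] = ev["pid"]
        elif kind == "process_start":
            procs[ev["pid"]] = (ev["ppid"], ev["path"])
        elif kind == "yara_match" and ev["rule"] == "upx":
            packed.add(ev["path"].lower())
        elif kind == "write_process_memory":
            wpm[(ev["pid"], ev["target_pid"])] += 1

    findings = []
    for pid, (ppid, path) in procs.items():
        key = path.lower()
        if key not in dropped_by or not STAGING_DIR.match(path):
            continue
        writer = dropped_by[key]
        # Require the dropper itself to be the parent and to have written
        # into the new process: that is the chain the report shows.
        if ppid != writer or wpm[(writer, pid)] == 0:
            continue
        findings.append({
            "parent_pid": writer,
            "child_pid": pid,
            "dropped_exe": ntpath.basename(path),
            "packed": key in packed,
            "wpm_count": wpm[(writer, pid)],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Run against the constructed events it reports a single finding, 3872 -> 1432 for wsace.exe, packed, with three WriteProcessMemory hits. Removing the write_process_memory records, or moving the drop out of the user Temp directory, yields no finding, which is the point of keeping all three conditions in one rule rather than alerting on any single signature.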
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\wsace.exe
  MD5: c6f844a1ef5a81a0f4a84c54c2427f60
  SHA1: 38428733b1e37db8ff64a2b4b930c4a35652d28d
  SHA256: 539c8138b6c725cd30866257f03ae801878dbcfa05d70e23ba7c6da52e6745ac
  SHA512: e0814a7b7e5bee14775e73f2b98cad65ff13723c57cba429444d929fafe1a89535fbed558e24dd45eebba917519ba60d4083bb9fadc55dfb5021573adcabb3e7
- memory/1432-114-0x0000000000000000-mapping.dmp