Analysis
- max time kernel: 144s
- max time network: 156s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-05-2021 12:55
Static task: static1
Behavioral task: behavioral1
  Sample: e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
  Resource: win10v20210408
General
- Target: e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
- Size: 66KB
- MD5: bd38a4e4d4c0903e094e4742c345d737
- SHA1: 40a89d66f0a2a6033ebfc25d03913dfca5e09dd4
- SHA256: e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d
- SHA512: 5887f859e2ceda10dfd2f58997fa1920fb24f8ebaad3b29a79e8628b32cb251beaaaa924781eba604984b40dcce290d7302498aae932b19e02ab36aca24087c1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2560 | pkghost.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\Debug\pkghost.exe | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
    File opened for modification | C:\Windows\Debug\pkghost.exe | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
    File opened for modification | C:\Windows\Debug\pkghost.exe | attrib.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeIncBasePriorityPrivilege | 424 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 424 wrote to memory of 2480 | 424 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | attrib.exe
    PID 424 wrote to memory of 2480 | 424 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | attrib.exe
    PID 424 wrote to memory of 2480 | 424 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | attrib.exe
    PID 424 wrote to memory of 804 | 424 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | cmd.exe
    PID 424 wrote to memory of 804 | 424 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | cmd.exe
    PID 424 wrote to memory of 804 | 424 | e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe | cmd.exe
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e20e729dfedf405fca2776f0173a6dc9b76dc24c041330b9c6f7fcd9a6f2f84d.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +a +s +h +r C:\Windows\Debug\pkghost.exe
    - Drops file in Windows directory
    - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E20E72~1.EXE > nul
- C:\Windows\Debug\pkghost.exe
  Command line: C:\Windows\Debug\pkghost.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Debug\pkghost.exe
  MD5: a7478a65203f0509b92de196cfd0578d
  SHA1: 0bfe613c44609cafb929e8877413d93fb2efe8e0
  SHA256: ab8326179b716198f38da4451a31ba8c04ccb4509394da4f30304c8123865695
  SHA512: fa08caa2cb4dd36bfe8e66292ebfb6b08cf9d25c1f43d3dce9842defc99771d98bf9019b5b5f4d7b4edfb695bb0332af7c8ad9fbbf0b1e41b3f4394885057b6b
- memory/804-117-0x0000000000000000-mapping.dmp
- memory/2480-114-0x0000000000000000-mapping.dmp