Analysis
max time kernel: 143s
max time network: 158s
platform: windows10_x64
resource: win10v20210408
submitted: 14-05-2021 07:43
Static task: static1
Behavioral task: behavioral1
Sample: 438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
Resource: win7v20210410
General
Target: 438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
Size: 5.3MB
MD5: fe76cfda06a226938e182b058877011a
SHA1: ac0c8fb27ea00530d95d00809756d9a71c6b137a
SHA256: 438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b
SHA512: 08a434d0b6802c80119f3a380975194cfc75ccd056bf42e353cfd4c381c2e628b52ab3d1f45051964945f8db1411f11437f460ed2c328a19643d6aa2027dacde
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2532  frame.exe
  3752  lphsi.exe
  4040  hrss.exe

Drops startup file (1 IoC)
Processes:
  description   ioc                                                                                   process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\script.lnk  hrss.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                               process
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings  438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid   process
  3028  vlc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  3028  vlc.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                         pid   process
  Token: 33                           3640  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   3640  AUDIODG.EXE
  Token: 33                           3028  vlc.exe
  Token: SeIncBasePriorityPrivilege   3028  vlc.exe

Suspicious use of FindShellTrayWindow (27 IoCs)
Processes:
  pid   process
  3028  vlc.exe  (27 identical entries)

Suspicious use of SendNotifyMessage (8 IoCs)
Processes:
  pid   process
  3028  vlc.exe  (8 identical entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  3028  vlc.exe  (4 identical entries)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                        pid   process                                                                     target process
  PID 2544 wrote to memory of 2532   2544  438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe  frame.exe  (3 entries)
  PID 2544 wrote to memory of 3028   2544  438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe  vlc.exe    (2 entries)
  PID 2532 wrote to memory of 3752   2532  frame.exe                                                                   lphsi.exe  (3 entries)
  PID 2532 wrote to memory of 4040   2532  frame.exe                                                                   hrss.exe   (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\438230eff2aad1d53bdff9065c1648a8a798d618bbb23d3c3c1be45db3c1871b(1).exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2544

    C:\Users\Public\Video\frame.exe
      command line: "C:\Users\Public\Video\frame.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2532

        C:\Users\Public\Video\lphsi.exe
          command line: "C:\Users\Public\Video\lphsi.exe"
          - Executes dropped EXE
          PID: 3752

        C:\Users\Public\Video\hrss.exe
          command line: "C:\Users\Public\Video\hrss.exe"
          - Executes dropped EXE
          - Drops startup file
          PID: 4040

    C:\Program Files\VideoLAN\VLC\vlc.exe
      command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID: 3028

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x214
  - Suspicious use of AdjustPrivilegeToken
  PID: 3640
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2d411dc28a5faeb5893d7769b7c3b8a4
SHA1: 1db46d9a9e27146ca12dcc9caff51ede700cf026
SHA256: b218fb4573b6c8fff51870de463a793238a4f317ce9abdcf8352954f92328eac
SHA512: 5aab004d78dc87528f8965426d446dde68f8c8ff4a34cfecf1b69ade65b625f15d34fccbf4629ff42e49410379bd447eaa4f2339f11483d950e174a7d5aa8804

MD5: 747d4870a9e1504b1f802fce83704bb1
SHA1: cb5b1fb54a6f1081d985dc44462983e31778d9d5
SHA256: 3a04dd93ec9da19781ba97412b466452a9682a390f2cf4426f722e424465fb19
SHA512: 03adf5635828256581a4ec708c3734eebd11e603f9a4e3bd6a3149fcf525a85bf45ad4b880b0de37b9658794c88ad3cd6f9a4a43e4f6ad4bd01110d72a502a12

MD5: 0bafccfaec9c7d45ce491e4b0ddc1bdf
SHA1: f0fa26da45d04ca36e9eb0acbc2d8ddce881e096
SHA256: 9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c
SHA512: c32b734420be1ee3a54dfea117f2fb14353fbd39831d8bbe8a4515c983f0781c38d4bcc8a6c5fd0785693fa3a16add499387bd8add21f706c9927d537e38184e

MD5: 6db2f5ec1a147474049457da8a8b4e19
SHA1: 2c27ea1a99da4d75e56bb1db0ba4476ef024db90
SHA256: f2f673e454a9b91653b4c0dbaa12bafaef2151013dc78c9235339c4ca03c48e3
SHA512: fc8eb7937940c08551b120408ce4920de5aa4aee3f53aab7e16328d4572c1dc5397fbd8f1b5f185f32b0addf31a35272ec8bf390725b566427eff2f801eb27d8