68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09

Analysis

max time kernel
123s
max time network
160s
platform
windows7_x64
resource
win7v20210408
submitted
19/05/2021, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe
Size

10KB
MD5

c41d36f50230996c2c0f6b245658f930
SHA1

02abda2ec6cc3ea0eb8067c598079d7808df51f3
SHA256

68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09
SHA512

21ba1ee1886552a240d2c2c5e842d96cada8eb518f04f42526e33bb08a939caa3f699b1d3dff80a803d6ce22d4241ffb72772c1c90c1149b5cf22a85b57eaa51

Score

8^/10

ransomware

Malware Config

Signatures

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\LimitUnregister.png => C:\Users\Admin\Pictures\LimitUnregister.png.bagli	68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe
File renamed	C:\Users\Admin\Pictures\StartSend.png => C:\Users\Admin\Pictures\StartSend.png.bagli	68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oxu.txt	68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 576	1840	68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe	27
PID 1840 wrote to memory of 576	1840	68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe	27
PID 1840 wrote to memory of 576	1840	68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe	27

C:\Users\Admin\AppData\Local\Temp\68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe
"C:\Users\Admin\AppData\Local\Temp\68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oxu.txt
  2⤵
  PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-62-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/1840-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download