Analysis

  • max time kernel
    151s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03-06-2021 09:12

General

  • Target

    PL.exportcagrifance.exe

  • Size

    204KB

  • MD5

    e7b0bbe1482189169186f932f66fdfd4

  • SHA1

    7011360f134f5c68c5601885abfc7d894728b57d

  • SHA256

    4934774c7509bb829881702ef12f2fe40b9537e1a266de55f4b61248553dc248

  • SHA512

    af0a2d106e5c28234a8c8ab21bbe460cf2cbb1b1f645b6f38cf8f3548e5120b595536107dc8d5c988efac0581610a6aaef561047c704f82f76d9396ec4b789b4

Score
6/10

Malware Config

Signatures

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 3 IoCs

    Three indicators, matching the three argument-less InstallUtil.exe children spawned below. Together with the WriteProcessMemory activity from the same parent, this is the API pattern of process hollowing: a legitimate host is started, its memory is overwritten, and its thread context is redirected to the injected code. All three children then crash into WerFault.exe, which suggests the injected payload did not run cleanly in this environment.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Commonly seen in ransomware enumerating drives before encryption, but on its own this is not conclusive; no file encryption or ransom note was recorded in this run.

  • Program crash 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PL.exportcagrifance.exe
    "C:\Users\Admin\AppData\Local\Temp\PL.exportcagrifance.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
      2⤵
        PID:3196
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 96
          3⤵
          • Program crash
          PID:3244
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
        2⤵
          PID:1000
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 88
            3⤵
            • Program crash
            PID:476
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
          2⤵
            PID:1056
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 88
              3⤵
              • Program crash
              PID:1156
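The process tree above is the detection opportunity: InstallUtil.exe is a legitimate .NET tool, but a real invocation always carries the path of an assembly to install, whereas here it is launched three times with a bare command line by a parent running out of the user's Temp directory, and each child is then reported on by WerFault.exe. The following is an added example, not part of the sandbox report, showing that logic run over constructed Sysmon-style process-creation lines modelled on the tree (the `pid=... ppid=... image=... cmdline=...` format, the PID 5000 control case with a real-looking argument list, and the "parent outside C:\Windows" heuristic are all assumptions made for the example).

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed Sysmon-style process-creation lines modelled on the report's
# process tree. PID 5000 is a made-up benign control case: InstallUtil run
# with an assembly path, as a legitimate installer would.
SAMPLE_EVENTS = r"""
pid=4804 ppid=1 image=C:\Users\Admin\AppData\Local\Temp\PL.exportcagrifance.exe cmdline="C:\Users\Admin\AppData\Local\Temp\PL.exportcagrifance.exe"
pid=3196 ppid=4804 image=C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe cmdline="C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
pid=3244 ppid=3196 image=C:\Windows\SysWOW64\WerFault.exe cmdline=C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 96
pid=1000 ppid=4804 image=C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe cmdline="C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
pid=5000 ppid=4804 image=C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe cmdline="C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /LogToConsole=false C:\app\svc.exe
"""

EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(\S+) cmdline=(.*)")


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the assumed key=value event format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(ProcEvent(int(m[1]), int(m[2]), m[3], m[4].strip()))
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _has_arguments(cmdline: str, image: str) -> bool:
    # A bare (possibly quoted) image path means no assembly path was passed;
    # legitimate InstallUtil invocations always carry one.
    return cmdline.strip().strip('"').lower() != image.lower()


def find_hollowed_installutil(events: List[ProcEvent]) -> List[dict]:
    """One finding per argument-less InstallUtil.exe child whose parent runs
    outside the Windows directory; 'crashed' is set when a later WerFault.exe
    instance reports on that pid (the -p <pid> argument)."""
    by_pid = {e.pid: e for e in events}
    findings: List[dict] = []
    for e in events:
        if _basename(e.image) != "installutil.exe" or _has_arguments(e.cmdline, e.image):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower().startswith("c:\\windows\\"):
            continue  # spawned by something under the Windows directory; not this pattern
        findings.append({"pid": e.pid,
                         "parent": parent.image if parent else None,
                         "crashed": False})

    # Correlate WerFault -p <pid> with the flagged children.
    flagged = {f["pid"]: f for f in findings}
    for e in events:
        if _basename(e.image) == "werfault.exe":
            m = re.search(r"-p (\d+)", e.cmdline)
            if m and int(m[1]) in flagged:
                flagged[int(m[1])]["crashed"] = True
    return findings


if __name__ == "__main__":
    for finding in find_hollowed_installutil(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against the constructed lines, PIDs 3196 and 1000 are flagged and 3196 is additionally marked as crashed, while PID 5000 passes because it carries an assembly path. The WerFault correlation matters in triage: a hollowed host that crashes immediately usually means the payload failed in the sandbox, so the interesting code is in the memory dumps of those children rather than in anything the dropper wrote to disk.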

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081), 1 hit
  • Discovery
    System Information Discovery (T1082), 1 hit
  • Collection
    Data from Local System (T1005), 1 hit


Downloads

  Memory dumps captured from the three InstallUtil.exe children (PIDs 3196, 1000 and 1056). All three reference the same address, 0x412452, consistent with the same code being written into each host; these dumps, rather than the 204KB dropper, are where analysis of the injected stage should start.

  • memory/1000-119-0x0000000000412452-mapping.dmp
  • memory/1056-121-0x0000000000412452-mapping.dmp
  • memory/3196-117-0x0000000000412452-mapping.dmp