Analysis
-
max time kernel
151s -
max time network
120s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
03-06-2021 09:12
Static task
static1
Behavioral task
behavioral1
Sample
PL.exportcagrifance.exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
PL.exportcagrifance.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
PL.exportcagrifance.exe
-
Size
204KB
-
MD5
e7b0bbe1482189169186f932f66fdfd4
-
SHA1
7011360f134f5c68c5601885abfc7d894728b57d
-
SHA256
4934774c7509bb829881702ef12f2fe40b9537e1a266de55f4b61248553dc248
-
SHA512
af0a2d106e5c28234a8c8ab21bbe460cf2cbb1b1f645b6f38cf8f3548e5120b595536107dc8d5c988efac0581610a6aaef561047c704f82f76d9396ec4b789b4
Score
6/10
Malware Config
Signatures
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4804 set thread context of 3196 4804 PL.exportcagrifance.exe 75 PID 4804 set thread context of 1000 4804 PL.exportcagrifance.exe 81 PID 4804 set thread context of 1056 4804 PL.exportcagrifance.exe 83 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
pid pid_target Process procid_target 3244 3196 WerFault.exe 75 476 1000 WerFault.exe 81 1156 1056 WerFault.exe 83 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4804 PL.exportcagrifance.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4804 PL.exportcagrifance.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4804 PL.exportcagrifance.exe 4804 PL.exportcagrifance.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4804 wrote to memory of 3196 4804 PL.exportcagrifance.exe 75 PID 4804 wrote to memory of 3196 4804 PL.exportcagrifance.exe 75 PID 4804 wrote to memory of 3196 4804 PL.exportcagrifance.exe 75 PID 4804 wrote to memory of 3196 4804 PL.exportcagrifance.exe 75 PID 4804 wrote to memory of 1000 4804 PL.exportcagrifance.exe 81 PID 4804 wrote to memory of 1000 4804 PL.exportcagrifance.exe 81 PID 4804 wrote to memory of 1000 4804 PL.exportcagrifance.exe 81 PID 4804 wrote to memory of 1000 4804 PL.exportcagrifance.exe 81 PID 4804 wrote to memory of 1056 4804 PL.exportcagrifance.exe 83 PID 4804 wrote to memory of 1056 4804 PL.exportcagrifance.exe 83 PID 4804 wrote to memory of 1056 4804 PL.exportcagrifance.exe 83 PID 4804 wrote to memory of 1056 4804 PL.exportcagrifance.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\PL.exportcagrifance.exe"C:\Users\Admin\AppData\Local\Temp\PL.exportcagrifance.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"2⤵PID:3196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 963⤵
- Program crash
PID:3244
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"2⤵PID:1000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 883⤵
- Program crash
PID:476
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"2⤵PID:1056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 883⤵
- Program crash
PID:1156
-
-