Analysis
max time kernel: 13s
max time network: 43s
platform: windows7_x64
resource: win7v20210410
submitted: 06-06-2021 15:38
Behavioral task: behavioral1
Sample: aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
Resource: win10v20210410
General
Target: aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
Size: 1.9MB
MD5: 063771d5573448ee6a271584a4b6a26a
SHA1: e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256: 69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
SHA512: b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf
Malware Config
Extracted from: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PAYLOADBIN-README.txt
Signatures

YARA rule matches
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\SetupPlay8\Dev | cryptone
\Users\Admin\AppData\Roaming\SetupPlay8\Dev | cryptone
C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev | cryptone
C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev | cryptone

Executes dropped EXE (1 IoC)
Processes:
pid | process
612 | Dev

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\OptimizeUninstall.crw => C:\Users\Admin\Pictures\OptimizeUninstall.crw.PAYLOADBIN | Dev
File opened for modification | C:\Users\Admin\Pictures\OptimizeUninstall.crw.PAYLOADBIN | Dev

Deletes itself (1 IoC)
Processes:
pid | process
1648 | cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
1072 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
1072 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process
PID 1072 wrote to memory of 612 | 1072 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | Dev
PID 1072 wrote to memory of 612 | 1072 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | Dev
PID 1072 wrote to memory of 612 | 1072 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | Dev
PID 612 wrote to memory of 620 | 612 | Dev | cmd.exe
PID 612 wrote to memory of 620 | 612 | Dev | cmd.exe
PID 612 wrote to memory of 620 | 612 | Dev | cmd.exe
PID 1072 wrote to memory of 1648 | 1072 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | cmd.exe
PID 1072 wrote to memory of 1648 | 1072 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | cmd.exe
PID 1072 wrote to memory of 1648 | 1072 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | cmd.exe
PID 620 wrote to memory of 776 | 620 | cmd.exe | waitfor.exe
PID 620 wrote to memory of 776 | 620 | cmd.exe | waitfor.exe
PID 620 wrote to memory of 776 | 620 | cmd.exe | waitfor.exe
PID 1648 wrote to memory of 672 | 1648 | cmd.exe | waitfor.exe
PID 1648 wrote to memory of 672 | 1648 | cmd.exe | waitfor.exe
PID 1648 wrote to memory of 672 | 1648 | cmd.exe | waitfor.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1072

    [2] C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev
        Command line: C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev /go
        - Executes dropped EXE
        - Modifies extensions of user files
        - Suspicious use of WriteProcessMemory
        PID: 612

        [3] C:\Windows\system32\cmd.exe
            Command line: cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev" & rd "C:\Users\Admin\AppData\Roaming\SetupPlay8\"
            - Suspicious use of WriteProcessMemory
            PID: 620

            [4] C:\Windows\system32\waitfor.exe
                Command line: waitfor /t 10 pause /d y
                PID: 776

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 1648

        [3] C:\Windows\system32\waitfor.exe
            Command line: waitfor /t 10 pause /d y
            PID: 672
Downloads

C:\Users\Admin\AppData\Roaming\SetupPlay8\Dev
MD5: 063771d5573448ee6a271584a4b6a26a
SHA1: e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256: 69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
SHA512: b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

\Users\Admin\AppData\Roaming\SetupPlay8\Dev
MD5: 063771d5573448ee6a271584a4b6a26a
SHA1: e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256: 69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
SHA512: b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf

Memory dumps
memory/612-63-0x0000000000000000-mapping.dmp
memory/612-65-0x0000000140000000-0x00000001401EC000-memory.dmp (Filesize: 1.9MB)
memory/620-67-0x0000000000000000-mapping.dmp
memory/672-70-0x0000000000000000-mapping.dmp
memory/776-69-0x0000000000000000-mapping.dmp
memory/1072-59-0x0000000140000000-0x00000001401EC000-memory.dmp (Filesize: 1.9MB)
memory/1072-60-0x0000000001B20000-0x0000000001CE8000-memory.dmp (Filesize: 1.8MB)
memory/1648-68-0x0000000000000000-mapping.dmp