Analysis
max time kernel: 81s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 06-06-2021 15:38
Behavioral task behavioral1
Sample: aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
Resource: win7v20210410
Behavioral task behavioral2
Sample: aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
Resource: win10v20210410
General
Target: aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe
Size: 1.9MB
MD5: 063771d5573448ee6a271584a4b6a26a
SHA1: e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256: 69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
SHA512: b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf
Malware Config
Extracted: C:\PAYLOADBIN-README.txt
Signatures
-
YARA matches:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\WispWimmount\Auth | cryptone
Executes dropped EXE (1 IoC)
Processes:
pid | process
692 | Auth
Modifies extensions of user files (10 IoCs)
Ransomware commonly appends or changes the extension of the files it encrypts; here every renamed file in the user's Pictures folder gains the .PAYLOADBIN suffix, and each renamed file is then opened for modification by the dropped Auth process.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\UpdateComplete.png => C:\Users\Admin\Pictures\UpdateComplete.png.PAYLOADBIN | Auth
File renamed | C:\Users\Admin\Pictures\WaitBackup.tif => C:\Users\Admin\Pictures\WaitBackup.tif.PAYLOADBIN | Auth
File opened for modification | C:\Users\Admin\Pictures\WaitBackup.tif.PAYLOADBIN | Auth
File renamed | C:\Users\Admin\Pictures\ResolveHide.tiff => C:\Users\Admin\Pictures\ResolveHide.tiff.PAYLOADBIN | Auth
File opened for modification | C:\Users\Admin\Pictures\ResolveHide.tiff.PAYLOADBIN | Auth
File renamed | C:\Users\Admin\Pictures\StartUninstall.tif => C:\Users\Admin\Pictures\StartUninstall.tif.PAYLOADBIN | Auth
File opened for modification | C:\Users\Admin\Pictures\StartUninstall.tif.PAYLOADBIN | Auth
File renamed | C:\Users\Admin\Pictures\TraceExport.tif => C:\Users\Admin\Pictures\TraceExport.tif.PAYLOADBIN | Auth
File opened for modification | C:\Users\Admin\Pictures\TraceExport.tif.PAYLOADBIN | Auth
File opened for modification | C:\Users\Admin\Pictures\UpdateComplete.png.PAYLOADBIN | Auth
Suspicious use of WriteProcessMemory (10 IoCs)
Every write recorded here goes from a parent into a child it has just created, so these events trace the process tree below rather than injection into an unrelated process.
Processes:
description | pid | process | target process
PID 3424 wrote to memory of 692 | 3424 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | Auth
PID 3424 wrote to memory of 692 | 3424 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | Auth
PID 692 wrote to memory of 3820 | 692 | Auth | cmd.exe
PID 692 wrote to memory of 3820 | 692 | Auth | cmd.exe
PID 3424 wrote to memory of 1348 | 3424 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | cmd.exe
PID 3424 wrote to memory of 1348 | 3424 | aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe | cmd.exe
PID 3820 wrote to memory of 3120 | 3820 | cmd.exe | waitfor.exe
PID 3820 wrote to memory of 3120 | 3820 | cmd.exe | waitfor.exe
PID 1348 wrote to memory of 3104 | 1348 | cmd.exe | waitfor.exe
PID 1348 wrote to memory of 3104 | 1348 | cmd.exe | waitfor.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe (PID 3424)
   command line: "C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WispWimmount\Auth (PID 692)
      command line: C:\Users\Admin\AppData\Roaming\WispWimmount\Auth /go
      - Executes dropped EXE
      - Modifies extensions of user files
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\cmd.exe (PID 3820)
         command line: cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Roaming\WispWimmount\Auth" & rd "C:\Users\Admin\AppData\Roaming\WispWimmount\"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\waitfor.exe (PID 3120)
            command line: waitfor /t 10 pause /d y
   2. C:\Windows\SYSTEM32\cmd.exe (PID 1348)
      command line: cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\waitfor.exe (PID 3104)
         command line: waitfor /t 10 pause /d y

Both cmd.exe lines are self-deletion. waitfor /t 10 pause blocks for up to 10 seconds waiting for a signal named "pause" that nothing ever sends, so it acts as a sleep that gives the calling process time to exit and release its image file; because the commands are chained with & rather than &&, del runs whether or not waitfor times out. The dropped copy removes itself and its WispWimmount directory, and the original sample removes itself from Temp. Note that rd without /s only removes an empty directory, so the Temp folder itself will normally survive.
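The two behaviours the report records for the dropped Auth process, mass renames that append one new extension and a delayed self-delete through cmd.exe, are the things a triage script should pick out of this kind of log. The checks below are an added example written for this page, not code from the sandbox or from the sample; they replay the report's own rename IoCs and process command lines (plus one constructed benign rename to show what is not flagged). The min_hits threshold and the list of delay commands are assumptions chosen for the example.

```python
"""Replay the rename IoCs and the process tree from the report through two
detections: (1) many renames that append the same new suffix, the classic
ransomware extension change; (2) a cmd.exe line that delays and then deletes
the image of another process in the tree, i.e. self-deletion.
All input below is constructed from the report text above."""
import re
from collections import Counter

# Rename IoCs copied from the "Modifies extensions of user files" table,
# plus one constructed benign rename that must not be counted.
RENAME_EVENTS = [
    r"File renamed C:\Users\Admin\Pictures\UpdateComplete.png => C:\Users\Admin\Pictures\UpdateComplete.png.PAYLOADBIN",
    r"File renamed C:\Users\Admin\Pictures\WaitBackup.tif => C:\Users\Admin\Pictures\WaitBackup.tif.PAYLOADBIN",
    r"File renamed C:\Users\Admin\Pictures\ResolveHide.tiff => C:\Users\Admin\Pictures\ResolveHide.tiff.PAYLOADBIN",
    r"File renamed C:\Users\Admin\Pictures\StartUninstall.tif => C:\Users\Admin\Pictures\StartUninstall.tif.PAYLOADBIN",
    r"File renamed C:\Users\Admin\Pictures\TraceExport.tif => C:\Users\Admin\Pictures\TraceExport.tif.PAYLOADBIN",
    r"File renamed C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\final.docx",  # constructed, benign
]

# (pid, image path, command line) copied from the process tree.
PROCESSES = [
    (3424, r"C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe"'),
    (692, r"C:\Users\Admin\AppData\Roaming\WispWimmount\Auth",
     r"C:\Users\Admin\AppData\Roaming\WispWimmount\Auth /go"),
    (3820, r"C:\Windows\SYSTEM32\cmd.exe",
     r'cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Roaming\WispWimmount\Auth" & rd "C:\Users\Admin\AppData\Roaming\WispWimmount\"'),
    (1348, r"C:\Windows\SYSTEM32\cmd.exe",
     r'cmd /c waitfor /t 10 pause /d y & del "C:\Users\Admin\AppData\Local\Temp\aXdTiesCB-7Do-VkmgrZMVhWyBD1lcCGrEnWjNvB0TY.bin.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"'),
    (3104, r"C:\Windows\system32\waitfor.exe", r"waitfor /t 10 pause /d y"),
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+)$")
# Commands commonly abused as a sleep before a delete (assumed list).
DELAY_RE = re.compile(r"\b(waitfor|timeout|ping|choice)\b", re.I)
# 'del <path>' with optional quotes, terminated by the next '&' or end of line.
DEL_RE = re.compile(r'\bdel\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def appended_extensions(events, min_hits=3):
    """Count renames where the new name is the old name plus a suffix.
    Returns {suffix: count} for suffixes seen at least min_hits times."""
    hits = Counter()
    for line in events:
        m = RENAME_RE.match(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        if dst.startswith(src) and len(dst) > len(src):
            hits[dst[len(src):]] += 1
    return {ext: n for ext, n in hits.items() if n >= min_hits}


def self_delete_targets(processes):
    """Return [(cmd pid, deleted path)] for cmd.exe command lines that contain
    a delay command and delete a path that is the image of a process in the tree."""
    images = {path.lower() for _, path, _ in processes}
    found = []
    for pid, image, cmdline in processes:
        if not image.lower().endswith("cmd.exe") or not DELAY_RE.search(cmdline):
            continue
        for target in DEL_RE.findall(cmdline):
            if target.strip().lower() in images:
                found.append((pid, target.strip()))
    return found


if __name__ == "__main__":
    for ext, n in appended_extensions(RENAME_EVENTS).items():
        print(f"extension appended to {n} files: {ext}")
    for pid, path in self_delete_targets(PROCESSES):
        print(f"cmd.exe PID {pid} deletes process image after a delay: {path}")
```

Matching the deleted path against the set of image paths is what separates self-deletion from ordinary cleanup: a script that deletes a temp file is not interesting, a cmd.exe that deletes the executable of its own parent (or, as here, of the process that spawned its parent) is.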
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Roaming\WispWimmount\Auth
MD5: 063771d5573448ee6a271584a4b6a26a
SHA1: e23637ea81751e558fca17ef1a54b6e39d2e83c3
SHA256: 69775389eb0207fec3a3f5649a0ad9315856c810f595c086ac49d68cdbc1d136
SHA512: b17cd1310d4fd2af4659e6e9b2a218c3930f5d1ec439939331c71af789e39865d8afdc7e1fc93b62311aae4ae6adea1eb0d29bbb67427877a8ef60a19cbadabf
These hashes are identical to the submitted sample's, so Auth is a byte-for-byte copy of the original executable relocated to AppData\Roaming, not a separate second-stage payload; the same file-level indicators cover both.
Memory dumps
- memory/692-116-0x0000000000000000-mapping.dmp
- memory/692-119-0x0000000140000000-0x00000001401EC000-memory.dmp (Filesize 1.9MB)
- memory/1348-122-0x0000000000000000-mapping.dmp
- memory/3104-124-0x0000000000000000-mapping.dmp
- memory/3120-123-0x0000000000000000-mapping.dmp
- memory/3424-114-0x0000000140000000-0x00000001401EC000-memory.dmp (Filesize 1.9MB)
- memory/3424-115-0x0000000001F10000-0x00000000020D8000-memory.dmp (Filesize 1.8MB)
- memory/3820-121-0x0000000000000000-mapping.dmp
The original sample (PID 3424) and the dropped copy (PID 692) map the same 1.9MB image at 0x140000000-0x1401EC000, consistent with their identical hashes. The parent additionally holds a separate 1.8MB private region at 0x1F10000-0x20D8000; that dump, rather than the image mapping, is the one to examine first when looking for an unpacked copy of the code.