b3ca5d5244aacc4709ac02be2fa3f3525cf5f1e8bc7a8ad6ae3dfa668a8cf531

General

Target

7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
Size

5KB
MD5

08c1b410a3c20bcc4cd1ee2906c240af
SHA1

97864c23a1c46e30633c9c3a2ee74e3d6de262a9
SHA256

7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31
SHA512

d11530a312f13b0e24009ba54751bc29d21144c474e8211bfdb3446ed4cac409049e3553eca117b29a2d3898612419bfd8dfc7a89da43c309c30c2fa19479d47

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\EnableEnter.crw.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
File created	C:\Users\Admin\Pictures\HideAdd.tif.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
File created	C:\Users\Admin\Pictures\MountSync.raw.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
File created	C:\Users\Admin\Pictures\SaveUpdate.raw.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
File created	C:\Users\Admin\Pictures\SuspendShow.png.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
File created	C:\Users\Admin\Pictures\UseConvertTo.crw.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
File created	C:\Users\Admin\Pictures\ConvertFromReceive.crw.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
File created	C:\Users\Admin\Pictures\PingMeasure.raw.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
File created	C:\Users\Admin\Pictures\RestartSave.raw.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe

Drops startup file 1 IoCs

Processes:

7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick	7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 13 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.sick	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.sick\ = "sick_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\edit	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

936 NOTEPAD.EXE
1220 NOTEPAD.EXE

pid	process
936	NOTEPAD.EXE
1220	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1796 wrote to memory of 1604	1796	rundll32.exe	NOTEPAD.EXE
PID 1796 wrote to memory of 1604	1796	rundll32.exe	NOTEPAD.EXE
PID 1796 wrote to memory of 1604	1796	rundll32.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
"C:\Users\Admin\AppData\Local\Temp\7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
PID:1076

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick
2⤵
PID:1604

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:936

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1220

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick
MD5
c37eb8311d8c7940ae59b48b1d3d3780

SHA1
470ab38c238b43caf9cb381c01be9fac43ef6ad8

SHA256
84772f3f9a7c6ebe2fa4131eb8420a657fd57c4e08c6db40886ec999f1b9f714

SHA512
e249e425f4eb58d9178517774e9b8255aa8ea4ab8df158218318443814ead2c4e77d6aab43bb7feeb3069986d65bc368a438ffaaca37624a978696b7aecc8681

Download Submit
C:\Users\Admin\Desktop\HELP.txt
MD5
615fbbc155ef987e6645928e1fc77340

SHA1
6db7318f0c0844848a75241b99df0b37bcfdaf3a

SHA256
e8fb5b72c8f5ef1aa92e9eaa18d49e420a9284fe0584afbbec4f0486e820fb83

SHA512
7d2b29de06cfdc3b65cca5619f0379bcdf9375e0de6b88eaf385844c25711a4059212442109f31ab4b8b900a8efc8d2162e459ad474fa091257a44d24686f1b7

Download Submit
memory/1076-59-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1604-62-0x0000000000000000-mapping.dmp

Download
memory/1796-61-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads