Analysis
- max time kernel: 119s
- max time network: 165s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 09-06-2021 19:07
Static task: static1
Behavioral task: behavioral1
  Sample: 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  Resource: win10v20210410
General
- Target: 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
- Size: 5KB
- MD5: 08c1b410a3c20bcc4cd1ee2906c240af
- SHA1: 97864c23a1c46e30633c9c3a2ee74e3d6de262a9
- SHA256: 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31
- SHA512: d11530a312f13b0e24009ba54751bc29d21144c474e8211bfdb3446ed4cac409049e3553eca117b29a2d3898612419bfd8dfc7a89da43c309c30c2fa19479d47
Malware Config
Signatures
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  description | ioc | process
  File created | C:\Users\Admin\Pictures\EnableEnter.crw.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  File created | C:\Users\Admin\Pictures\HideAdd.tif.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  File created | C:\Users\Admin\Pictures\MountSync.raw.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  File created | C:\Users\Admin\Pictures\SaveUpdate.raw.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  File created | C:\Users\Admin\Pictures\SuspendShow.png.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  File created | C:\Users\Admin\Pictures\UseConvertTo.crw.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  File created | C:\Users\Admin\Pictures\ConvertFromReceive.crw.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  File created | C:\Users\Admin\Pictures\PingMeasure.raw.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  File created | C:\Users\Admin\Pictures\RestartSave.raw.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
- Drops startup file (1 IoC)
  Processes: 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick | 7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (13 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\open | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.sick | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.sick\ = "sick_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\edit\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\open\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\edit | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\sick_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | rundll32.exe
- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes: NOTEPAD.EXE, NOTEPAD.EXE
  pid | process
  936 | NOTEPAD.EXE
  1220 | NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 1796 wrote to memory of 1604 | 1796 | rundll32.exe | NOTEPAD.EXE
  PID 1796 wrote to memory of 1604 | 1796 | rundll32.exe | NOTEPAD.EXE
  PID 1796 wrote to memory of 1604 | 1796 | rundll32.exe | NOTEPAD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe"
  - Modifies extensions of user files
  - Drops startup file
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP.txt
  - Opens file in notepad (likely ransom note)
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP.txt
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick
  MD5: c37eb8311d8c7940ae59b48b1d3d3780
  SHA1: 470ab38c238b43caf9cb381c01be9fac43ef6ad8
  SHA256: 84772f3f9a7c6ebe2fa4131eb8420a657fd57c4e08c6db40886ec999f1b9f714
  SHA512: e249e425f4eb58d9178517774e9b8255aa8ea4ab8df158218318443814ead2c4e77d6aab43bb7feeb3069986d65bc368a438ffaaca37624a978696b7aecc8681
- C:\Users\Admin\Desktop\HELP.txt
  MD5: 615fbbc155ef987e6645928e1fc77340
  SHA1: 6db7318f0c0844848a75241b99df0b37bcfdaf3a
  SHA256: e8fb5b72c8f5ef1aa92e9eaa18d49e420a9284fe0584afbbec4f0486e820fb83
  SHA512: 7d2b29de06cfdc3b65cca5619f0379bcdf9375e0de6b88eaf385844c25711a4059212442109f31ab4b8b900a8efc8d2162e459ad474fa091257a44d24686f1b7
- memory/1076-59-0x00000000002F0000-0x00000000002F1000-memory.dmp
  Filesize: 4KB
- memory/1604-62-0x0000000000000000-mapping.dmp
- memory/1796-61-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp
  Filesize: 8KB