Analysis

  • max time kernel
    119s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    09/06/2021, 19:07

General

  • Target

    7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe

  • Size

    5KB

  • MD5

    08c1b410a3c20bcc4cd1ee2906c240af

  • SHA1

    97864c23a1c46e30633c9c3a2ee74e3d6de262a9

  • SHA256

    7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31

  • SHA512

    d11530a312f13b0e24009ba54751bc29d21144c474e8211bfdb3446ed4cac409049e3553eca117b29a2d3898612419bfd8dfc7a89da43c309c30c2fa19479d47

Malware Config

Signatures

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 13 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe
    "C:\Users\Admin\AppData\Local\Temp\7dc40a9e663d516089df8a653d79bcd705425fc74caf56b32f45c4786b51ba31.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    PID:1076
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.sick
      2⤵
        PID:1604
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:936
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1220

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1076-59-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

  • memory/1796-61-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

    Filesize

    8KB