Overview

overview

5

Static

static

sample.exe

windows7_x64

5

sample.exe

windows10_x64

5

Resubmissions

28-08-2022 23:26

220828-3e8ymagabq 5

10-06-2021 11:42

210610-j9y37a6cma 5

10-06-2021 11:31

210610-k9s461t52a 5

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    10-06-2021 11:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    2.3MB

  • MD5

    84ffb87cc91d697db2f5685df68de7af

  • SHA1

    4f0360d60b685ed6059d32aef24c6b3cbbd46e9e

  • SHA256

    10bba07a1965c61a2ec05b46331e3eeda3d7bdeb8074c86009dc11f2564048fa

  • SHA512

    c6b178f37b2318b4eeaf1e151cac70a10b0be8eeb0e8153bd324a66314a33dca27e43254518a4b2db2ed5cab31ff836e0fa84e2a8112b67772409d77f39d5e9f

Score
5/10
ransomware

Malware Config

Signatures

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 12 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    PID:736
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\AssertEnable.vsdx.bam!
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\AssertEnable.vsdx.bam!
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:524
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\AssertEnable.vsdx.bam!
    MD5

    d65ba7e9847369b709cbbd74d6a09aaf

    SHA1

    72922d0ab9dba5a5bd1cd8c1dfdf3ab62112755d

    SHA256

    1e323d09edf69d246103061ff0f14dfed226cb902b14611b1c06bfec3beab4ca

    SHA512

    da20ecba20b4369ad491e599e146ecfe54e0831f4ebecd014b0f3be642c67f02bfaa9dd86094cc721301a49deb37dad0969c5821c5de4f81a7fc9a704637fb40

    Download Submit
  • memory/524-62-0x0000000000000000-mapping.dmp
    Download
  • memory/736-60-0x0000000075891000-0x0000000075893000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1792-61-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp
    Filesize

    8KB

    Download