Analysis
  max time kernel    19s
  max time network   12s
  platform           windows7_x64
  resource           win7v20210410
  submitted          24-06-2021 06:03
  Static task        static1
  Behavioral task    behavioral1
  Sample             808e34a763acd79d01eeb1f54b18a551.exe
  Resource           win7v20210410
General
  Target   808e34a763acd79d01eeb1f54b18a551.exe
  Size     3.5MB
  MD5      808e34a763acd79d01eeb1f54b18a551
  SHA1     df3f6e0f29d9d65a2afc401ab6938044f24c5506
  SHA256   86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
  SHA512   9638d841bbbb059f6c6be89f3664ce68b4749585a523a776e51b6d591c6ccb60b6df3aa34d25bf8df7521f883b7e31108da64c1112ff3fd369945acc0885a31c
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   Process
    1048  unpakedree.exe
    1096  xc829374091FD.exe
    752   xc829374091FD.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid   Process
    1644  cmd.exe
    688   cmd.exe
    688   cmd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid   Process            procid_target
    PID 1096 set thread context of 752  1096  xc829374091FD.exe  43
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (5 IoCs)
  Processes:
    pid   Process
    1776  timeout.exe
    772   timeout.exe
    872   timeout.exe
    436   timeout.exe
    1952  timeout.exe
- Kills process with taskkill (2 IoCs)
  Processes:
    pid   Process
    1628  taskkill.exe
    784   taskkill.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   Process
    Token: SeDebugPrivilege   1628  taskkill.exe
    Token: SeDebugPrivilege   784   taskkill.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each write listed once, with the number of identical entries the report records; 64 entries in total):
    description                       pid   Process                               procid_target  entries
    PID 1116 wrote to memory of 1652  1116  808e34a763acd79d01eeb1f54b18a551.exe  29             4
    PID 1652 wrote to memory of 1644  1652  WScript.exe                           30             4
    PID 1644 wrote to memory of 1776  1644  cmd.exe                               32             4
    PID 1644 wrote to memory of 1772  1644  cmd.exe                               33             4
    PID 1644 wrote to memory of 1048  1644  cmd.exe                               34             4
    PID 1644 wrote to memory of 772   1644  cmd.exe                               35             4
    PID 1644 wrote to memory of 1616  1644  cmd.exe                               36             4
    PID 1644 wrote to memory of 872   1644  cmd.exe                               37             4
    PID 1616 wrote to memory of 688   1616  WScript.exe                           38             4
    PID 688 wrote to memory of 768    688   cmd.exe                               40             4
    PID 688 wrote to memory of 436    688   cmd.exe                               41             4
    PID 688 wrote to memory of 1096   688   cmd.exe                               42             4
    PID 1096 wrote to memory of 752   1096  xc829374091FD.exe                     43             6
    PID 688 wrote to memory of 1628   688   cmd.exe                               44             4
    PID 688 wrote to memory of 784    688   cmd.exe                               46             4
    PID 688 wrote to memory of 552    688   cmd.exe                               47             2
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes:
    pid   Process
    552   attrib.exe
    768   attrib.exe
Processes (tree; the bracketed number is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\808e34a763acd79d01eeb1f54b18a551.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\808e34a763acd79d01eeb1f54b18a551.exe"
    PID: 1116
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      Command: "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
      PID: 1652
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command: cmd /c ""C:\LMPupdate\set\183.bat" "
        PID: 1644
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\timeout.exe
          Command: timeout 0
          PID: 1776
          - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\PING.EXE
          Command: ping dhgfg sgudy
          PID: 1772
          - Runs ping.exe
      [4] C:\LMPupdate\set\unpakedree.exe
          Command: "unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
          PID: 1048
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\timeout.exe
          Command: timeout 5
          PID: 772
          - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\WScript.exe
          Command: "C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
          PID: 1616
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command: cmd /c ""C:\LMPupdate\set\48551.bat" "
            PID: 688
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\attrib.exe
              Command: attrib +s +h "C:\LMPupdate\set"
              PID: 768
              - Views/modifies file attributes
          [6] C:\Windows\SysWOW64\timeout.exe
              Command: timeout 2
              PID: 436
              - Delays execution with timeout.exe
          [6] C:\LMPupdate\set\xc829374091FD.exe
              Command: xc829374091FD.exe /start
              PID: 1096
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] C:\LMPupdate\set\xc829374091FD.exe
                Command: xc829374091FD.exe /start
                PID: 752
                - Executes dropped EXE
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command: taskkill /f /im unpakedree.exe
              PID: 1628
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command: taskkill /f /im unpakedree.exe
              PID: 784
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\attrib.exe
              Command: attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
              PID: 552
              - Views/modifies file attributes
          [6] C:\Windows\SysWOW64\timeout.exe
              Command: timeout 4
              PID: 1952
              - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\timeout.exe
          Command: timeout 6
          PID: 872
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
1.  MD5     49d00501554543d18a49c5b93c4528f0
    SHA1    7a73595e37fda30fb1554b9d8bfe8a855f803d0b
    SHA256  74560d7c92a3cb7c3782e59fb45bd5a9b1a77a619fad985c4d5bdd17a48c2735
    SHA512  9c6c296b4bd21de5d13dc56dc92eab363bbd982335858a09537a34f2394be5632d34e002dfa73e312f685f45126c3d5d497a3d7c4553c46bcf4b8c65c4178fb6
2.  MD5     0c4747ed40d52d992d44951de476c21b
    SHA1    24cc5271d1a379e0ebdd0814a1148ecd6e7c880a
    SHA256  3c01bb32fd4de8574e37cb8293e61d869b8f5bbec69f3cb882a17d5d285b3264
    SHA512  6e7a264c288c8939c5d8f482229c92915a9bef427b5b1b1df8d942ffded006feba548acfa08588327587f34928acb0912d6f464536f5beb8027b78def01cffe1
3.  MD5     f6e0c73782e7a0768006b7be0fc4a1a1
    SHA1    2a5dea82a47544d00bfa99563fb899a41fa7a1f7
    SHA256  8c968d170289989dcca0c9bb5f2381dd6e38c3cfb6a324e80dbb6e556e6c5317
    SHA512  89827dcd80d9b5c2eedf18996a882feda400036df0b9691fc30701265f11528b0ab312dc69246f56e0388f75d2fa394329f502f9f796cbec702cd1dbfa9f2703
4.  MD5     ec8f0f76fe14a110317c3b5c71fce669
    SHA1    d41207a90b96b124630f3f8ad7f1657cd39a4dd2
    SHA256  1447333e356ed3c1c5183ebef48730c370429c40137c2255585a1d3ba2a37614
    SHA512  9e78bf61280430edbc2ed2c5869acc2cde3e92f236f2eabf83f715a0d6fbc3a79a420c94364cdf4863dd5ca68e4b0109eefb34f7571c5acdc14944eaebdf8b1f
5.  MD5     397a93800d56a2308bffc872d4a08032
    SHA1    6f5334d51195a521e8a03f0e05ac777b96c77bc4
    SHA256  efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720
    SHA512  7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb
6.  MD5     397a93800d56a2308bffc872d4a08032
    SHA1    6f5334d51195a521e8a03f0e05ac777b96c77bc4
    SHA256  efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720
    SHA512  7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb
7.  MD5     a5a4cc669d306e9b25ae2202e1ccc565
    SHA1    4e8e841ba4915641f989a061f092f95f9070d164
    SHA256  3da185d70e391a0449a2e86823e181ca35f5356306a856701ec92cfee639c705
    SHA512  5398c3722d4c6119d9a033558ca6fe0d57735b8259b4907cf1844ba2921e48ffad1ae9f1dcc760158857c6fb13572cb4dd897ee6f6c260efce247b2b793b0216
8.  MD5     a8d1d7e6c60c73faf55d64e724e97aa7
    SHA1    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687
    SHA256  5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122
    SHA512  237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1
9.  MD5     a8d1d7e6c60c73faf55d64e724e97aa7
    SHA1    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687
    SHA256  5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122
    SHA512  237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1
10. MD5     a8d1d7e6c60c73faf55d64e724e97aa7
    SHA1    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687
    SHA256  5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122
    SHA512  237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1
11. MD5     397a93800d56a2308bffc872d4a08032
    SHA1    6f5334d51195a521e8a03f0e05ac777b96c77bc4
    SHA256  efe3abcfde6e9846a99049a68e6a38d0bc42baa3ac1cf6f236c894abef0a7720
    SHA512  7fc7b6c8ffe640295085cab4e56ba4c3eea9738a2c9fa27d1032fd60bb3a638e93cd2522058b6212dd7237366510a83c7d1d9b3cbd5f9712852c72959ace53eb
12. MD5     a8d1d7e6c60c73faf55d64e724e97aa7
    SHA1    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687
    SHA256  5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122
    SHA512  237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1
13. MD5     a8d1d7e6c60c73faf55d64e724e97aa7
    SHA1    9c0e3ff55ede8ad1e3a3e0eb8ff9ab467469f687
    SHA256  5624eea08b241314b8bd13ee9429449c53085a6bb2bcc481655f1f28b4314122
    SHA512  237507eef8f19f0f99dc15d30d43ec202963e00cb735902ac7304eb6cc8f658ab9db2b7952b94f082441a020725002dbf103dfc919e29235c87430fa19942df1