Analysis
- max time kernel: 87s
- max time network: 125s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-07-2021 12:06
Tasks
- static1: static task
- behavioral1: behavioral task, sample 24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1.exe, resource win7v20210410
- behavioral2: behavioral task, sample 24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1.exe, resource win10v20210408 (the run shown on this page; it matches the platform and resource listed under Analysis)
General
- Target: 24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1.exe
- Size: 1.6MB
- MD5: 5530e8dcb60d0dcc68fe18810bb9e53c
- SHA1: 0addb140b908fd95f1efdc26e9b90975d1b55b9f
- SHA256: 24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1
- SHA512: 1c360cb33a8bf968ba492cdad811bc06cd7f4fdb59617b20e902e2254fc2d9bdff6e2ffca3d60f6b6a5310a15e5f2cea0a3aa61b5f93608f2ede64a9dfb8ec24
Malware Config
- none extracted

Signatures
- Executes dropped EXE (1 IoC)
  PID 3812  filename.scr
- Adds Run key to start application (2 TTPs, 2 IoCs)
  WScript.exe  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  WScript.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs"
  The key is RunOnce, not Run: the value (its literal name is "Registry Key Name") fires once at this user's next logon, and Windows deletes a RunOnce value before running its command. The data is a bare .vbs path with no host named, so it executes through the .vbs file association (wscript.exe by default); a detection that only looks for "wscript" or "cscript" in Run-key data misses it.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic heuristic for drive enumeration. No file-encryption or ransom-note signature fired in this run, so on its own it is a weak indicator.
- Modifies registry class (1 IoC)
  24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1.exe  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
  This key is also created by ordinary shell and COM activity and carries little signal by itself.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 632   24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1.exe
  PID 3812  filename.scr
  Window hooks are used by keyloggers but also by many GUI frameworks; the report does not record the hook type, so the fact that both the dropper and the dropped payload install one is the interesting part, not the call itself.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 632 (24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1.exe) wrote to memory of PID 1020 (WScript.exe), 3 times
  PID 1020 (WScript.exe) wrote to memory of PID 3812 (filename.scr), 3 times
  Every write goes from a parent into the child it has just created, which is what process creation itself produces on this sandbox; it does not by itself show code injection into an unrelated process.
Processes
- PID 632  C:\Users\Admin\AppData\Local\Temp\24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1.exe"
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - PID 1020  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - PID 3812  C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
      Command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" /S
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

Two details in the tree are worth noting. The sample asked for C:\Windows\System32\WScript.exe, but the image that ran is C:\Windows\SysWOW64\WScript.exe: the sample is a 32-bit process and File System Redirection substituted the 32-bit script host, so a hunt keyed on the image path and one keyed on the command line will give different answers. The dropped payload carries a .scr extension, which is an ordinary PE executable that Windows treats as a screensaver; /S is the conventional "start screensaver" switch, so the .vbs stage starts it like any other program while the name suggests a screensaver.
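The chain in the tree (dropper, then WScript.exe running a dropped .vbs out of %TEMP%, then a dropped .scr started with /S, with a RunOnce value pointing at the .vbs) is worth detecting in endpoint telemetry independently of this sample's hashes. The following is an added example, not code from the sandbox report or from the sample: it encodes the two behaviours as rules and runs them over constructed process-creation and registry-set events modelled on the report. PIDs 632/1020/3812, the paths and the RunOnce value come from the report; the SID, the event schema, the sample.exe name and the two benign negative cases are assumptions. It also checks the System32-requested/SysWOW64-executed mismatch visible in the tree.

```python
"""Detection rules modelled on this report's process chain and RunOnce write.
Added example, not code from the sandbox or the sample; the events below are
constructed to mirror the report, with a placeholder SID and two benign cases."""
import ntpath
import re
from collections import namedtuple

# image = file actually executed; cmdline = command line the parent requested
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
RegEvent = namedtuple("RegEvent", "pid image key value_name data")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
PAYLOAD_EXTS = {".exe", ".scr", ".com", ".pif"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\|\\Users\\Public\\", re.I)
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def script_argument(cmdline):
    """First argument after the program that names a Windows Script Host script."""
    for tok in tokenize(cmdline)[1:]:
        if ntpath.splitext(tok)[1].lower() in SCRIPT_EXTS:
            return tok
    return None


def wow64_redirected(event):
    """Parent asked for \\System32\\ but \\SysWOW64\\ ran: File System Redirection
    applied to a 32-bit parent, as happened to WScript.exe in this report."""
    requested = tokenize(event.cmdline)[0] if event.cmdline else ""
    return "\\system32\\" in requested.lower() and "\\syswow64\\" in event.image.lower()


def find_script_host_chains(events):
    """Script host running a script from a user-writable directory, which then
    starts a PE (.exe/.scr/...) dropped beside that script."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for host in events:
        if ntpath.basename(host.image).lower() not in SCRIPT_HOSTS:
            continue
        script = script_argument(host.cmdline)
        if script is None or not USER_WRITABLE_RE.search(script):
            continue
        for child in children.get(host.pid, []):
            same_dir = ntpath.dirname(child.image).lower() == ntpath.dirname(script).lower()
            if same_dir and ntpath.splitext(child.image)[1].lower() in PAYLOAD_EXTS:
                hits.append({"host_pid": host.pid, "script": script, "child_pid": child.pid,
                             "child_image": child.image, "child_args": tokenize(child.cmdline)[1:]})
    return hits


def find_script_persistence(reg_events):
    """Run/RunOnce values that name a script, point into a user-writable path, or
    were written by a script host. A bare .vbs path (as in this report) runs via
    the .vbs file association, so the value need not mention wscript.exe at all."""
    hits = []
    for r in reg_events:
        if not RUN_KEY_RE.search(r.key):
            continue
        reasons = []
        if ntpath.basename(r.image).lower() in SCRIPT_HOSTS:
            reasons.append("set by script host")
        if any(ntpath.splitext(t)[1].lower() in SCRIPT_EXTS for t in tokenize(r.data)):
            reasons.append("launches a script")
        if USER_WRITABLE_RE.search(r.data):
            reasons.append("target in user-writable path")
        if reasons:
            hits.append({"key": r.key, "value": r.value_name, "data": r.data, "reasons": reasons})
    return hits


# Constructed events mirroring the report (PIDs 632 -> 1020 -> 3812); SID is a placeholder.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
HKU = "\\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1000"
PROC_EVENTS = [
    ProcEvent(632, 4000, TEMP + r"\sample.exe", '"' + TEMP + r'\sample.exe"'),
    ProcEvent(1020, 632, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "' + TEMP + r'\subfolder\filename.vbs"'),
    ProcEvent(3812, 1020, TEMP + r"\subfolder\filename.scr", '"' + TEMP + r'\subfolder\filename.scr" /S'),
    # Negative case: script host, but the script is outside user-writable paths and has no PE child.
    ProcEvent(5000, 4000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\Corp\logon.vbs"'),
]
REG_EVENTS = [
    RegEvent(1020, r"C:\Windows\SysWOW64\WScript.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
             "Registry Key Name", TEMP + r"\subfolder\filename.vbs"),
    # Negative case: vendor updater under Program Files, written by its own installer.
    RegEvent(7000, r"C:\Program Files\Vendor\setup.exe", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run",
             "VendorUpdater", r'"C:\Program Files\Vendor\Updater.exe" /background'),
]

if __name__ == "__main__":
    print(find_script_host_chains(PROC_EVENTS))
    print(find_script_persistence(REG_EVENTS))
    print("WOW64 redirection on PID 1020:", wow64_redirected(PROC_EVENTS[1]))
```

The chain rule keys on behaviour (script host, user-writable script path, PE child in the same directory) rather than on `filename.vbs` or `filename.scr`, so a rename of either file does not evade it; the persistence rule deliberately scores the bare-script-path case, which is exactly what the RunOnce value in this report looks like. Feeding it real telemetry means mapping your EDR or Sysmon process-creation and registry-set events onto the two tuples.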
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
  MD5: 3ce66caa331cbde38b08ac28665057ed
  SHA1: 65113ab42af92d2888005f77a38f319ae7957583
  SHA256: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed
  SHA512: 40b636c384e7ee469954f160fb2e42daa6fd17ecffc5b694a85c96f4fd8d5b188a1d1e2c715a2f537ebf648c9317e73628bb5dffcb7b4c0669e0b91364dc7b8d
- C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
  MD5: 639af09046d288faa04e81903466ddac
  SHA1: 1efdb5d52fed8d7e059cc159b4766c4cca14de95
  SHA256: de9447a07c6c194efc30ca2ca03f6d5d64634d573760833b1f585052a590b76e
  SHA512: 39a0e9af662ce7c94d8d0c1d08e8497845a3ceaa10d59e23ba25c1dcb2f6781ea77a5609321aa74ad6e04cde295926c9297bf72b4d55ac7de25df849ec80592d

Memory dumps
- memory/632-116-0x0000000002290000-0x0000000002296000-memory.dmp (24KB)
- memory/1020-117-0x0000000000000000-mapping.dmp
- memory/3812-120-0x0000000000000000-mapping.dmp