Analysis

max time kernel: 87s
max time network: 81s
platform: windows10_x64
resource: win10v20210408
submitted: 22-07-2021 12:06

Static task: static1

Behavioral task: behavioral1
  Sample: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe
  Resource: win10v20210408
General

Target: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe
Size: 1.6MB
MD5: 3ce66caa331cbde38b08ac28665057ed
SHA1: 65113ab42af92d2888005f77a38f319ae7957583
SHA256: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed
SHA512: 40b636c384e7ee469954f160fb2e42daa6fd17ecffc5b694a85c96f4fd8d5b188a1d1e2c715a2f537ebf648c9317e73628bb5dffcb7b4c0669e0b91364dc7b8d
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes: filename.scr (PID 4076)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: WScript.exe
    Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Process: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe
    Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe (PID 656), filename.scr (PID 4076)

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe, WScript.exe
    PID 656 (d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe) wrote to memory of PID 2236 (WScript.exe), reported 3 times
    PID 2236 (WScript.exe) wrote to memory of PID 4076 (filename.scr), reported 3 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed.exe"
   PID: 656
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
      PID: 2236
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
         Command line: "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr" /S
         PID: 4076
         - Executes dropped EXE
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.scr
  MD5: 87acbe373b756267c98bb7fe9678b9f5
  SHA1: 4ea741ca32b8aa1764e091edb240aacdef2fcded
  SHA256: f848ffe03437e9909d9f879a92e283bc31a498287ff3bcd1a1dcd230f164a86a
  SHA512: edf25d4f8a9adde8f64676f47a6700641f82f5e976be053277fd24168435fd8153443e1fac97a8fca32a60f887fa6e572c8c10b3fb68fe4708af1865379ce178
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
  MD5: 639af09046d288faa04e81903466ddac
  SHA1: 1efdb5d52fed8d7e059cc159b4766c4cca14de95
  SHA256: de9447a07c6c194efc30ca2ca03f6d5d64634d573760833b1f585052a590b76e
  SHA512: 39a0e9af662ce7c94d8d0c1d08e8497845a3ceaa10d59e23ba25c1dcb2f6781ea77a5609321aa74ad6e04cde295926c9297bf72b4d55ac7de25df849ec80592d

memory/656-116-0x0000000002B20000-0x0000000002B26000-memory.dmp
  Filesize: 24KB

memory/2236-117-0x0000000000000000-mapping.dmp

memory/4076-120-0x0000000000000000-mapping.dmp