Analysis
- max time kernel: 164s
- max time network: 59s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:58

Static task: static1
Behavioral task: behavioral1
- Sample: b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
- Resource: win10v20210408

General
- Target: b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
- Size: 363KB
- MD5: 28b44669d6e7bc7ede7f5586a938b1cb
- SHA1: 8b5afcc257edb2e585fbe5ae9174921bbe51cffd
- SHA256: b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c
- SHA512: 131d4a2baa13e38c3351a49aa3e4630a2766d16333e35b7e6eaf004f3ba46830765af505c5334e7df35e9aaf32bcb917018ea7b6e83f787ce432fe89969f86bd

Malware Config
Extracted:
- C:\ProgramData\cryptinfo.txt
- team4004@gmx.com
- 166vHLnGB1pCQGxdBkRiMkHW5WGQDbsw6s

Signatures
- DMA Locker
  Ransomware family with some advanced features, like encryption of unmapped network shares.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe, svchosd.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cssys = "C:\\ProgramData\\svchosd.exe" | b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cryptedinfo = "notepad C:\\ProgramData\\cryptinfo.txt" | b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cssys = "C:\\ProgramData\\svchosd.exe" | svchosd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cryptedinfo = "notepad C:\\ProgramData\\cryptinfo.txt" | svchosd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe, svchosd.exe
  pid | process
  1980 | b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
  1304 | svchosd.exe (63 identical entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
  pid | process
  1980 | b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
  description | pid | process | target process
  PID 1980 wrote to memory of 1304 | 1980 | b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe | svchosd.exe (4 identical entries)

Processes
- C:\Users\Admin\AppData\Local\Temp\b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7eeb0746b8e5df88c9937463db3f12a07ed3cf62ff720c6c91b8610080f2d9c.sample.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\svchosd.exe (child of the sample process)
    Command line: "C:\ProgramData\svchosd.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\cryptinfo.txt
  MD5: 7cd3fa62bc4d420ef80c100abbda40b6
  SHA1: 88379ceaa920eecd59bfe96e1a54066f23505822
  SHA256: 361962675202c6a8f6cfdc6bd5d12d8ba2f03dbb46cfe27449f7f83f9ead81f7
  SHA512: 2e4fa81f114020fa49a361b95d535f90fd613ef1c54d9f9a6221c694b3194b9b944ea685690aca9607b995abe3527685cb75db61ef962a17b63ed80593b6d048
- memory/1304-61-0x0000000000000000-mapping.dmp
- memory/1980-60-0x00000000754F1000-0x00000000754F3000-memory.dmp
  Filesize: 8KB