Analysis
max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7v20210410
submitted: 26-07-2021 12:39
Static task: static1

Behavioral task: behavioral1
  Sample: 6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: 6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe
Size: 360KB
MD5: 354f7ec15741db7fcdfe7b158c14dfaa
SHA1: 1265f62cb1bf781baaf5161e8b2fcd40a4026747
SHA256: 6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c
SHA512: c8425a333a0aa7cb916406b825baaba2e462a81dcfc64b725dceadd81163f8928463603f70e6d5c354dd0ad59e4ed74572bcd780957d947bfa9d97ae89477227
Score: 10/10
Malware Config

Signatures
- CryptoLocker
  Ransomware family with multiple variants.
- suricata: ET MALWARE Zeus GameOver Possible DGA NXDOMAIN Responses
- Executes dropped EXE (2 IoCs)
  pid   Process
  1216  Wawbmdknpbal.exe
  1968  Wawbmdknpbal.exe
- Deletes itself (1 IoC)
  pid   Process
  1216  Wawbmdknpbal.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1888  6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe
  1216  Wawbmdknpbal.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\Wawbmdknpbal.exe"  Wawbmdknpbal.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                  Wawbmdknpbal.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                        procid_target
  PID 1888 wrote to memory of 1216   1888  6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe  26
  PID 1888 wrote to memory of 1216   1888  6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe  26
  PID 1888 wrote to memory of 1216   1888  6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe  26
  PID 1888 wrote to memory of 1216   1888  6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe  26
  PID 1216 wrote to memory of 1968   1216  Wawbmdknpbal.exe                                                               27
  PID 1216 wrote to memory of 1968   1216  Wawbmdknpbal.exe                                                               27
  PID 1216 wrote to memory of 1968   1216  Wawbmdknpbal.exe                                                               27
  PID 1216 wrote to memory of 1968   1216  Wawbmdknpbal.exe                                                               27
Processes
1. C:\Users\Admin\AppData\Local\Temp\6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1888
   2. C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe" "/rC:\Users\Admin\AppData\Local\Temp\6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c.sample.exe"
      - Executes dropped EXE
      - Deletes itself
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 1216
      3. C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Wawbmdknpbal.exe" /w000000D0
         - Executes dropped EXE
         PID: 1968