Analysis
- max time kernel: 121s
- max time network: 173s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 12-08-2021 20:09

Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: 2468852.exe, win7v20210410
- behavioral2: 2468852.exe, win10v20210410
- behavioral3: 4422625.exe, win7v20210410
- behavioral4: 4422625.exe, win10v20210408
- behavioral5: 4701556.exe, win7v20210410
- behavioral6: 4701556.exe, win10v20210410
- behavioral7: 8383001.exe, win7v20210408
General
- Target: 4701556.exe
- Size: 46KB
- MD5: 1d095bc417db73c6bc6e4c4e7b43106f
- SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
- SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
- SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: WinHoster.exe, PID 1980
- Loads dropped DLL (1 IoC)
  Process: 4701556.exe, PID 856
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 4701556.exe, PID 856
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"
  The value data is the path of the copy the sample drops and then launches (PID 1980), so the persistence entry and the dropped file are one artefact: the sample re-launches itself from %APPDATA%\WinHost at logon.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is the sandbox's generic heuristic for drive enumeration; no file-encryption or mass file-modification activity is recorded anywhere else in this report, so treat it as an unconfirmed lead rather than a ransomware verdict.
- Suspicious use of WriteProcessMemory (4 IoCs)
  4701556.exe (PID 856) wrote to the memory of WinHoster.exe (PID 1980) four times.
  Writes from a parent into a child it has just created are consistent with ordinary process start-up as well as with injection; the PID 1980 memory dumps listed below are what to inspect to tell the two apart.
Processes
- C:\Users\Admin\AppData\Local\Temp\4701556.exe "C:\Users\Admin\AppData\Local\Temp\4701556.exe" (level 1, PID 856)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe" (level 2, PID 1980, child of PID 856)
    - Executes dropped EXE
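The two observations above that a detection engineer would want to turn into a rule are the Run value pointing into a user-writable AppData path and the parent launching a child that it dropped itself. The following Python is added here as an illustration; it is not part of the sandbox report and not code from the sample. It replays the report's IoCs (PIDs 856 and 1980, the WinHost Run value, the WinHoster.exe path, the shared SHA256) as constructed Sysmon-style events and runs three checks over them: a Run value whose data lives in a user-writable directory, a child whose image was created by its parent and carries the parent's own hash (the self-copy the identical hashes show), and the join of the two. The event shape and field names, the parent PID 1234 of the sample, and the benign "Updater" control entry are assumptions made for the example.

```python
"""Detection logic for the Run-key persistence and self-copy seen in the report.

The events below are constructed to mirror the report's IoCs. Field names,
the parent PID 1234 and the benign 'Updater' entry are assumptions made for
this example, not sandbox output.
"""
import re

# Hash of the submitted sample; the dropped WinHoster.exe has the same value.
SAMPLE_SHA256 = "b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee"
SID = "S-1-5-21-2513283230-931923277-594887482-1000"
DROPPED = r"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"

EVENTS = [
    {"event": "ProcessCreate", "pid": 856, "ppid": 1234,  # ppid assumed
     "image": r"C:\Users\Admin\AppData\Local\Temp\4701556.exe", "sha256": SAMPLE_SHA256},
    {"event": "FileCreate", "pid": 856, "target": DROPPED},
    {"event": "RegistrySet", "pid": 856,
     "target": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\WinHost",
     "details": DROPPED},
    {"event": "ProcessCreate", "pid": 1980, "ppid": 856, "image": DROPPED, "sha256": SAMPLE_SHA256},
    # Benign control (assumed): an installer registering an updater under Program Files.
    {"event": "RegistrySet", "pid": 2222,
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Locations a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\Users\\Public\\", re.IGNORECASE)


def run_values_in_user_writable_paths(events):
    """Run values whose data launches something from a user-writable directory.

    Returns (writer pid, value name, value data) tuples. A Run entry on its own
    is not malicious (the 'Updater' control is not returned); the user-writable
    location is what separates the report's case from it.
    """
    hits = []
    for e in events:
        if e["event"] != "RegistrySet":
            continue
        m = RUN_VALUE_RE.search(e["target"])
        if m and USER_WRITABLE_RE.search(e["details"]):
            hits.append((e["pid"], m.group(1), e["details"]))
    return hits


def self_copies_executed(events):
    """Parent drops a file, then starts it as a child carrying the parent's own hash.

    Returns (parent pid, child pid, child image) tuples. This is what the
    identical hashes of 4701556.exe and WinHoster.exe in the report show.
    """
    procs = {e["pid"]: e for e in events if e["event"] == "ProcessCreate"}
    dropped = {(e["pid"], e["target"].lower()) for e in events if e["event"] == "FileCreate"}
    found = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue
        if (parent["pid"], child["image"].lower()) in dropped and parent["sha256"] == child["sha256"]:
            found.append((parent["pid"], child["pid"], child["image"]))
    return found


def persistence_bound_to_dropped_child(events):
    """Join the two checks: Run value data that is the image of an executed self-copy.

    Returns (value name, child pid) pairs. A hit here ties the persistence
    entry to a process that is already running, which is the strongest signal
    of the three.
    """
    copies = {image.lower(): child for _, child, image in self_copies_executed(events)}
    return [(name, copies[data.lower()])
            for _, name, data in run_values_in_user_writable_paths(events)
            if data.lower() in copies]


if __name__ == "__main__":
    for check in (run_values_in_user_writable_paths, self_copies_executed,
                  persistence_bound_to_dropped_child):
        print(check.__name__, check(EVENTS))
```

On a live host the same check is a read of the current user's CurrentVersion\Run values followed by hashing each referenced file and comparing against the SHA256 in the General section; the user-writable-path test is what keeps such a hunt from drowning in legitimate vendor updaters.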
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe (also logged as \Users\Admin\AppData\Roaming\WinHost\WinHoster.exe)
  MD5: 1d095bc417db73c6bc6e4c4e7b43106f
  SHA1: db7e49df1fb5a0a665976f98ff7128aeba40c5f3
  SHA256: b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee
  SHA512: 3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097
  These hashes are identical to the submitted sample's (General section above): the dropped file is a byte-for-byte copy of 4701556.exe, not a second payload.
-
- memory/856-60-0x0000000000320000-0x0000000000321000-memory.dmp (4KB)
- memory/856-62-0x0000000000270000-0x0000000000277000-memory.dmp (28KB)
- memory/1980-64-0x0000000000000000-mapping.dmp
- memory/1980-67-0x0000000001070000-0x0000000001071000-memory.dmp (4KB)
- memory/1980-70-0x0000000000440000-0x0000000000441000-memory.dmp (4KB)