Analysis
max time kernel: 3s
max time network: 36s
platform: windows7_x64
resource: win7v20210408
submitted: 14-09-2021 06:40
Static task: static1
Behavioral task: behavioral1
  Sample: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
  Resource: win10-en
General
Target: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
Size: 1.5MB
MD5: 05def69117bc5228432feac2bed343d2
SHA1: 7dadf53ee11702034176939a5d73891bf3cf5f61
SHA256: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553
SHA512: 1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  540   explorer.exe
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1840  c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                      pid   process                                                                   target process
  PID 1840 wrote to memory of 540  1840  c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe  explorer.exe
  PID 1840 wrote to memory of 540  1840  c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe  explorer.exe
  PID 1840 wrote to memory of 540  1840  c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe  explorer.exe
  PID 1840 wrote to memory of 540  1840  c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe  explorer.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\explorer.exe (nested under process 1)
      Command line: "C:\Users\Admin\AppData\Roaming\explorer.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\explorer.exe
  MD5: 05def69117bc5228432feac2bed343d2
  SHA1: 7dadf53ee11702034176939a5d73891bf3cf5f61
  SHA256: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553
  SHA512: 1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45
\Users\Admin\AppData\Roaming\explorer.exe
  MD5: 05def69117bc5228432feac2bed343d2
  SHA1: 7dadf53ee11702034176939a5d73891bf3cf5f61
  SHA256: c81fc1a7d158166451f398de956d84adbfdabb433717a3f31461d711ff313553
  SHA512: 1d253ae2efb360ea4120f18ff2ac20ea175cb3650a9257122b847d0b1b6b366b74e91835368004aa5c8f63136da01fad44ef017b27a5f25197e312d7c60a5e45
memory/540-66-0x0000000000000000-mapping.dmp
memory/540-69-0x00000000003D0000-0x00000000003D1000-memory.dmp
  Filesize: 4KB
memory/1840-60-0x0000000000C40000-0x0000000000C41000-memory.dmp
  Filesize: 4KB
memory/1840-62-0x00000000003E0000-0x0000000000416000-memory.dmp
  Filesize: 216KB
memory/1840-63-0x0000000000380000-0x0000000000388000-memory.dmp
  Filesize: 32KB
memory/1840-65-0x00000000084C0000-0x00000000084C1000-memory.dmp
  Filesize: 4KB