Analysis
-
max time kernel
8s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
17-09-2021 19:11
Static task
static1
Behavioral task
behavioral1
Sample
de8a80136d8b6c2002ba8473bda2a617.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
de8a80136d8b6c2002ba8473bda2a617.exe
Resource
win10v20210408
General
-
Target
de8a80136d8b6c2002ba8473bda2a617.exe
-
Size
255KB
-
MD5
de8a80136d8b6c2002ba8473bda2a617
-
SHA1
6ccca366fd276d0bff3197b02bfb8c192fe75cb3
-
SHA256
4e18d364c4fa2db105557cf8105e5e3d77c9d7a06590b4f897051f99014da5be
-
SHA512
d93ca922a818f387312a317ef84e22d88ac9c091a8ddb85c742983fa37801614681d22b842aacd66f6d66621700a0e4eeacc632428303f8db6c7bd0f8d607875
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
de8a80136d8b6c2002ba8473bda2a617.exepid process 652 de8a80136d8b6c2002ba8473bda2a617.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
de8a80136d8b6c2002ba8473bda2a617.exedescription pid process target process PID 652 set thread context of 872 652 de8a80136d8b6c2002ba8473bda2a617.exe de8a80136d8b6c2002ba8473bda2a617.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
de8a80136d8b6c2002ba8473bda2a617.exepid process 652 de8a80136d8b6c2002ba8473bda2a617.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
de8a80136d8b6c2002ba8473bda2a617.exedescription pid process target process PID 652 wrote to memory of 872 652 de8a80136d8b6c2002ba8473bda2a617.exe de8a80136d8b6c2002ba8473bda2a617.exe PID 652 wrote to memory of 872 652 de8a80136d8b6c2002ba8473bda2a617.exe de8a80136d8b6c2002ba8473bda2a617.exe PID 652 wrote to memory of 872 652 de8a80136d8b6c2002ba8473bda2a617.exe de8a80136d8b6c2002ba8473bda2a617.exe PID 652 wrote to memory of 872 652 de8a80136d8b6c2002ba8473bda2a617.exe de8a80136d8b6c2002ba8473bda2a617.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\de8a80136d8b6c2002ba8473bda2a617.exe"C:\Users\Admin\AppData\Local\Temp\de8a80136d8b6c2002ba8473bda2a617.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\de8a80136d8b6c2002ba8473bda2a617.exe"C:\Users\Admin\AppData\Local\Temp\de8a80136d8b6c2002ba8473bda2a617.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsx4448.tmp\tkxaz.dllMD5
220b53f6a42f8f23f16378c8330763d1
SHA102078dc5f0d573ba4c7bb24f69c7218f31987be6
SHA2563c470a8a1732a7e3e06cd561f5566c192f851e763b3694d84f546fe8ba379637
SHA5126f442f207deaabb292851abae4d7c372504aa61a1ccfdce6d6f5b5d9d00fff681ff3a458731e47d227404a9bbab6f7fc61493a98075fac33db89766064cbb6f2
-
memory/872-115-0x000000000041D0B0-mapping.dmp