Analysis
-
max time kernel
195s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
12-10-2021 13:16
Static task
static1
Behavioral task
behavioral1
Sample
hptestu.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
hptestu.exe
Resource
win10-en-20210920
General
-
Target
hptestu.exe
-
Size
662KB
-
MD5
1f7b5c64fdc506bb5384b938c141d050
-
SHA1
ae1b5233145eb28c0e0b34d92da9c9b93efe73a0
-
SHA256
2c895d282fa795252bb859323040e62af0087e626244a9768eca8089ce25291f
-
SHA512
0309dec997b0c73177f97616afccacbce102c1b64aa6b71ccf0f8a370ce4e2633693a2b7a16f3f663be6f3a042d712ff9ba6e387b07e8cebdb1fafbb37e54231
Malware Config
Extracted
C:\Users\Admin\Desktop\README_encrypted.txt
https://www.getmonero.org/get-started/what-is-monero/
http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion/register
https://www.getmonero.org/resources/user-guides/make-payment.html
Signatures
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
hptestu.exedescription ioc process File created C:\Users\Admin\Pictures\UnprotectMount.tif_encrypted hptestu.exe File created C:\Users\Admin\Pictures\ShowGroup.tiff_encrypted hptestu.exe File created C:\Users\Admin\Pictures\SplitClose.tif_encrypted hptestu.exe File created C:\Users\Admin\Pictures\UnprotectReceive.tiff_encrypted hptestu.exe File created C:\Users\Admin\Pictures\EditRevoke.tiff_encrypted hptestu.exe File created C:\Users\Admin\Pictures\PingDismount.raw_encrypted hptestu.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2684 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 460 vssvc.exe Token: SeRestorePrivilege 460 vssvc.exe Token: SeAuditPrivilege 460 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\hptestu.exe"C:\Users\Admin\AppData\Local\Temp\hptestu.exe"1⤵
- Modifies extensions of user files
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_encrypted.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\README_encrypted.txtMD5
431cc08e49697f465f0834df473223df
SHA1a8c0d09f3b84e225c6f7390d10155c42f4225674
SHA256f8f5938fad58747f6238e2761be8b7f1fdccaf637227c1e4eb7f000926f0d6c2
SHA512e74c44ecec011367d65cc4baf626953a8baa1bad04121718768d041c493a570e6d2b5039eee321478e046e8ddfdcc006c38f89e1b3dc5b37417e63b7857edf51
-
memory/2456-54-0x000007FEFC051000-0x000007FEFC053000-memory.dmpFilesize
8KB