Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
16-10-2021 18:19
General
-
Target
DWS.exe
-
Size
129KB
-
MD5
d138cbdc2ae133c81752e4c1e4e8561e
-
SHA1
e8afba3556dc948b960622ff1054d5a809d43baf
-
SHA256
52025c86ec0b35f42f22742b92c4bbca97bef3f3f7593b488af738e16673048d
-
SHA512
774dc7ebd5c6d5df4e90767ab038e5b1f4ebd2e66fe0a0718126f0ee8613b230fca44dcc946ebf8ac9bd57f95642fb725cbbef795837b9f38fe051e59adf0fb5
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DWS.exe"C:\Users\Admin\AppData\Local\Temp\DWS.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DWS.exe"C:\Users\Admin\AppData\Local\Temp\DWS.exe"2⤵
- Suspicious behavior: RenamesItself
-
C:\Windows\SysWOW64\AppointmentDcard.exeC:\Windows\SysWOW64\AppointmentDcard.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\AppointmentDcard.exe"C:\Windows\SysWOW64\AppointmentDcard.exe"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1044-131-0x0000000000410000-0x0000000000411000-memory.dmpFilesize
4KB
-
memory/1044-144-0x0000000000EF0000-0x0000000000F00000-memory.dmpFilesize
64KB
-
memory/1044-136-0x0000000000EE0000-0x0000000000EEE000-memory.dmpFilesize
56KB
-
memory/1044-133-0x0000000000EE0000-0x0000000000EEE000-memory.dmpFilesize
56KB
-
memory/1044-132-0x0000000000410000-0x0000000000411000-memory.dmpFilesize
4KB
-
memory/1920-122-0x0000000000000000-mapping.dmp
-
memory/1920-124-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1920-125-0x0000000000C50000-0x0000000000C5E000-memory.dmpFilesize
56KB
-
memory/1920-128-0x0000000000C50000-0x0000000000C5E000-memory.dmpFilesize
56KB
-
memory/1920-123-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1920-130-0x0000000000C60000-0x0000000000C70000-memory.dmpFilesize
64KB
-
memory/1988-138-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1988-145-0x0000000000EE0000-0x0000000000EF0000-memory.dmpFilesize
64KB
-
memory/1988-143-0x0000000000C50000-0x0000000000C5E000-memory.dmpFilesize
56KB
-
memory/1988-140-0x0000000000C50000-0x0000000000C5E000-memory.dmpFilesize
56KB
-
memory/1988-139-0x00000000004E0000-0x00000000004E1000-memory.dmpFilesize
4KB
-
memory/1988-137-0x0000000000000000-mapping.dmp
-
memory/2072-129-0x0000000003310000-0x000000000345A000-memory.dmpFilesize
1.3MB
-
memory/2072-117-0x0000000000EF0000-0x0000000000EFE000-memory.dmpFilesize
56KB
-
memory/2072-121-0x00000000033C0000-0x00000000033CE000-memory.dmpFilesize
56KB
-
memory/2072-119-0x00000000033C0000-0x00000000033CE000-memory.dmpFilesize
56KB
-
memory/2072-116-0x0000000000CF0000-0x0000000000CF1000-memory.dmpFilesize
4KB
-
memory/2072-115-0x0000000000CF0000-0x0000000000CF1000-memory.dmpFilesize
4KB