Analysis
- max time kernel: 300s
- max time network: 302s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 22-10-2021 06:26
Static task: static1
Behavioral task: behavioral1
- Sample: DualShot.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: DualShot.exe
- Resource: win10-en-20211014
General
- Target: DualShot.exe
- Size: 19KB
- MD5: acb31c8ebe9344ab41bdeec32d952499
- SHA1: 15dad70b4b0061ab0db2de277595dcd4c8176eb0
- SHA256: 6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe
- SHA512: e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b
Malware Config
Signatures
- DualShot
  Ransomware first seen in June 2020.
- DualShot Ransomware executable (3 IoCs)
  Detected known DualShot strings.
  Processes:
  resource: C:\Users\Admin\AppData\Local\DSNWIN3693.exe
  yara_rule: family_dualshot_ransomware (matched 3 times)
- Executes dropped EXE (2 IoCs)
  Processes:
  pid 1620, process DSNWIN3693.exe
  pid 1692, process DSNWIN3693.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINUPD40317 = "C:\\Users\\Admin\\AppData\\Local\\DSNWIN3693.exe /ainain C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP78002.dat C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP1091508.dat"
  process: DSNWIN3693.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 1524, process DualShot.exe
  Token: SeDebugPrivilege, pid 1620, process DSNWIN3693.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  PID 1524 (DualShot.exe) wrote to memory of 1620 (DSNWIN3693.exe) (recorded 3 times)
  PID 1524 (DualShot.exe) wrote to memory of 980 (cmd.exe) (recorded 3 times)
  PID 980 (cmd.exe) wrote to memory of 1392 (choice.exe) (recorded 3 times)
  PID 1620 (DSNWIN3693.exe) wrote to memory of 1692 (DSNWIN3693.exe) (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\DualShot.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DualShot.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\DSNWIN3693.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\DSNWIN3693.exe" /inin
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\DSNWIN3693.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\DSNWIN3693.exe" /ainain C:\Users\Admin\AppData\Local\Temp\TMP78002.dat C:\Users\Admin\AppData\Local\Temp\TMP1091508.dat
      - Executes dropped EXE
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: "cmd" /c choice /c Y /n /d Y /t 3 & del "C:\Users\Admin\AppData\Local\Temp\DualShot.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\choice.exe (depth 3)
      Command line: choice /c Y /n /d Y /t 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\DSNWIN3693.exe
  MD5: acb31c8ebe9344ab41bdeec32d952499
  SHA1: 15dad70b4b0061ab0db2de277595dcd4c8176eb0
  SHA256: 6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe
  SHA512: e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b
- C:\Users\Admin\AppData\Local\Temp\TMP1091508.dat
  MD5: d43f02f020e181bedab13286615d72a5
  SHA1: 5c4eaf5eaf4e864b29ec46b9ead9f07f10c72d4a
  SHA256: b4fe1c93f2973bca08562bbe36eaba31c661961f12811b0878f94e6146897fdd
  SHA512: 654a6704ab56d59cc413c8b1395c74dace1064243bf25b3380bad1a9f393493c4ea11751d0082ae461e197e69990f64f873d087356b6ab6b4f0abfc14c0adc95
- C:\Users\Admin\AppData\Local\Temp\TMP78002.dat
  MD5: 67dfebc6e650570e59a7b8276f082421
  SHA1: 9597de4eb95310fa8dfc8450a89319b62dbdc070
  SHA256: 8ad8f4f90d301f4b7971db095e08acd0c6c1215cc90d439b54533d27c0ae6bd3
  SHA512: 0580221e291ea727b09e55df338a120f75e8b3e055e99d612286778ac8eb1565709dfd4a075dc604658b8766f42e3262ef888c77c9bb0d14b8e99a884b01141f
- memory/980-61-0x0000000000000000-mapping.dmp
- memory/1392-62-0x0000000000000000-mapping.dmp
- memory/1524-54-0x0000000001000000-0x0000000001001000-memory.dmp (Filesize: 4KB)
- memory/1620-59-0x0000000001220000-0x0000000001221000-memory.dmp (Filesize: 4KB)
- memory/1620-56-0x0000000000000000-mapping.dmp
- memory/1692-63-0x0000000000000000-mapping.dmp
- memory/1692-69-0x000000001B390000-0x000000001B392000-memory.dmp (Filesize: 8KB)
- memory/1692-70-0x000000001B396000-0x000000001B3B5000-memory.dmp (Filesize: 124KB)