Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 22-10-2021 06:26
Static task: static1
Behavioral task: behavioral1 (Sample: DualShot.exe, Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: DualShot.exe, Resource: win10-en-20211014)
General
- Target: DualShot.exe
- Size: 19KB
- MD5: acb31c8ebe9344ab41bdeec32d952499
- SHA1: 15dad70b4b0061ab0db2de277595dcd4c8176eb0
- SHA256: 6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe
- SHA512: e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b
Malware Config
Signatures
- DualShot
  Ransomware first seen in June 2020.
- DualShot Ransomware executable (3 IoCs)
  Detected known DualShot strings.
  Processes: DSNWIN1743.exe
  resource | yara_rule
  C:\Users\Admin\AppData\Local\DSNWIN1743.exe | family_dualshot_ransomware
  C:\Users\Admin\AppData\Local\DSNWIN1743.exe | family_dualshot_ransomware
  C:\Users\Admin\AppData\Local\DSNWIN1743.exe | family_dualshot_ransomware
- Executes dropped EXE (2 IoCs)
  Processes: DSNWIN1743.exe, DSNWIN1743.exe
  pid | process
  3876 | DSNWIN1743.exe
  1688 | DSNWIN1743.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: DSNWIN1743.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINUPD25128 = "C:\\Users\\Admin\\AppData\\Local\\DSNWIN1743.exe /ainain C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP44190.dat C:\\Users\\Admin\\AppData\\Local\\Temp\\TMP1081718.dat" | DSNWIN1743.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: DualShot.exe, DSNWIN1743.exe
  description | pid | process
  Token: SeDebugPrivilege | 3496 | DualShot.exe
  Token: SeDebugPrivilege | 3876 | DSNWIN1743.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: DualShot.exe, cmd.exe, DSNWIN1743.exe
  description | pid | process | target process
  PID 3496 wrote to memory of 3876 | 3496 | DualShot.exe | DSNWIN1743.exe
  PID 3496 wrote to memory of 3876 | 3496 | DualShot.exe | DSNWIN1743.exe
  PID 3496 wrote to memory of 372 | 3496 | DualShot.exe | cmd.exe
  PID 3496 wrote to memory of 372 | 3496 | DualShot.exe | cmd.exe
  PID 372 wrote to memory of 1196 | 372 | cmd.exe | choice.exe
  PID 372 wrote to memory of 1196 | 372 | cmd.exe | choice.exe
  PID 3876 wrote to memory of 1688 | 3876 | DSNWIN1743.exe | DSNWIN1743.exe
  PID 3876 wrote to memory of 1688 | 3876 | DSNWIN1743.exe | DSNWIN1743.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DualShot.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DualShot.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\DSNWIN1743.exe
    Command line: "C:\Users\Admin\AppData\Local\DSNWIN1743.exe" /inin
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\DSNWIN1743.exe
      Command line: "C:\Users\Admin\AppData\Local\DSNWIN1743.exe" /ainain C:\Users\Admin\AppData\Local\Temp\TMP44190.dat C:\Users\Admin\AppData\Local\Temp\TMP1081718.dat
      - Executes dropped EXE
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /c choice /c Y /n /d Y /t 3 & del "C:\Users\Admin\AppData\Local\Temp\DualShot.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\choice.exe
      Command line: choice /c Y /n /d Y /t 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\DSNWIN1743.exe
  MD5: acb31c8ebe9344ab41bdeec32d952499
  SHA1: 15dad70b4b0061ab0db2de277595dcd4c8176eb0
  SHA256: 6ca2a65b6c59c2147e49096df836c088a949ec47323cb99655558e18a22025fe
  SHA512: e562df64e35c710047d5d7aafda25305a24c5b7e1923924cf4b593defedfbff211b01f4c86795d573fe7af6db5a1a4d5afb98fc30ebb235d8b45977e2e004a8b
- C:\Users\Admin\AppData\Local\Temp\TMP1081718.dat
  MD5: 6b1a8629e01b38053e17762d4e4ad4f7
  SHA1: b8d0c36b11039c152fd663ca3b6a9091fe4b662a
  SHA256: 0004940cb88d7f09bb7ffd22a15379f45ee24db306e315a71ecee857513a6d9e
  SHA512: be83697368954ccf93961e17c8bc8b13e92f52a10d8f74c9c5a5e835688a3b5c2e12ee7fabd783ba610416c1189b529d4d75292762e5f92c9f035dd77ab8f67d
- C:\Users\Admin\AppData\Local\Temp\TMP44190.dat
  MD5: 4721d8c5a1c9d8a635375a3d47b0afe8
  SHA1: 47df51d15e3a9f4128b64b271db847eb84f196b7
  SHA256: b85e19007e59603620568f7ca8763d121930a3dface8a8ef0ba05b89eec80e7d
  SHA512: ddc3bb6d67b8dce1fc4083368c692a52f1fe2d2b6a41073f87000d59cdd9bcd0f155225e27941848b60c61f7e7a8e5151aa6ba40773a7111131cb4e2e6a18676
- memory/372-122-0x0000000000000000-mapping.dmp
- memory/1196-123-0x0000000000000000-mapping.dmp
- memory/1688-124-0x0000000000000000-mapping.dmp
- memory/1688-130-0x000000001B0A0000-0x000000001B0A2000-memory.dmp (Filesize: 8KB)
- memory/1688-131-0x000000001B0A2000-0x000000001B0A4000-memory.dmp (Filesize: 8KB)
- memory/3496-115-0x0000000000360000-0x0000000000361000-memory.dmp (Filesize: 4KB)
- memory/3876-117-0x0000000000000000-mapping.dmp