Analysis
- max time kernel: 32s
- max time network: 47s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 06:47
Static task: static1

Behavioral tasks
task | sample | resource | platform | signatures | time
behavioral1 | RansomWare.exe | win7-en-20211014 | windows7_x64 | 0 signatures | 0 seconds
behavioral2 | RansomWare.exe | win10-en-20210920 | windows10_x64 | 0 signatures | 0 seconds
General
- Target: RansomWare.exe
- Size: 158KB
- MD5: d3c355a11849cbd0d4f3937a79c81c96
- SHA1: bdc7567d33da81654395d8fefc7500d124d87a31
- SHA256: 8b0d359eb8167b044bf25b943820a3b71e94bc3f0c26d9ba295dee1df014a7c0
- SHA512: a9091d36341135e74ba7918bc1f1f3960d8d1e049361ccea700662311bdbaa6e8c23a224ca0d640c596d5f8b269839e50104de5e5f96fcfe57ef8523d8a0ce7d
- Score: 8/10
Malware Config
Signatures
- Disables Task Manager via registry modification
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: RansomWare.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\DenyProtect.tiff | RansomWare.exe
  File opened for modification | C:\Users\Admin\Pictures\TraceUnpublish.tiff | RansomWare.exe
  File opened for modification | C:\Users\Admin\Pictures\WaitSync.tiff | RansomWare.exe
- Drops desktop.ini file(s) (6 IoCs)
  Processes: RansomWare.exe
  description | ioc | process
  File created | C:\Users\Admin\Desktop\desktop.ini | RansomWare.exe
  File created | C:\Users\Admin\Pictures\desktop.ini | RansomWare.exe
  File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | RansomWare.exe
  File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | RansomWare.exe
  File created | C:\Users\Admin\Videos\desktop.ini | RansomWare.exe
  File created | C:\Users\Admin\Documents\desktop.ini | RansomWare.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: RansomWare.exe
  pid | process
  2156 | RansomWare.exe (the same entry is reported 14 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RansomWare.exe
  description | pid | process
  Token: SeDebugPrivilege | 2156 | RansomWare.exe
Processes
Network
MITRE ATT&CK Matrix
Downloads
file | filesize
memory/2156-115-0x0000000000030000-0x0000000000031000-memory.dmp | 4KB
memory/2156-117-0x0000000004E60000-0x0000000004E61000-memory.dmp | 4KB
memory/2156-118-0x0000000004960000-0x0000000004961000-memory.dmp | 4KB
memory/2156-119-0x00000000024C0000-0x00000000024C1000-memory.dmp | 4KB
memory/2156-120-0x0000000004A10000-0x0000000004A11000-memory.dmp | 4KB
memory/2156-121-0x00000000024C3000-0x00000000024C5000-memory.dmp | 8KB