Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
25-10-2021 01:34
Static task
static1
Behavioral task
behavioral1
Sample
KERSEL00000209419.scr
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
KERSEL00000209419.scr
Resource
win10-en-20211014
General
-
Target
KERSEL00000209419.scr
-
Size
976KB
-
MD5
f9ddb4afd10f811f82d3efc7335a3899
-
SHA1
7132e4e6d07df37905950ef8d92f38b12ae4832e
-
SHA256
f7b6fe9f584bc1662bf71f4baa1a242edfe7d823eb1538f24065fd9094e9b02f
-
SHA512
a172061299d4b7ec2d54e32379f4e2156e0176964282b481acfd354993bddca979e5a98335b9905572de4c4ac8b5ab56b3743daff690f89933b9248a4eeec2ab
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid: 1320, process: oamjouuda.pif
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description: PID 412 wrote to memory of 1320, pid: 412, process: KERSEL00000209419.scr, target process: oamjouuda.pif
description: PID 412 wrote to memory of 1320, pid: 412, process: KERSEL00000209419.scr, target process: oamjouuda.pif
description: PID 412 wrote to memory of 1320, pid: 412, process: KERSEL00000209419.scr, target process: oamjouuda.pif
Processes
-
C:\Users\Admin\AppData\Local\Temp\KERSEL00000209419.scr
Command line: "C:\Users\Admin\AppData\Local\Temp\KERSEL00000209419.scr" /S
(process tree depth 1)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif
Command line: "C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif" qgxxhbeeur.fak
(process tree depth 2, child of KERSEL00000209419.scr)
- Executes dropped EXE
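The process tree and the WriteProcessMemory rows above together form a recognisable chain: a .scr launched from %TEMP% drops a .pif into a %TEMP% subfolder, spawns it with an odd argument, and then writes into the child's memory three times. The following detection logic is an added example and not part of the sandbox report; it reconstructs that chain from constructed process-create, file-create and write-process-memory records that mirror the report's PIDs (412 and 1320) and paths. The event schema (event, pid, ppid, image, cmdline, path, source_pid, target_pid) is a simplified assumption rather than a real Sysmon or EDR format, and the extra dropped-file extensions beyond .pif are an assumed generalisation of what the report shows.

```python
"""
Detect the dropper chain seen in the report: a .scr in %TEMP% creates an
executable under %TEMP%, spawns it, then writes into the child's memory.

Added example, not part of the sandbox report. The EVENTS list is constructed
to mirror the report's process tree; field names are an assumed simplified
schema, not a real Sysmon/EDR format.
"""
import re
from collections import defaultdict

# Matches paths under C:\Users\<user>\AppData\Local\Temp\ (case-insensitive).
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
DROPPER_EXT = (".scr",)
# .pif is what the report shows; .exe and .com are assumed generalisations.
DROPPED_EXT = (".pif", ".exe", ".com")

# Constructed events mirroring the report (PIDs 412/1320 and paths are from it;
# the explorer/notepad pair is a benign control that must not alert).
EVENTS = [
    {"event": "process_create", "pid": 412, "ppid": 5000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\KERSEL00000209419.scr",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\KERSEL00000209419.scr" /S'},
    {"event": "file_create", "pid": 412,
     "path": r"C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif"},
    {"event": "process_create", "pid": 1320, "ppid": 412,
     "image": r"C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif" qgxxhbeeur.fak'},
    {"event": "write_process_memory", "source_pid": 412, "target_pid": 1320},
    {"event": "write_process_memory", "source_pid": 412, "target_pid": 1320},
    {"event": "write_process_memory", "source_pid": 412, "target_pid": 1320},
    {"event": "process_create", "pid": 2000, "ppid": 5000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def in_temp(path):
    """True if the path sits under the user's %TEMP% directory."""
    return bool(TEMP_RE.match(path))


def detect(events):
    """Return one alert per child process that matches the dropper chain.

    An alert requires at least three of the four indicators so that a lone
    .scr in %TEMP% spawning something, on its own, does not fire.
    """
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    dropped = defaultdict(set)          # pid -> lower-cased paths it created
    wpm = defaultdict(int)              # (source_pid, target_pid) -> write count
    for e in events:
        if e["event"] == "file_create":
            dropped[e["pid"]].add(e["path"].lower())
        elif e["event"] == "write_process_memory":
            wpm[(e["source_pid"], e["target_pid"])] += 1

    alerts = []
    for pid, child in procs.items():
        parent = procs.get(child["ppid"])
        if parent is None:              # parent not observed, nothing to correlate
            continue
        img = child["image"]
        reasons = []
        if parent["image"].lower().endswith(DROPPER_EXT) and in_temp(parent["image"]):
            reasons.append("parent is a .scr in %TEMP%")
        if img.lower().endswith(DROPPED_EXT) and in_temp(img):
            reasons.append("child image is an executable under %TEMP%")
        if img.lower() in dropped[parent["pid"]]:
            reasons.append("child image was written by its parent")
        writes = wpm[(parent["pid"], pid)]
        if writes:
            reasons.append(f"parent wrote to child memory {writes}x")
        if len(reasons) >= 3:
            alerts.append({"pid": pid, "ppid": parent["pid"],
                           "image": img, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"ALERT pid={a['pid']} ppid={a['ppid']} {a['image']}")
        for r in a["reasons"]:
            print("  -", r)
```

Run against the constructed events, the only alert is for PID 1320 with all four indicators; removing the file-create and memory-write records leaves two indicators and no alert, which is the intended behaviour for an ordinary .scr that merely launches another program.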
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\29006555\oamjouuda.pif
MD5
e1f85da023a9f5784e38a37c16c777e6
SHA1
6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256
f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512
28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba
-
memory/1320-115-0x0000000000000000-mapping.dmp