aabe7544db1fafb380e21cc2d80c09b06c8d6b153d9badedeb5622add0d1cd97

Analysis

max time kernel
148s
max time network
153s
platform
windows10_x64
resource
win10-en-20210920
submitted
25-10-2021 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe
Size

425KB
MD5

c50f9125f9bb1a4e5a93e23b577ff25c
SHA1

fa129772bf1201dac210fb1f54dbf949a02e4afd
SHA256

3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a
SHA512

2b6419057f66d4231acb25395596e36c3ebb1ba42e7bf7e723867dd9cdb4087bb3316ad2f35c9bcb2f3ac4b29197d516b88b7ead9b5cd062ab6afed9989c2ba1

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

downloader.exeipfs.exeipfs.exedownloader.exe

pid process

2244 downloader.exe
1152 ipfs.exe
1676 ipfs.exe
856 downloader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2244	downloader.exe
1152	ipfs.exe
1676	ipfs.exe
856	downloader.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exeipfs.exe

description	pid	process	target process
PID 1836 wrote to memory of 2244	1836	3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe	downloader.exe
PID 1836 wrote to memory of 2244	1836	3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe	downloader.exe
PID 1836 wrote to memory of 1152	1836	3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe	ipfs.exe
PID 1836 wrote to memory of 1152	1836	3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe	ipfs.exe
PID 1836 wrote to memory of 1676	1836	3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe	ipfs.exe
PID 1836 wrote to memory of 1676	1836	3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe	ipfs.exe
PID 1836 wrote to memory of 856	1836	3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe	downloader.exe
PID 1836 wrote to memory of 856	1836	3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe	downloader.exe
PID 1676 wrote to memory of 3992	1676	ipfs.exe	route.exe
PID 1676 wrote to memory of 3992	1676	ipfs.exe	route.exe

C:\Users\Admin\AppData\Local\Temp\3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe
"C:\Users\Admin\AppData\Local\Temp\3523671dc78bc32e8caf574110eb09023588eb0a9edb91eb7f6afc7c762d332a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\data\downloader.exe" preferences-ips
2⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
"C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe" init
2⤵
- Executes dropped EXE
PID:1152

C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
"C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe" daemon
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\route.exe
route print 0.0.0.0
3⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\data\downloader.exe" preferences-yt
2⤵
- Executes dropped EXE
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.ipfs\blocks\L5\CIQBIQXZ4NWWDXUSIYSCX7RE6EBXHMGENZNMUDEMGNKMGT2K6LLUL5Y.data
MD5
e5ceda8228b5f5cf03dc480911bc3d14

SHA1
491cf9c0d333847bb6d625fc69bd39745100baff

SHA256
1442f9e36d61de9246242bfe24f10373b0c46e5aca0c8c3354c34f4af2d745f7

SHA512
d22211a5c55a26b11fd287fa9532dd226ab65a5e72930c9f8802ed8a655607afdbe63aa476963e0581cc5a5e5dc2dc37ffe0f8d069a7fb46e40b7988671c8d42

Download Submit
C:\Users\Admin\.ipfs\blocks\N2\CIQDWKPBHXLJ3XVELRJZA2SYY7OGCSX6FRSIZS2VQQPVKOA2Z4VXN2I.data
MD5
d1c3b632bb05d58fe6c1ab061b38ac2a

SHA1
e93e8525510de01168a842f918a69e388c5dc8d2

SHA256
3b29e13dd69ddea45c53906a58c7dc614afe2c648ccb55841f55381acf2b76e9

SHA512
89ec053962a115d40a281f3a4cb3e74f01d7d3e125ca7eb5d16a1d19f9b256c0d70dfea064724d8de413825328997bfdc71655831f12eb9513de68215d9bea2c

Download Submit
C:\Users\Admin\.ipfs\blocks\PM\CIQKNNRB2NFYXUZDJ2UWNMSKYLGTKUYDRQTJCDI7JTUDFH6YOYNUPMA.data
MD5
70a5a06cfef7dfbd5149425eb369ad0f

SHA1
83c42e8bcbcba098ae15c17f8c0c112cd148765b

SHA256
a6b621d34b8bd3234ea966b24ac2cd3553038c26910d1f4ce8329fd8761b47b0

SHA512
0fdb30a4ae5cbca15ea07bf763211a68a9853ec756d8bf0eb5fc83534f2a30da10255782e57fa34dc40a9cd54275f2d179c4d5b0db109803d6a8a95ff19022e4

Download Submit
C:\Users\Admin\.ipfs\blocks\SHARDING
MD5
d713ff4594563267cab170596493dea3

SHA1
9ce016fb4dc32ee86c3f7e0d738679345bbe7d6a

SHA256
70fb6665a8db5fcc035e93750fe34b5a001a69bbde676ebcf64665c4a5876d58

SHA512
30d551e35b9c810d88179b8c81385f8c1a2bff12817337c9cf6f555158a9a8a39cc0b221431be83c21f5193dd5210740a141370ddfff0ba79f6d6a1125d39a4c

Download Submit
C:\Users\Admin\.ipfs\blocks\_README
MD5
35ad9a49218542e6a42b00ddfb944363

SHA1
d5029fa77bd02d4f4088413ff3d661fb89af0df9

SHA256
46d5d0498e45d09fd77030a4f47c059477c4967c55b6a31d4eef8c94d086dfad

SHA512
fc8e52c6d03209e7367f92048c06f57835a939d8bbac101f53ffe5c7b4a21ea3ca692278a15139f8549bdb2c55a38c95e915c9a4688a483183de125f7b61c9cb

Download Submit
C:\Users\Admin\.ipfs\blocks\diskUsage.cache
MD5
4b5a4d351b793b2237e78a341c9c1356

SHA1
31438deca1d9665da1deeb4007125883a1d89a2b

SHA256
d5bbae038bdd4df108b65b09626c7ecd7c4249a26ff48cba8ff746eb249e2c99

SHA512
f1eaebe4af69efe120a70ea4aa20a8d75140424d84e44c56aaee9c1d5b2d44a7571f2efcbc3aac9a0b0a0d5ea50e7d1530414c89af8d959274a8e77bb72570c5

Download Submit
C:\Users\Admin\.ipfs\config
MD5
9a1610bb06f471c9eedf3fb04f451ecc

SHA1
f1d71a49df82af7178ca5552185479763fda4b69

SHA256
20752a0e0edad0b398bb4ebea244d4991035346bb947b444a63bd08e75113b5f

SHA512
7e3de8acc47767abc0c5e946bc95262afd3cb47a4d228f34a4762572d4b705e736e5f9011f15f7bd6a6d738abba9a89021f9d69d5fbf3b98612bfea370cbc61c

Download Submit
C:\Users\Admin\.ipfs\datastore\000002.ldb
MD5
867bab323a6b0356d762621e7cee4ea6

SHA1
3fcac7f7dfbf565a340ad4c3550eb577033745e1

SHA256
90c8afbad2aa860e1638c0bc341eb8712bb1f7c9452ffb75bac83d7f9fbd91e0

SHA512
0273a7a388757b6fda2630cf84edc9de680d61b17dea6f516b8f16da54d4ac43e318ad5aa2d97caf5a391463adb26eca55f953c8953c301893883a4eb3d4bc68

Download Submit
C:\Users\Admin\.ipfs\datastore\000003.log
MD5
86bb6856ca5447fe5e76a1bb0109d835

SHA1
293ccf7d0eb68aeccecb78a8b92a5caeb24eec1f

SHA256
77d87cd45c17586cf8b11d21fbc40fc491b94f6ee781114b5ff99e295218b3bd

SHA512
b1fdf912cc5b0b4f95bfaef4a2d6b92d0d2f97989023d7fecdc2ce74756fe249563d7f1bdbaa1017616dab4232586dd911b3f5abaccbb5330e41ac4422941457

Download Submit
C:\Users\Admin\.ipfs\datastore\CURRENT
MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\.ipfs\datastore\CURRENT.bak
MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\.ipfs\datastore\LOG
MD5
76cb48fc2240b15a947d67362408ef52

SHA1
49d6e74e0b29b13805692387bdd75d1e314a0276

SHA256
40c6f23f9f5ef210d4c298c087540f0673e33aeb11a7283958389563f409feee

SHA512
a951ee2da78b16a174ea492afc2069e5e54fd6c2ce64cf8fbe185d8a735bcb0390024567be6990d5ebc0264fea16b0543bb64fac7214193d18aab7e0a38ee420

Download Submit
C:\Users\Admin\.ipfs\datastore\MANIFEST-000004
MD5
2db88d28d0931eebf5e622cb716c1b39

SHA1
ea9f9183dce7f1a555556a0d7ba1f596e6a7410c

SHA256
f6cf2708d0394528e6171eecc3bce50fdd4ced44a41f0a0e48af21b0b9daf123

SHA512
d34e97d61e714cf99dce6ad97e335a3020b2b163910c753cabbf487f5b8e8f770ff71ff3c7b3fd0177de200bd63aa89ef7bf2a670a4461ef9b2d94e6192308fb

Download Submit
C:\Users\Admin\.ipfs\datastore_spec
MD5
9a9e40d83ab16950daa61f5ab536b77c

SHA1
f9f5fa0ab6f17688d6445a0502a81f093fb08d6c

SHA256
cb1f1e3c29472474de76bb5210dcd3f2500e91c8d88e3a709d519a754ee2eb6e

SHA512
6115c36d3112780c723bb9b1ddcd7ba255adcb8d905941fa3023004276c8a677d8bec4c5db24f873e054cc951cd8fdb9d235e2947adfa6aa9e9ed735e86bb42a

Download Submit
C:\Users\Admin\.ipfs\version
MD5
84bc3da1b3e33a18e8d5e1bdd7a18d7a

SHA1
d3964f9dad9f60363c81b688324d95b4ec7c8038

SHA256
10159baf262b43a92d95db59dae1f72c645127301661e0a3ce4e38b295a97c58

SHA512
61561e09d4cd2834f3714030c96f29d6aa16e7ab35051c91adbfdf3ee90bad5c2cb685d68e576325d16f521808ad560fa67ca0514905642ea3419e974d5e5893

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
365e293e4b80813234723fdbe8a68143

SHA1
a066866f4bbc9a37bce66058e3cb19cb95f8c6b7

SHA256
1d7c6fbbb6b9b7a13b2e2c924d22fb76c061f7b6347a69ba6b66632668fa8ed5

SHA512
16108e60f168dc3db7b8169b5d56af47d80013f2d356aee7cc350d67fc8185b9c016c4856caa064d05de45a82fbfc6af77e6e17e514c5fff46a2a2913023411e

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
365e293e4b80813234723fdbe8a68143

SHA1
a066866f4bbc9a37bce66058e3cb19cb95f8c6b7

SHA256
1d7c6fbbb6b9b7a13b2e2c924d22fb76c061f7b6347a69ba6b66632668fa8ed5

SHA512
16108e60f168dc3db7b8169b5d56af47d80013f2d356aee7cc350d67fc8185b9c016c4856caa064d05de45a82fbfc6af77e6e17e514c5fff46a2a2913023411e

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\downloader.exe
MD5
365e293e4b80813234723fdbe8a68143

SHA1
a066866f4bbc9a37bce66058e3cb19cb95f8c6b7

SHA256
1d7c6fbbb6b9b7a13b2e2c924d22fb76c061f7b6347a69ba6b66632668fa8ed5

SHA512
16108e60f168dc3db7b8169b5d56af47d80013f2d356aee7cc350d67fc8185b9c016c4856caa064d05de45a82fbfc6af77e6e17e514c5fff46a2a2913023411e

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\go-ipfs_v0.4.21_windows-amd64.zip
MD5
ddcc03dc14f929087fcebaccf9d2cac7

SHA1
cadf68214877e22df91a35d30aa9fd96cc3ed046

SHA256
f7bbfefa25c3c725158ae66d15ba2be5139fa4a93d2736f80446e0f6157d52ff

SHA512
a6f150a494d3ecaaeba30dde9336aed555d9e5ff54325a0ba5d52048ea4c3f6739e5c72a8d09cd9d60deb2e0efddada9ae1b8f4dc1dfcc19794af2f99a8575cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\preferences-ips
MD5
6f3c46b66da466981a0f860a9b396dab

SHA1
5cab0ae7dd9a23e3615934cf25014f8506ec4a02

SHA256
5e901bee4d941183921627ed5b57c018dffe598eb760f9e60b00a367419a00af

SHA512
9011a20c62140820a8fdf53fc7631b993484319c79014a12a50e52a09f9432f14546f33ca5af434039d91e3c90427ca5ab5528ad6c6c51f412527fcfca2815db

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\preferences-yt
MD5
7ef7a739de5a36397d8f203d5e6ccd12

SHA1
8924e0f41e9248c0cbafdf936eae20f7b602cb56

SHA256
e5c914f48ed8182f623751142c1cb338ff1c07d60a345536a5ca4aa5e972d8ab

SHA512
277f0560b6a5ba169e8717e8be901a2d2c8b40e7329288cc1e5900a931aea2c26eb49da778c094583b4200894cd46b14fd51571f4d557e9e5ea12cd302aa8161

Download Submit
C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
MD5
a7fab130bddbac883d9b654207a3a828

SHA1
6ffe624b5545e9ba4a2677a3b3ef85818a5c1e54

SHA256
733729837774563932f72cf06ce79914991c8fd1d3c2bb773f3c131b893754a5

SHA512
50059e07776134c73514d02325539d8bf41a425fb36924a5d2d30ffbe2c260d269938791ed537879dc243943a09817bb439eda356f7132f19e2c6d14af8b990c

Download Submit
C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
MD5
a7fab130bddbac883d9b654207a3a828

SHA1
6ffe624b5545e9ba4a2677a3b3ef85818a5c1e54

SHA256
733729837774563932f72cf06ce79914991c8fd1d3c2bb773f3c131b893754a5

SHA512
50059e07776134c73514d02325539d8bf41a425fb36924a5d2d30ffbe2c260d269938791ed537879dc243943a09817bb439eda356f7132f19e2c6d14af8b990c

Download Submit
C:\Users\Admin\AppData\Roaming\ipfs\ipfs.exe
MD5
a7fab130bddbac883d9b654207a3a828

SHA1
6ffe624b5545e9ba4a2677a3b3ef85818a5c1e54

SHA256
733729837774563932f72cf06ce79914991c8fd1d3c2bb773f3c131b893754a5

SHA512
50059e07776134c73514d02325539d8bf41a425fb36924a5d2d30ffbe2c260d269938791ed537879dc243943a09817bb439eda356f7132f19e2c6d14af8b990c

Download Submit
memory/856-125-0x0000000000000000-mapping.dmp

Download
memory/1152-121-0x0000000000000000-mapping.dmp

Download
memory/1676-124-0x0000000000000000-mapping.dmp

Download
memory/2244-116-0x0000000000000000-mapping.dmp

Download
memory/3992-139-0x0000000000000000-mapping.dmp

Download