Analysis
- max time kernel: 122s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 27-10-2021 04:24
Static task: static1
Behavioral task: behavioral1
- Sample: SESIN2107005101.JPG.scr
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: SESIN2107005101.JPG.scr
- Resource: win10-en-20210920
General
- Target: SESIN2107005101.JPG.scr
- Size: 1.0MB
- MD5: 4c9cc530b572cc74b0a3f98070209162
- SHA1: 37b9edc504f4d2a5b2735003decd03981be2a721
- SHA256: 6a1770e16518fb549c5f6807348c728ad91f82109188ffc704e4668d0919d16f
- SHA512: 313c70d6acc59684b4c3ac82a89beca47de379323102022e297aa64980046a50bf0dc709560500e316d5b0b729f9a536b718595f79898b8abcc971b50a2f2fa0
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  640 | jmmhvp.pif
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 3800 wrote to memory of 640 | 3800 | SESIN2107005101.JPG.scr | jmmhvp.pif
  PID 3800 wrote to memory of 640 | 3800 | SESIN2107005101.JPG.scr | jmmhvp.pif
  PID 3800 wrote to memory of 640 | 3800 | SESIN2107005101.JPG.scr | jmmhvp.pif
Processes
1. C:\Users\Admin\AppData\Local\Temp\SESIN2107005101.JPG.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\SESIN2107005101.JPG.scr" /S
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Roaming\57837738\jmmhvp.pif
   Command line: "C:\Users\Admin\AppData\Roaming\57837738\jmmhvp.pif" khugi.hel
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\57837738\jmmhvp.pif
  MD5: e1f85da023a9f5784e38a37c16c777e6
  SHA1: 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
  SHA256: f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
  SHA512: 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba
- memory/640-115-0x0000000000000000-mapping.dmp