Analysis
- max time kernel: 271s
- max time network: 139s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 28-10-2021 08:29
Static task: static1
Behavioral task: behavioral1
- Sample: IHAransom.exe
- Resource: win7-en-20210920
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: IHAransom.exe
- Resource: win10-en-20211014
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: IHAransom.exe
- Size: 231KB
- MD5: 5f775c9a9d49013ef37aa7d332327af4
- SHA1: f96eeeaebef8e4d1ed74f7c557ef2a9d3c021bc8
- SHA256: 6fafb9d3eec58313bfeb572ebeb09739a413b1df2b7755611f06ef62d8c9cf8e
- SHA512: fb6c0231f4821ded9c1fa7045d2581bd816d9dbe792394742b946f7ba76a06e18b84078bef6e0206f5dff2e42145f6e9f9f43829dc567ca571884b60c745f31f
- Score: 8/10
Malware Config
Signatures
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: IHAransom.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\EnableEnter.png.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\ImportWrite.crw.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\SaveLimit.crw.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\SyncPush.tif.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\SyncUndo.raw.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\EditPop.raw.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff.IHA | IHAransom.exe
  File opened for modification | C:\Users\Admin\Pictures\ApproveOpen.raw.IHA | IHAransom.exe
- Drops startup file (2 IoCs)
  Processes: IHAransom.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2aylA1lZf9IPqtjo.exe | IHAransom.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2aylA1lZf9IPqtjo.exe | IHAransom.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: IHAransom.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cry.img" | IHAransom.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: IHAransom.exe
  description | pid | process
  Token: SeDebugPrivilege | 4112 | IHAransom.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4112-115-0x0000000002A10000-0x0000000002A12000-memory.dmp (filesize 8KB)
- memory/4112-116-0x0000000002A15000-0x0000000002A16000-memory.dmp (filesize 4KB)
- memory/4112-118-0x0000000002A17000-0x0000000002A18000-memory.dmp (filesize 4KB)
- memory/4112-117-0x0000000002A16000-0x0000000002A17000-memory.dmp (filesize 4KB)