Overview

overview

3

Static

static

RsEncP.exe

windows7_x64

3

RsEncP.exe

windows10_x64

3

Resubmissions

08/12/2021, 11:46

211208-nxfx8scgh4 3

08/07/2021, 12:20

210708-lww6e74kma 1

08/07/2021, 07:33

210708-x3v895zhz2 1

Analysis

  • max time kernel
    143s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    08/12/2021, 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RsEncP.exe

  • Size

    195KB

  • MD5

    1e8c10aca8b1af079d130d59585bbe87

  • SHA1

    fffad47c0363a714ad2b1804ec98fd86e1577e88

  • SHA256

    22240b86f52405d2d69523a3c74e5aa576e5251d72cccbf07e91273e4391a324

  • SHA512

    cddd29afc17bca6324aaf422aa197fe2b2343f587aeadd40b3b5e13cddebf94a65bf46ab87ba66288562d899357fbb726df127ce316c2d4e930f8415cee09ef8

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RsEncP.exe
    "C:\Users\Admin\AppData\Local\Temp\RsEncP.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://116.123.119.125:50007//Pages/ResultCollect/Msg_Pop.aspx?strKey=dDcyZkNRSExEVGowSXhvOUM1QXJYamFsQUNYcHdXajExOE9tV0xqczNoST0=&p_encode=dkc3aTlVZTdLWE1MZkJWaHc4aXg0OWF6UWJGTGFYL2J6dmI3bEhVK0Z2QVJnaEtlSmdyTHZhdUJZZTgzWmdjZ1NYY0E1blcxZld6SDQzcGN0clE2UTV2NVEreUhza1pOOVV0cyt2Y2hDU1FOdk9XbkdkS3FSS01LeVdzeERQb3NFNm5uc3BaZ3VhUHZIWjBpTVZtaUpRPT0=&p_ip=175.196.87.251&p_host=175.196.87.251
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1780
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x17c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1704
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\fa46ac485979471c9b9e9780945712ee.Recon
    1⤵
    • Modifies registry class
    PID:1824
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\806f3a7dc96a40089f5981991b698a39.Recon
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\806f3a7dc96a40089f5981991b698a39.Recon
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1748
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\01bcc0e224b94fef965a277dd0cfef88.Recon
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\01bcc0e224b94fef965a277dd0cfef88.Recon
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1820-55-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1820-57-0x00000000757E1000-0x00000000757E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1820-58-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1820-59-0x0000000004DB5000-0x0000000004DC6000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1824-62-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

    Filesize

    8KB

    Download