Resubmissions

08-12-2021 11:46

211208-nxfx8scgh4 3

08-07-2021 12:20

210708-lww6e74kma 1

08-07-2021 07:33

210708-x3v895zhz2 1

Analysis

  • max time kernel
    143s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    08-12-2021 11:46

General

  • Target

    RsEncP.exe

  • Size

    195KB

  • MD5

    1e8c10aca8b1af079d130d59585bbe87

  • SHA1

    fffad47c0363a714ad2b1804ec98fd86e1577e88

  • SHA256

    22240b86f52405d2d69523a3c74e5aa576e5251d72cccbf07e91273e4391a324

  • SHA512

    cddd29afc17bca6324aaf422aa197fe2b2343f587aeadd40b3b5e13cddebf94a65bf46ab87ba66288562d899357fbb726df127ce316c2d4e930f8415cee09ef8

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies registry class 4 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RsEncP.exe
    "C:\Users\Admin\AppData\Local\Temp\RsEncP.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://116.123.119.125:50007//Pages/ResultCollect/Msg_Pop.aspx?strKey=dDcyZkNRSExEVGowSXhvOUM1QXJYamFsQUNYcHdXajExOE9tV0xqczNoST0=&p_encode=dkc3aTlVZTdLWE1MZkJWaHc4aXg0OWF6UWJGTGFYL2J6dmI3bEhVK0Z2QVJnaEtlSmdyTHZhdUJZZTgzWmdjZ1NYY0E1blcxZld6SDQzcGN0clE2UTV2NVEreUhza1pOOVV0cyt2Y2hDU1FOdk9XbkdkS3FSS01LeVdzeERQb3NFNm5uc3BaZ3VhUHZIWjBpTVZtaUpRPT0=&p_ip=175.196.87.251&p_host=175.196.87.251
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1780
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x17c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1704
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\fa46ac485979471c9b9e9780945712ee.Recon
    1⤵
    • Modifies registry class
    PID:1824
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\806f3a7dc96a40089f5981991b698a39.Recon
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\806f3a7dc96a40089f5981991b698a39.Recon
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1748
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\01bcc0e224b94fef965a277dd0cfef88.Recon
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\01bcc0e224b94fef965a277dd0cfef88.Recon
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1500

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\Desktop\01bcc0e224b94fef965a277dd0cfef88.Recon
    MD5

    994490cc3aa828dfcd94477f2cdfd231

    SHA1

    6880442e78ece0cee63d982ac6148068d5eaccb3

    SHA256

    d1203a58ce329466919774c2685309e21df3f9dae97260429719a00fcc244df6

    SHA512

    a6efd995b867b9987f74071efc91eba1a7776dbed409c6b9662440654b8d21919dede0e73b282f17fa32e68f7f8cd2bc37f14b6e5e58f9effc0ec3b99c53f4f8

  • C:\Users\Admin\Desktop\806f3a7dc96a40089f5981991b698a39.Recon
    MD5

    994490cc3aa828dfcd94477f2cdfd231

    SHA1

    6880442e78ece0cee63d982ac6148068d5eaccb3

    SHA256

    d1203a58ce329466919774c2685309e21df3f9dae97260429719a00fcc244df6

    SHA512

    a6efd995b867b9987f74071efc91eba1a7776dbed409c6b9662440654b8d21919dede0e73b282f17fa32e68f7f8cd2bc37f14b6e5e58f9effc0ec3b99c53f4f8

  • memory/1500-68-0x0000000000000000-mapping.dmp
  • memory/1556-60-0x0000000000000000-mapping.dmp
  • memory/1748-64-0x0000000000000000-mapping.dmp
  • memory/1780-61-0x0000000000000000-mapping.dmp
  • memory/1820-55-0x0000000000390000-0x0000000000391000-memory.dmp
    Filesize

    4KB

  • memory/1820-57-0x00000000757E1000-0x00000000757E3000-memory.dmp
    Filesize

    8KB

  • memory/1820-58-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
    Filesize

    4KB

  • memory/1820-59-0x0000000004DB5000-0x0000000004DC6000-memory.dmp
    Filesize

    68KB

  • memory/1824-62-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp
    Filesize

    8KB