Analysis
- max time kernel: 128s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 15-03-2022 15:50
Static task: static1
Behavioral task: behavioral1
- Sample: COMMANDE.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: COMMANDE.exe
- Resource: win10v2004-en-20220113
General
- Target: COMMANDE.exe
- Size: 300KB
- MD5: 15ed95eaed3d1031c2e7dcc9d129e0f0
- SHA1: 98148eb8665763ed2b1dafbe2050d4b638f5078f
- SHA256: 5310b41169311c55d3dbdd3bf129510349d4eccac82ebe11ab34be1a291f2916
- SHA512: 2bbc1be0e8a703071cc6859b83db4032f92ba234bf4e41b4a221eb29191a208564995b356b24de9727e0abf669a6f79986742be0321249a8d0041abcbd39b341
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4196  eudupag.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target pid  target process
    PID 3668 wrote to memory of 4196   3668  COMMANDE.exe  4196        eudupag.exe
    PID 3668 wrote to memory of 4196   3668  COMMANDE.exe  4196        eudupag.exe
    PID 3668 wrote to memory of 4196   3668  COMMANDE.exe  4196        eudupag.exe
    PID 4196 wrote to memory of 2188   4196  eudupag.exe   2188        eudupag.exe
    PID 4196 wrote to memory of 2188   4196  eudupag.exe   2188        eudupag.exe
    PID 4196 wrote to memory of 2188   4196  eudupag.exe   2188        eudupag.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\COMMANDE.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\COMMANDE.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\eudupag.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\eudupag.exe C:\Users\Admin\AppData\Local\Temp\nhddajnigp
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\eudupag.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\eudupag.exe C:\Users\Admin\AppData\Local\Temp\nhddajnigp
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\eudupag.exe
  MD5: b0864289f09d4f400ff18bccd2fe858e
  SHA1: 345ac756ae1b5b3230c5032e96bb4976787fc447
  SHA256: 0bebe910efbed34fe37976921cdece0364c0548ea2938404d3c66287b1b37667
  SHA512: 32475f1a02bafbe4e0860713d399a22a45fb5137ce8f3a5cb615e54faec87e69a5b4edf006cc9c9aa9edc6d6af3e6ed62e1d733f06bd63867703a3091ed77223
- C:\Users\Admin\AppData\Local\Temp\i0bvw9ieywzl0xhhqo1y
  MD5: 4dcb394819e0edf751119d26b4ff65c8
  SHA1: 0af4583869297dacf26ddbea8b6598c2d0384386
  SHA256: d3dfcdbea4f79f747a95a4353b10e9bbeafe9069915f27e41e4444b8433331a0
  SHA512: 3a0f9ddd9a8f038d1297c94c7f173391b49d00e67d9893e5f33d4504d93575905af55d329a4d7c5febd5a4000cc530d56a6daa044a672c30162c8bc4106480f1
- C:\Users\Admin\AppData\Local\Temp\nhddajnigp
  MD5: e42f7db839c8b5d49522864853556254
  SHA1: 0540d291746f405aeb5801fb333e697c8100fe98
  SHA256: 4f3524205dc82fc76c546010af8c492fdad5dfd49a91cfdb427019a96fa7b20f
  SHA512: a95ca20eee536da0dc4ad83b86e5549b4c126b73ae91759a6e93350088d684ec968deb9843c2612aad3c25fc668ec279eef94271a829e4409222a9c08e7bb803