Analysis
-
max time kernel
197s -
max time network
261s -
platform
windows10_x64 -
resource
win10-20220223-en -
submitted
18-03-2022 15:11
General
-
Target
SECURE_D.exe
-
Size
1.1MB
-
MD5
c5c552951da0e502f8aaf0881e2d26bc
-
SHA1
e279549491a1a76105b0a1d5b258e66de16bd956
-
SHA256
bda7803bc6a630ed5997870eb0b102e590d6f584b11699fb76781564debe9921
-
SHA512
e8d414bf468adfdf8c704e667bc8425ddbb02bc69fbe8cf48bd163c515bbdcab58507d834c836604ab385fb8d41b6a2b1a7f497b04c0ac905538fa53076a4c9c
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SECURE_D.exe"C:\Users\Admin\AppData\Local\Temp\SECURE_D.exe"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SECURE_D.exesecure_d3⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\187559910\payload.dat2⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SECURE_D.exe.logMD5
90acfd72f14a512712b1a7380c0faf60
SHA140ba4accb8faa75887e84fb8e38d598dc8cf0f12
SHA25620806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
SHA51229dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9
-
memory/952-185-0x0000000004F50000-0x0000000004FEC000-memory.dmpFilesize
624KB
-
memory/952-184-0x0000000004F50000-0x0000000004FEC000-memory.dmpFilesize
624KB
-
memory/952-183-0x0000000073FC0000-0x00000000746AE000-memory.dmpFilesize
6.9MB
-
memory/3292-164-0x000001F1DCF70000-0x000001F1DCFE6000-memory.dmpFilesize
472KB
-
memory/3292-153-0x000001F1DCEB0000-0x000001F1DCEEC000-memory.dmpFilesize
240KB
-
memory/3292-147-0x000001F1DA863000-0x000001F1DA865000-memory.dmpFilesize
8KB
-
memory/3292-144-0x000001F1DA860000-0x000001F1DA862000-memory.dmpFilesize
8KB
-
memory/3292-143-0x00007FFFAE300000-0x00007FFFAECEC000-memory.dmpFilesize
9.9MB
-
memory/3292-129-0x000001F1DC8E0000-0x000001F1DC902000-memory.dmpFilesize
136KB
-
memory/3960-123-0x0000000004D90000-0x000000000528E000-memory.dmpFilesize
5.0MB
-
memory/3960-122-0x0000000008360000-0x0000000008410000-memory.dmpFilesize
704KB
-
memory/3960-121-0x0000000004D90000-0x000000000528E000-memory.dmpFilesize
5.0MB
-
memory/3960-120-0x0000000004F50000-0x0000000004FA6000-memory.dmpFilesize
344KB
-
memory/3960-119-0x0000000004C90000-0x0000000004C9A000-memory.dmpFilesize
40KB
-
memory/3960-114-0x0000000000360000-0x000000000047C000-memory.dmpFilesize
1.1MB
-
memory/3960-118-0x0000000073F20000-0x000000007460E000-memory.dmpFilesize
6.9MB
-
memory/3960-117-0x0000000004D90000-0x0000000004E22000-memory.dmpFilesize
584KB
-
memory/3960-116-0x0000000005290000-0x000000000578E000-memory.dmpFilesize
5.0MB
-
memory/3960-115-0x0000000004CF0000-0x0000000004D8C000-memory.dmpFilesize
624KB