Analysis
-
max time kernel
4294182s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
20-03-2022 22:38
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20220310-en
General
-
Target
tmp.exe
-
Size
5.6MB
-
MD5
8553fce61d3e5901ac350a295ea9ab43
-
SHA1
a0a153fe479ced746588ad6d8507feae48a8faf7
-
SHA256
2b5bda4a5b69baf73b091ff56f4e093af1ed26b4b6c8e8c091056d8bbf655877
-
SHA512
e945653a21e6b8c9c47061634c5f99e93ad9fa0d532a2091af01e345f82ebf3bde6932b56bb453fac6e7489a4e94d0480fe1687270ca6a8aa51e945615c37ad8
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\pss.txt
prometheus
http
http!23
http1
http12
http123
http1234
httpd
httpd!@#$
httpd112233
httpd123
httpd1234
httpdroot
httpds
https
Signatures
-
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
-
Executes dropped EXE 1 IoCs
Processes:
ctfmon.exepid Process 1792 ctfmon.exe -
Loads dropped DLL 3 IoCs
Processes:
tmp.exectfmon.exepid Process 1660 tmp.exe 1792 ctfmon.exe 1792 ctfmon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
tmp.exedescription pid Process procid_target PID 1660 wrote to memory of 1792 1660 tmp.exe 29 PID 1660 wrote to memory of 1792 1660 tmp.exe 29 PID 1660 wrote to memory of 1792 1660 tmp.exe 29 PID 1660 wrote to memory of 1792 1660 tmp.exe 29 PID 1660 wrote to memory of 1792 1660 tmp.exe 29 PID 1660 wrote to memory of 1792 1660 tmp.exe 29 PID 1660 wrote to memory of 1792 1660 tmp.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD5c0eebe72f6fe823e4280a1b31d74121e
SHA1458cf7033bb63bcaee5b1be164d5c3249fbcde68
SHA256e602795bf0317c1b224ef23be7d3008903c45aff31ff089e80c4b617e674dffb
SHA51241ed42174dd7271a5c24782a584cce8fb3f7197ed85f222dc1b5198ed58bd4600ffd59f4798de6486fe2054852550a3dd582f09d073ff4df60d1f718cd6bb80e
-
Filesize
5.4MB
MD52a16f89dfaf79e0721812cd76ab1c2ca
SHA107c4d0a8a2bf6e1e0389019ecf86203363a80e32
SHA25610bac24cd42801b44f7ad18ed955512176eceeda25dc2f4c8869d1b615214dc8
SHA51279ffa6e2c7d4b0b227ecc676ce37332358eb5f89063f2266861110ceff000536e1bb1b705d4a73a545a3a34f58ec0dfa7a0c0b85bf01087e58e45bd16c8f04b1
-
Filesize
236KB
MD5c0eebe72f6fe823e4280a1b31d74121e
SHA1458cf7033bb63bcaee5b1be164d5c3249fbcde68
SHA256e602795bf0317c1b224ef23be7d3008903c45aff31ff089e80c4b617e674dffb
SHA51241ed42174dd7271a5c24782a584cce8fb3f7197ed85f222dc1b5198ed58bd4600ffd59f4798de6486fe2054852550a3dd582f09d073ff4df60d1f718cd6bb80e
-
Filesize
20KB
MD5c09f5e1f26c8be68974e4a0d44f452f8
SHA14c81290a955319c06d132eeb502fa60c795a6332
SHA256b38561fd94ca95d63cba361fb5ae2f8982796795b95284b9bde7d656a50c3ba1
SHA5125b5dad5b7fc54ca1e438a72d3e7c71c7d0c562086b2041b15c9fa0f64e692a6af2dcd7f3fd5c01bd0ec269d5608e3f30db2a34faec1982cbeab2f0599c67e704
-
Filesize
31KB
MD55395e2e30e9347d2292dc3b610163274
SHA1f87597f156a460608b577da0bc4ab708d142104b
SHA256492e67102db73433364b6a0163ce3a0f7e9d5d905033cc2fedca45a210c817cf
SHA51273e50adf7d5967f617c0fcffa0fedbff2837f9582cf762fa62f59340e0b917354405dc5b0f15140b8bd1c719b6c23f66f338f523ac78be8ccfad5033c412783e