Malware Analysis Report

2024-10-19 06:17

Sample ID 220320-2kndfagffr
Target tmp
SHA256 2b5bda4a5b69baf73b091ff56f4e093af1ed26b4b6c8e8c091056d8bbf655877
Tags prometheus ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

2b5bda4a5b69baf73b091ff56f4e093af1ed26b4b6c8e8c091056d8bbf655877

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

prometheus ransomware

Prometheus Ransomware

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

0001-01-01 00:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-20 22:38

Reported

2022-03-20 22:42

Platform

win7-20220310-en

Max time kernel

4294182s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Prometheus Ransomware

ransomware prometheus

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\ctfmon.exe
Target N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\ctfmon.exe

"C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"

Network

N/A

Files

memory/1660-54-0x0000000075421000-0x0000000075423000-memory.dmp

\Users\Admin\AppData\Local\Temp\ctfmon.exe

MD5 c0eebe72f6fe823e4280a1b31d74121e
SHA1 458cf7033bb63bcaee5b1be164d5c3249fbcde68
SHA256 e602795bf0317c1b224ef23be7d3008903c45aff31ff089e80c4b617e674dffb
SHA512 41ed42174dd7271a5c24782a584cce8fb3f7197ed85f222dc1b5198ed58bd4600ffd59f4798de6486fe2054852550a3dd582f09d073ff4df60d1f718cd6bb80e

C:\Users\Admin\AppData\Local\Temp\ctfmon.exe

MD5 c0eebe72f6fe823e4280a1b31d74121e
SHA1 458cf7033bb63bcaee5b1be164d5c3249fbcde68
SHA256 e602795bf0317c1b224ef23be7d3008903c45aff31ff089e80c4b617e674dffb
SHA512 41ed42174dd7271a5c24782a584cce8fb3f7197ed85f222dc1b5198ed58bd4600ffd59f4798de6486fe2054852550a3dd582f09d073ff4df60d1f718cd6bb80e

\Users\Admin\AppData\Local\Temp\gentee00\pauto.dll

MD5 5395e2e30e9347d2292dc3b610163274
SHA1 f87597f156a460608b577da0bc4ab708d142104b
SHA256 492e67102db73433364b6a0163ce3a0f7e9d5d905033cc2fedca45a210c817cf
SHA512 73e50adf7d5967f617c0fcffa0fedbff2837f9582cf762fa62f59340e0b917354405dc5b0f15140b8bd1c719b6c23f66f338f523ac78be8ccfad5033c412783e

\Users\Admin\AppData\Local\Temp\gentee00\cab2g.dll

MD5 c09f5e1f26c8be68974e4a0d44f452f8
SHA1 4c81290a955319c06d132eeb502fa60c795a6332
SHA256 b38561fd94ca95d63cba361fb5ae2f8982796795b95284b9bde7d656a50c3ba1
SHA512 5b5dad5b7fc54ca1e438a72d3e7c71c7d0c562086b2041b15c9fa0f64e692a6af2dcd7f3fd5c01bd0ec269d5608e3f30db2a34faec1982cbeab2f0599c67e704

memory/1792-61-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1792-60-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/1792-62-0x0000000002840000-0x0000000002841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss.cab

MD5 2a16f89dfaf79e0721812cd76ab1c2ca
SHA1 07c4d0a8a2bf6e1e0389019ecf86203363a80e32
SHA256 10bac24cd42801b44f7ad18ed955512176eceeda25dc2f4c8869d1b615214dc8
SHA512 79ffa6e2c7d4b0b227ecc676ce37332358eb5f89063f2266861110ceff000536e1bb1b705d4a73a545a3a34f58ec0dfa7a0c0b85bf01087e58e45bd16c8f04b1

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-20 22:38

Reported

2022-03-20 22:42

Platform

win10v2004-20220310-en

Max time kernel

160s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Prometheus Ransomware

ransomware prometheus

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ctfmon.exe N/A

Checks computer location settings

Description Key value queried
Indicator \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation
Process C:\Users\Admin\AppData\Local\Temp\tmp.exe
Target N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description PID 3472 wrote to memory of 1172 (three identical events recorded)
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\tmp.exe
Target C:\Users\Admin\AppData\Local\Temp\ctfmon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\ctfmon.exe

"C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\ctfmon.exe

MD5 c0eebe72f6fe823e4280a1b31d74121e
SHA1 458cf7033bb63bcaee5b1be164d5c3249fbcde68
SHA256 e602795bf0317c1b224ef23be7d3008903c45aff31ff089e80c4b617e674dffb
SHA512 41ed42174dd7271a5c24782a584cce8fb3f7197ed85f222dc1b5198ed58bd4600ffd59f4798de6486fe2054852550a3dd582f09d073ff4df60d1f718cd6bb80e

C:\Users\Admin\AppData\Local\Temp\gentee00\pauto.dll

MD5 5395e2e30e9347d2292dc3b610163274
SHA1 f87597f156a460608b577da0bc4ab708d142104b
SHA256 492e67102db73433364b6a0163ce3a0f7e9d5d905033cc2fedca45a210c817cf
SHA512 73e50adf7d5967f617c0fcffa0fedbff2837f9582cf762fa62f59340e0b917354405dc5b0f15140b8bd1c719b6c23f66f338f523ac78be8ccfad5033c412783e

C:\Users\Admin\AppData\Local\Temp\gentee00\cab2g.dll

MD5 c09f5e1f26c8be68974e4a0d44f452f8
SHA1 4c81290a955319c06d132eeb502fa60c795a6332
SHA256 b38561fd94ca95d63cba361fb5ae2f8982796795b95284b9bde7d656a50c3ba1
SHA512 5b5dad5b7fc54ca1e438a72d3e7c71c7d0c562086b2041b15c9fa0f64e692a6af2dcd7f3fd5c01bd0ec269d5608e3f30db2a34faec1982cbeab2f0599c67e704

memory/1172-139-0x0000000002660000-0x0000000002661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss.cab

MD5 2a16f89dfaf79e0721812cd76ab1c2ca
SHA1 07c4d0a8a2bf6e1e0389019ecf86203363a80e32
SHA256 10bac24cd42801b44f7ad18ed955512176eceeda25dc2f4c8869d1b615214dc8
SHA512 79ffa6e2c7d4b0b227ecc676ce37332358eb5f89063f2266861110ceff000536e1bb1b705d4a73a545a3a34f58ec0dfa7a0c0b85bf01087e58e45bd16c8f04b1

memory/1172-142-0x00000000043D0000-0x00000000043D1000-memory.dmp

memory/1172-141-0x00000000027D0000-0x00000000027D1000-memory.dmp