Analysis
- max time kernel: 41s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 13:03
Static task: static1
Behavioral task behavioral1: Sample BANK_DET.exe, Resource win7-20220414-en
Behavioral task behavioral2: Sample BANK_DET.exe, Resource win10v2004-20220414-en
Behavioral task behavioral3: Sample REVERSE_.exe, Resource win7-20220414-en
Behavioral task behavioral4: Sample REVERSE_.exe, Resource win10v2004-20220414-en
General
- Target: REVERSE_.exe
- Size: 507KB
- MD5: b378a8a59c97e5db6fc1c6faf37c90de
- SHA1: 1ba14ba7adab7d5903f0dd6c9e8ef9a9d40115e7
- SHA256: ab85c8e3305016e7806bf71583c6100e8249054dbb2701b9944a190ae15a7284
- SHA512: d31d6c7d52fe576ae7f5d3276fabcf56ae1d0b30786df1b795e7b03ccb4b0e607fcd95e9e7229f5017dd059803c5c2415243091109163cca424dcfeb10197a4d
The signatures, process tree and dropped files below come from the REVERSE_.exe run on win7-20220414-en (platform windows7_x64), i.e. behavioral3; the BANK_DET.exe tasks and the Windows 10 run are not covered on this page.
Malware Config
Signatures
- Loads dropped DLL 1 IoCs
  Processes (pid, process):
    240  rundll32.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. Nothing else in this report corroborates encryption activity (the only recorded file drops are Helenium and Pentagon.dll, the Network section is empty, and rundll32.exe crashed after loading the DLL), so treat the ransomware label as a hint rather than a finding.
- Program crash 1 IoCs
  Processes (pid, pid_target, process, target process):
    1616  240  WerFault.exe  rundll32.exe
  WerFault.exe was started for PID 240, the rundll32.exe that loaded Pentagon.dll, so the payload crashed during this run and the behavioural trace of the DLL is probably incomplete.
- Suspicious use of WriteProcessMemory 11 IoCs
  Processes (description, pid, process, target process), 11 events collapsed by source/target pair:
    PID 1444 wrote to memory of 240   REVERSE_.exe  rundll32.exe  (7 events)
    PID 240 wrote to memory of 1616   rundll32.exe  WerFault.exe  (4 events)
  Both edges run from a parent into the child it had just created. The second edge is the crash handoff from rundll32.exe to the WerFault.exe it spawned, not injection into an unrelated process; the first edge, the dropper writing into rundll32.exe, is the one worth examining in the memory dumps listed under Downloads.
Processes
- C:\Users\Admin\AppData\Local\Temp\REVERSE_.exe (PID 1444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\REVERSE_.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 240)
    Command line: C:\Windows\system32\rundll32.exe Pentagon,Maia
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1616)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 228
      - Program crash
The rundll32.exe argument names the module by bare name with no extension (Pentagon) and the exported function to call (Maia). With no path given, the loader appends .dll and walks the standard DLL search order, which reaches the current directory after the system directories; rundll32.exe inherits %TEMP% as its current directory from REVERSE_.exe, and that is where Pentagon.dll was dropped (see Downloads). The command line names system32 but the image ran from SysWOW64, so REVERSE_.exe is a 32-bit process and Pentagon.dll was loaded under WOW64 file-system redirection.
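Detection logic for the launch pattern in this tree, as an added example that is not part of the sandbox report or of any vendor tooling: it flags rundll32.exe launches whose module is given by bare name when a second indicator is present (no extension, parent running from a user-writable directory, or a user-writable current directory). The EVENTS records are constructed in a simplified Sysmon Event ID 1 shape, and the field names, USER_WRITABLE list and thresholds are this example's own assumptions.

```python
# Added example, not part of the sandbox report: hunt process-creation logs
# for rundll32.exe launched with a bare module name, the pattern behind
# "rundll32.exe Pentagon,Maia" above. EVENTS are constructed records in a
# simplified Sysmon Event ID 1 shape; the field names are an assumption.
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to, lower-case, with surrounding
# backslashes so that "temp" inside some other path does not match.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")

# [path\]rundll32[.exe] <module>,<export> [args]; the module may be quoted.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<module>"[^"]+"|[^\s,]+)\s*,\s*(?P<export>\S+)', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    module: str
    export: str
    reasons: list


def in_user_writable(path: str) -> bool:
    p = path.lower().rstrip("\\") + "\\"
    return any(marker in p for marker in USER_WRITABLE)


def parse_rundll32(cmdline: str):
    """Return (module, export) from a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    return None if m is None else (m.group("module").strip('"'), m.group("export"))


def assess(event: dict):
    """Return a Finding for a suspicious rundll32 launch, else None."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return None
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return None
    module, export = parsed
    if "\\" in module or "/" in module:
        return None  # explicit path: resolved directly, out of scope here
    # Bare name: LoadLibrary walks the search order, which includes the
    # current directory inherited from the parent (%TEMP% in the report).
    reasons = ["module given by bare name, resolved through the DLL search order"]
    if not re.search(r"\.(dll|cpl|ocx|ax)$", module, re.IGNORECASE):
        reasons.append("module has no extension; the loader appends .dll")
    if in_user_writable(event["ParentImage"]):
        reasons.append("parent image runs from a user-writable directory")
    if in_user_writable(event.get("CurrentDirectory", "")):
        reasons.append("current directory searched by the loader is user-writable")
    # A bare name alone is common in benign use (user32.dll,LockWorkStation),
    # so require a second indicator before raising.
    if len(reasons) < 2:
        return None
    return Finding(event["ProcessId"], module, export, reasons)


def scan(events):
    return [f for f in map(assess, events) if f is not None]


EVENTS = [
    {   # the chain from the report: dropper in %TEMP% launching rundll32
        "ProcessId": 240, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": r"C:\Windows\system32\rundll32.exe Pentagon,Maia",
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\REVERSE_.exe",
        "CurrentDirectory": r"C:\Users\Admin\AppData\Local\Temp"},
    {   # constructed benign control-panel launch with an explicit DLL path
        "ProcessId": 3104, "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL "C:\Windows\System32\intl.cpl",',
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Windows\System32"},
    {   # constructed benign bare-name launch from a non-writable parent
        "ProcessId": 3188, "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": "rundll32.exe user32.dll,LockWorkStation",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\Admin"},
    {   # the crash handler from the report: not a rundll32 image, ignored
        "ProcessId": 1616, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
        "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 228",
        "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
        "CurrentDirectory": r"C:\Users\Admin\AppData\Local\Temp"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"PID {f.pid}: rundll32 {f.module},{f.export}")
        for r in f.reasons:
            print("  -", r)
```

Run against the four constructed records, only PID 240 is raised, with all four reasons; the explicit-path control-panel launch and the bare `user32.dll,LockWorkStation` launch from explorer.exe stay quiet, and the WerFault.exe child is skipped because the rule keys on the rundll32.exe image, not on the parent.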
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Helenium
  Filesize: 250KB
  MD5: e0671641d426de50ad7c213f6e20a62e
  SHA1: 14bc1c6609a404952f3a18db64f658d24b44a0a7
  SHA256: c7400e7ce60118d11dd93c40c1d8804998a174caa9f71bb73ccaa11174e117cf
  SHA512: fa8dbc736af60464f367645c125d750195bf11554f91253ad0b3cd61af96291f68b14c54a94c64bd8cde1de42aeee24792f1c18460fe85ff9c261a958c13060a
  Helenium has no extension and is not referenced anywhere else in the trace; because rundll32.exe crashed, its role was not observed in this run.
- C:\Users\Admin\AppData\Local\Temp\Pentagon.DLL
  Filesize: 56KB
  MD5: 84efccfc8c97ebda74559a289f41c769
  SHA1: 5325f8b9e8a20a0ac8911f48b6f744c69665650a
  SHA256: 0515fa8a1ed1d74e440cb372c981b8e3b703fe5c1593e26deaba5a47704cebc8
  SHA512: 8c0845739ee37d658c91899f947604cbd69c126e9e0cfc6af275a007ef99802cf86e4af4af180b4a14a786aec9645144f737dafb87543c7d3faa13544888e66b
- \Users\Admin\AppData\Local\Temp\Pentagon.dll
  Filesize: 56KB
  MD5: 84efccfc8c97ebda74559a289f41c769
  SHA1: 5325f8b9e8a20a0ac8911f48b6f744c69665650a
  SHA256: 0515fa8a1ed1d74e440cb372c981b8e3b703fe5c1593e26deaba5a47704cebc8
  SHA512: 8c0845739ee37d658c91899f947604cbd69c126e9e0cfc6af275a007ef99802cf86e4af4af180b4a14a786aec9645144f737dafb87543c7d3faa13544888e66b
  Identical hashes to Pentagon.DLL above: the same dropped file recorded under a second path spelling. The run therefore produced two distinct files, Helenium and Pentagon.dll, not three.
- memory/240-55-0x0000000000000000-mapping.dmp
- memory/240-61-0x00000000000B0000-0x00000000000B3000-memory.dmp
  Filesize: 12KB
- memory/1444-54-0x0000000075B71000-0x0000000075B73000-memory.dmp
  Filesize: 8KB
- memory/1616-60-0x0000000000000000-mapping.dmp
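Turning the dropped-file entries into a usable hash IOC set, as an added example that is not part of the sandbox report: REPORT_DROPPED_FILES copies the three Downloads entries above, the index collapses the duplicate Pentagon.dll record by SHA-256, and files are matched on content (any of MD5, SHA-1, SHA-256) rather than on name or path, so a renamed drop still hits. The helper names, the scan API and the constructed positive in the test are this example's own.

```python
# Added example, not part of the sandbox report: build a hash IOC index from
# the report's dropped-file entries and match files by content rather than by
# name or path. REPORT_DROPPED_FILES copies the three Downloads entries above;
# the helper names and the scan API are this example's own.
import hashlib
import os

REPORT_DROPPED_FILES = [
    {
        "path": r"C:\Users\Admin\AppData\Local\Temp\Helenium",
        "md5": "e0671641d426de50ad7c213f6e20a62e",
        "sha1": "14bc1c6609a404952f3a18db64f658d24b44a0a7",
        "sha256": "c7400e7ce60118d11dd93c40c1d8804998a174caa9f71bb73ccaa11174e117cf",
    },
    {
        "path": r"C:\Users\Admin\AppData\Local\Temp\Pentagon.DLL",
        "md5": "84efccfc8c97ebda74559a289f41c769",
        "sha1": "5325f8b9e8a20a0ac8911f48b6f744c69665650a",
        "sha256": "0515fa8a1ed1d74e440cb372c981b8e3b703fe5c1593e26deaba5a47704cebc8",
    },
    {   # the report lists the same file again under a second path spelling
        "path": r"\Users\Admin\AppData\Local\Temp\Pentagon.dll",
        "md5": "84efccfc8c97ebda74559a289f41c769",
        "sha1": "5325f8b9e8a20a0ac8911f48b6f744c69665650a",
        "sha256": "0515fa8a1ed1d74e440cb372c981b8e3b703fe5c1593e26deaba5a47704cebc8",
    },
]

ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory blob with the three algorithms the report lists."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Digest a file in chunks so large drops are not read into memory."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def unique_artifacts(entries):
    """Collapse entries that share a SHA-256 (same bytes, different path)."""
    seen, out = set(), []
    for e in entries:
        if e["sha256"].lower() not in seen:
            seen.add(e["sha256"].lower())
            out.append(e)
    return out


def build_ioc_index(entries) -> dict:
    """Map (algo, lower-case hexdigest) -> basename of the first entry seen."""
    index = {}
    for e in unique_artifacts(entries):
        name = os.path.basename(e["path"].replace("\\", "/"))
        for a in ALGOS:
            index.setdefault((a, e[a].lower()), name)
    return index


def ioc_from_bytes(name: str, data: bytes) -> dict:
    """Make a report-style entry for a blob (used to construct a known positive)."""
    return {"path": name, **hash_bytes(data)}


def match_digests(digests: dict, index: dict) -> set:
    """Names of IOC artifacts whose digests match on any algorithm."""
    return {index[(a, d.lower())] for a, d in digests.items() if (a, d.lower()) in index}


def scan_directory(root: str, index: dict):
    """Walk root and return (path, artifact name) for every hash hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            for name in sorted(match_digests(hash_file(p), index)):
                hits.append((p, name))
    return hits


if __name__ == "__main__":
    index = build_ioc_index(REPORT_DROPPED_FILES)
    print(len(unique_artifacts(REPORT_DROPPED_FILES)), "distinct artifacts in the report")
    for p, name in scan_directory(os.environ.get("TEMP", "/tmp"), index):
        print("HIT", p, "matches", name)
```

Matching keys on the digest rather than the path because the report itself shows one file under two spellings (Pentagon.DLL and Pentagon.dll); the index normalises hex case so digests copied from other tools match too, and SHA-256 is the primary identity while MD5 and SHA-1 are kept only because older feeds still publish them.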