Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 11:23

General

  • Target

    1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe

  • Size

    740KB

  • MD5

    95b62355385af3d2711b7a8e759ed664

  • SHA1

    6c66c4005b14c14a1029a601eeed55cab21ae713

  • SHA256

    1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420

  • SHA512

    2b32851fd222e4fc06748b1f6f1f9b6b9ffd1e7d95e5c2c8665de0d55a825cd1918763d2b0af0200c2332dd5c5b33a5fe1183dc565046a7f457a00c4bee180dd

Malware Config

Signatures

  • Dave packer 1 IoCs

    Detects an executable using a packer the community has named 'Dave', based on a string at the end of the file.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Drops desktop.ini file(s) 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe
    "C:\Users\Admin\AppData\Local\Temp\1b8081bae0e493d098b8756b1e7c4b19715a78946cf227f2c27f9311e6718420.exe"
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DAD79185-F5E6-48D1-959A-E300BEAF61B1}'" delete
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DAD79185-F5E6-48D1-959A-E300BEAF61B1}'" delete
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:4656

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 1
  • Collection: Data from Local System (T1005), 1


Downloads

  • memory/1848-140-0x0000000000000000-mapping.dmp
  • memory/1996-141-0x0000000000000000-mapping.dmp
  • memory/3276-130-0x00000000026B0000-0x00000000026E4000-memory.dmp (Filesize: 208KB)
  • memory/3276-134-0x00000000026F0000-0x0000000002723000-memory.dmp (Filesize: 204KB)
  • memory/3276-139-0x0000000002310000-0x0000000002342000-memory.dmp (Filesize: 200KB)