Analysis
max time kernel: 43s
max time network: 46s
platform: windows7_x64
resource: win7-20220718-en
submitted: 20-07-2022 11:54
Behavioral task behavioral1
Sample: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
Resource: win7-20220718-en

Behavioral task behavioral2
Sample: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
Resource: win10v2004-20220718-en

The signatures and process tree below are from behavioral1 (Windows 7 x64); every IoC path on the page is prefixed behavioral1/.
General
Target: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
Size: 1.9MB
MD5: 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1: 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512: 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
Malware Config
Extracted ransom note: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt
Signatures

Hades Ransomware
Ransomware family attributed to Evil Corp, first seen in late 2020.
Hades payload 1 IoCs
resource                                                                      yara_rule
behavioral1/memory/908-54-0x0000000140000000-0x00000001401E2000-memory.dmp    family_hades

cryptone 4 IoCs
resource                                         yara_rule
behavioral1/files/0x000a000000012314-57.dat      cryptone
behavioral1/files/0x000a000000012314-58.dat      cryptone
behavioral1/files/0x000a000000012314-60.dat      cryptone
behavioral1/files/0x000a000000012314-69.dat      cryptone
Executes dropped EXE 1 IoCs
pid    Process
956    Search
Modifies extensions of user files 18 IoCs
Ransomware generally changes the extension on encrypted files. Here the appended extension is .gn9cj, the same token that appears in the ransom note name HOW-TO-DECRYPT-gn9cj.txt; treat it as specific to this sample rather than as a family-wide indicator.
description                   ioc                                                                                                          Process
File opened for modification  C:\Users\Admin\Pictures\NewSuspend.tiff.gn9cj                                                                Search
File renamed                  C:\Users\Admin\Pictures\RestoreClear.raw => C:\Users\Admin\Pictures\RestoreClear.raw.gn9cj                   Search
File opened for modification  C:\Users\Admin\Pictures\RestoreClear.raw.gn9cj                                                               Search
File renamed                  C:\Users\Admin\Pictures\AssertConvert.png => C:\Users\Admin\Pictures\AssertConvert.png.gn9cj                 Search
File opened for modification  C:\Users\Admin\Pictures\AssertConvert.png.gn9cj                                                              Search
File opened for modification  C:\Users\Admin\Pictures\ConfirmCompress.tiff.gn9cj                                                           Search
File renamed                  C:\Users\Admin\Pictures\TestWait.crw => C:\Users\Admin\Pictures\TestWait.crw.gn9cj                           Search
File renamed                  C:\Users\Admin\Pictures\UnregisterConnect.png => C:\Users\Admin\Pictures\UnregisterConnect.png.gn9cj         Search
File renamed                  C:\Users\Admin\Pictures\ConfirmCompress.tiff => C:\Users\Admin\Pictures\ConfirmCompress.tiff.gn9cj           Search
File renamed                  C:\Users\Admin\Pictures\NewBackup.tif => C:\Users\Admin\Pictures\NewBackup.tif.gn9cj                         Search
File renamed                  C:\Users\Admin\Pictures\NewSuspend.tiff => C:\Users\Admin\Pictures\NewSuspend.tiff.gn9cj                     Search
File opened for modification  C:\Users\Admin\Pictures\TestWait.crw.gn9cj                                                                   Search
File opened for modification  C:\Users\Admin\Pictures\UnregisterConnect.png.gn9cj                                                          Search
File opened for modification  C:\Users\Admin\Pictures\ConvertFromDisconnect.png.gn9cj                                                      Search
File opened for modification  C:\Users\Admin\Pictures\NewBackup.tif.gn9cj                                                                  Search
File opened for modification  C:\Users\Admin\Pictures\RestoreFind.crw.gn9cj                                                                Search
File renamed                  C:\Users\Admin\Pictures\ConvertFromDisconnect.png => C:\Users\Admin\Pictures\ConvertFromDisconnect.png.gn9cj Search
File renamed                  C:\Users\Admin\Pictures\RestoreFind.crw => C:\Users\Admin\Pictures\RestoreFind.crw.gn9cj                     Search
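An IR triage script for scoping what the sample touched, added here as an example and not part of the sandbox report. It builds a throwaway directory tree that mirrors the paths listed above and the ransom note path from Malware Config (constructed test data, not a real volume), then scans it the way you would scan an affected host: recover original filenames by stripping the appended extension, histogram the original extensions, and locate every HOW-TO-DECRYPT-*.txt note. The extension token gn9cj is taken from this report and is passed in as a parameter, since it is sample-specific; the helper names are the example's own.

```python
"""Inventory files renamed with the sample's extension and the ransom notes it dropped."""
import os
import re
import tempfile
from pathlib import Path

EXT_TOKEN = "gn9cj"                                   # from this report; sample-specific
NOTE_RE = re.compile(r"^HOW-TO-DECRYPT-([0-9a-z]+)\.txt$")

# Relative paths lifted from the report (constructed tree for the demo).
ENCRYPTED = [
    "Users/Admin/Pictures/NewSuspend.tiff.gn9cj",
    "Users/Admin/Pictures/RestoreClear.raw.gn9cj",
    "Users/Admin/Pictures/AssertConvert.png.gn9cj",
    "Users/Admin/Pictures/ConfirmCompress.tiff.gn9cj",
    "Users/Admin/Pictures/TestWait.crw.gn9cj",
    "Users/Admin/Pictures/UnregisterConnect.png.gn9cj",
    "Users/Admin/Pictures/NewBackup.tif.gn9cj",
    "Users/Admin/Pictures/ConvertFromDisconnect.png.gn9cj",
    "Users/Admin/Pictures/RestoreFind.crw.gn9cj",
]
NOTES = ["MSOCache/All Users/{90140000-0011-0000-0000-0000000FF1CE}-C/HOW-TO-DECRYPT-gn9cj.txt"]
UNTOUCHED = ["Users/Admin/Pictures/thumbs.db", "Users/Admin/Documents/notes.txt"]  # controls


def build_tree(root):
    """Create the constructed tree under root (stand-in for a real volume)."""
    for rel in ENCRYPTED + NOTES + UNTOUCHED:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")


def scan(root, token=EXT_TOKEN):
    """Return (encrypted, notes).

    encrypted maps each renamed path to the original filename (extension stripped);
    notes lists (note path, token in its name) for every ransom note found.
    """
    suffix = "." + token
    encrypted, notes = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(suffix.lower()):
                encrypted[full] = full[: -len(suffix)]
                continue
            m = NOTE_RE.match(name)
            if m:
                notes.append((full, m.group(1)))
    return encrypted, notes


def original_extensions(encrypted):
    """Histogram of the original extensions, useful for scoping what data was hit."""
    hist = {}
    for original in encrypted.values():
        ext = os.path.splitext(original)[1].lower()
        hist[ext] = hist.get(ext, 0) + 1
    return hist


def demo():
    """Run the scan over the constructed tree; returns (count, histogram, note tokens)."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        enc, notes = scan(root)
        return len(enc), original_extensions(enc), [tok for _, tok in notes]


if __name__ == "__main__":
    count, hist, tokens = demo()
    print(f"{count} encrypted files, by original extension: {hist}")
    print(f"ransom note tokens: {tokens}")
```

On a real host, point scan() at the volume root and compare the note token against the extension token: if they differ, you are looking at more than one intrusion or a different build.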
Deletes itself 1 IoCs
pid     Process
1676    cmd.exe

Loads dropped DLL 2 IoCs
pid    Process
908    fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
908    fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe

Suspicious use of WriteProcessMemory 21 IoCs
Each row below is logged three times on the page (21 entries for 7 parent/child pairs).
description          pid    Process                                                                 procid_target
PID wrote to memory  908    fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe   956 (procid 28)
PID wrote to memory  956    Search                                                                  1916 (procid 30)
PID wrote to memory  908    fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe   1676 (procid 32)
PID wrote to memory  1916   cmd.exe                                                                 268 (procid 33)
PID wrote to memory  1916   cmd.exe                                                                 1424 (procid 35)
PID wrote to memory  1676   cmd.exe                                                                 340 (procid 36)
PID wrote to memory  1676   cmd.exe                                                                 1440 (procid 37)

Views/modifies file attributes 1 TTPs 2 IoCs
pid     Process
1424    attrib.exe
1440    attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe"
    PID: 908
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\ShowPolicy\Search
        command line: C:\Users\Admin\AppData\Roaming\ShowPolicy\Search /go
        PID: 956
        signatures: Executes dropped EXE; Modifies extensions of user files; Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
            command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\ShowPolicy\Search" & del "C:\Users\Admin\AppData\Roaming\ShowPolicy\Search" & rd "C:\Users\Admin\AppData\Roaming\ShowPolicy\"
            PID: 1916
            signatures: Suspicious use of WriteProcessMemory

            C:\Windows\system32\waitfor.exe
                command line: waitfor /t 10 pause /d y
                PID: 268

            C:\Windows\system32\attrib.exe
                command line: attrib -h "C:\Users\Admin\AppData\Roaming\ShowPolicy\Search"
                PID: 1424
                signatures: Views/modifies file attributes

    C:\Windows\system32\cmd.exe
        command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe" & del "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
        PID: 1676
        signatures: Deletes itself; Suspicious use of WriteProcessMemory

        C:\Windows\system32\waitfor.exe
            command line: waitfor /t 10 pause /d y
            PID: 340

        C:\Windows\system32\attrib.exe
            command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe"
            PID: 1440
            signatures: Views/modifies file attributes
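Both cmd.exe chains in the tree follow the same shape: a delay (waitfor /t 10 never receives the "pause" signal, so it simply times out after 10 seconds), attrib -h to clear the hidden attribute, del of the parent process's own image, then rd of its directory, all joined with & so each step runs regardless of the previous one's exit code. The detector below, added here as an example and not part of the report, parses process-creation events for that pattern and checks the deleted path against the parent's image. EVENTS is constructed from the command lines shown above plus one benign control; the pid/ppid/image/cmdline field names are an assumed schema to map onto your own telemetry (Sysmon event 1, EDR process events). It generalises slightly beyond the page by also accepting timeout and ping as the delay step, which are the other common sleep substitutes in cmd one-liners.

```python
"""Flag cmd.exe chains that sleep, unhide, delete their parent's image and remove its directory."""
import re

CMD = r"C:\Windows\system32\cmd.exe"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\ShowPolicy\Search"

# Constructed process-creation events mirroring the report's process tree
# (field names are an assumed schema, not the sandbox's own format).
EVENTS = [
    {"pid": 908, "ppid": 500, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 956, "ppid": 908, "image": DROPPED, "cmdline": f"{DROPPED} /go"},
    {"pid": 1916, "ppid": 956, "image": CMD,
     "cmdline": f'cmd /c waitfor /t 10 pause /d y & attrib -h "{DROPPED}" '
                f'& del "{DROPPED}" & rd "C:\\Users\\Admin\\AppData\\Roaming\\ShowPolicy\\"'},
    {"pid": 1676, "ppid": 908, "image": CMD,
     "cmdline": f'cmd /c waitfor /t 10 pause /d y & attrib -h "{SAMPLE}" '
                f'& del "{SAMPLE}" & rd "C:\\Users\\Admin\\AppData\\Local\\Temp\\"'},
    # control: an ordinary cleanup with no delay step and no parent match
    {"pid": 2000, "ppid": 700, "image": CMD, "cmdline": 'cmd /c del "C:\\Temp\\build.log"'},
]

DELAY_VERBS = {"waitfor", "timeout", "ping"}   # sleep substitutes seen in cmd one-liners
_PREFIX = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s+')


def _split_chain(cmdline):
    """Drop the 'cmd /c' prefix and split an &-chained one-liner into its commands."""
    body = _PREFIX.sub("", cmdline)
    return [c.strip() for c in body.split("&") if c.strip()]


def _verb_and_target(command):
    """First token lower-cased as the verb; last token (unquoted) as the path operand."""
    tokens = re.findall(r'"[^"]*"|\S+', command)
    verb = tokens[0].lower() if tokens else ""
    target = tokens[-1].strip('"') if len(tokens) > 1 else ""
    return verb, target


def find_self_deletion(events):
    """One finding per cmd.exe that delays, then deletes a file; flags when the
    deleted file is the parent process's own image (delayed self-deletion)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        verbs = {}
        for cmd in _split_chain(e["cmdline"]):
            v, t = _verb_and_target(cmd)
            verbs.setdefault(v, []).append(t)
        deleted = verbs.get("del", []) + verbs.get("erase", [])
        if not deleted or not (set(verbs) & DELAY_VERBS):
            continue
        parent = by_pid.get(e["ppid"])
        parent_img = parent["image"].lower() if parent else ""
        unhidden = {t.lower() for t in verbs.get("attrib", [])}
        for path in deleted:
            findings.append({
                "pid": e["pid"],
                "deleted": path,
                "hidden_first": path.lower() in unhidden,
                "removes_dir": bool({"rd", "rmdir"} & set(verbs)),
                "self_delete": path.lower() == parent_img,
            })
    return findings


if __name__ == "__main__":
    for f in find_self_deletion(EVENTS):
        print(f)
```

Matching on the parent's image rather than on the literal waitfor string is what keeps the rule useful when the delay primitive or the paths change; the control event shows that a plain del without a delay step is not flagged.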
Network
MITRE ATT&CK Enterprise v6
Downloads
The page lists four download entries with identical hashes, repeated below once. They are the hashes of the submitted sample itself, so the dropped Search binary executed from AppData\Roaming\ShowPolicy is a byte-identical copy of the original executable rather than a distinct second-stage payload.
Filesize: 1.9MB
MD5: 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1: 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512: 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe