Analysis
-
max time kernel
67s -
max time network
89s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
submitted
20-07-2022 11:54
General
-
Target
fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
-
Size
1.9MB
-
MD5
9fa1ba3e7d6e32f240c790753cdaaf8e
-
SHA1
7bcea3fbfcb4c170c57c9050499e1fae40f5d731
-
SHA256
fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
-
SHA512
8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
Malware Config
Extracted
C:\HOW-TO-DECRYPT-gn9cj.txt
Signatures
-
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
-
Hades payload 2 IoCs
-
CryptOne packer 2 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe"C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ActiveImetc\LogC:\Users\Admin\AppData\Roaming\ActiveImetc\Log /go2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\ActiveImetc\Log" & del "C:\Users\Admin\AppData\Roaming\ActiveImetc\Log" & rd "C:\Users\Admin\AppData\Roaming\ActiveImetc\"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y4⤵
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\ActiveImetc\Log"4⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe" & del "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y3⤵
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe"3⤵
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD59fa1ba3e7d6e32f240c790753cdaaf8e
SHA17bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA5128d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
-
Filesize
1.9MB
MD59fa1ba3e7d6e32f240c790753cdaaf8e
SHA17bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA5128d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
-
Filesize
1.8MB
-
-
Filesize
1.9MB
-
Filesize
1.8MB
-
Filesize
1.9MB
-
-
-
-
-
-