Analysis
-
max time kernel
40s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220715-en -
submitted
20-07-2022 11:54
Behavioral task
behavioral1
Sample
e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
Resource
win10v2004-20220718-en
General
-
Target
e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
-
Size
1.9MB
-
MD5
49d4bdfa882c8458b86b1e4a5e79c92d
-
SHA1
6c4c9f61119fdc3d9c31e11f9cef3b0902b81884
-
SHA256
e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
-
SHA512
08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-kgkq9.txt
Extracted
C:\Users\Admin\Desktop\HOW-TO-DECRYPT-kgkq9.txt
Signatures
-
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
-
Hades payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2020-54-0x0000000140000000-0x00000001401E0000-memory.dmp family_hades behavioral1/memory/1624-62-0x0000000140000000-0x00000001401E0000-memory.dmp family_hades -
Processes:
resource yara_rule behavioral1/files/0x000b0000000122de-57.dat cryptone behavioral1/files/0x000b0000000122de-58.dat cryptone behavioral1/files/0x000b0000000122de-60.dat cryptone behavioral1/files/0x000b0000000122de-72.dat cryptone -
Executes dropped EXE 1 IoCs
Processes:
Librarypid Process 1624 Library -
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Librarydescription ioc Process File opened for modification C:\Users\Admin\Pictures\RemoveSubmit.crw.kgkq9 Library File renamed C:\Users\Admin\Pictures\ResetMove.crw => C:\Users\Admin\Pictures\ResetMove.crw.kgkq9 Library File renamed C:\Users\Admin\Pictures\SplitCopy.raw => C:\Users\Admin\Pictures\SplitCopy.raw.kgkq9 Library File opened for modification C:\Users\Admin\Pictures\ResetMove.crw.kgkq9 Library File opened for modification C:\Users\Admin\Pictures\SplitCopy.raw.kgkq9 Library File renamed C:\Users\Admin\Pictures\WaitUnlock.tif => C:\Users\Admin\Pictures\WaitUnlock.tif.kgkq9 Library File opened for modification C:\Users\Admin\Pictures\WaitUnlock.tif.kgkq9 Library File renamed C:\Users\Admin\Pictures\RemoveSubmit.crw => C:\Users\Admin\Pictures\RemoveSubmit.crw.kgkq9 Library File opened for modification C:\Users\Admin\Pictures\DebugComplete.crw.kgkq9 Library File renamed C:\Users\Admin\Pictures\DebugComplete.crw => C:\Users\Admin\Pictures\DebugComplete.crw.kgkq9 Library -
Deletes itself 1 IoCs
Processes:
cmd.exepid Process 268 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exepid Process 2020 e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe 2020 e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exeLibrarycmd.execmd.exedescription pid Process procid_target PID 2020 wrote to memory of 1624 2020 e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe 27 PID 2020 wrote to memory of 1624 2020 e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe 27 PID 2020 wrote to memory of 1624 2020 e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe 27 PID 1624 wrote to memory of 1020 1624 Library 29 PID 1624 wrote to memory of 1020 1624 Library 29 PID 1624 wrote to memory of 1020 1624 Library 29 PID 2020 wrote to memory of 268 2020 e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe 31 PID 2020 wrote to memory of 268 2020 e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe 31 PID 2020 wrote to memory of 268 2020 e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe 31 PID 1020 wrote to memory of 1288 1020 cmd.exe 33 PID 1020 wrote to memory of 1288 1020 cmd.exe 33 PID 1020 wrote to memory of 1288 1020 cmd.exe 33 PID 268 wrote to memory of 1708 268 cmd.exe 34 PID 268 wrote to memory of 1708 268 cmd.exe 34 PID 268 wrote to memory of 1708 268 cmd.exe 34 PID 268 wrote to memory of 916 268 cmd.exe 36 PID 268 wrote to memory of 916 268 cmd.exe 36 PID 268 wrote to memory of 916 268 cmd.exe 36 PID 1020 wrote to memory of 452 1020 cmd.exe 35 PID 1020 wrote to memory of 452 1020 cmd.exe 35 PID 1020 wrote to memory of 452 1020 cmd.exe 35 -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid Process 452 attrib.exe 916 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Roaming\PolicyService\LibraryC:\Users\Admin\AppData\Roaming\PolicyService\Library /go2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\system32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\PolicyService\Library" & del "C:\Users\Admin\AppData\Roaming\PolicyService\Library" & rd "C:\Users\Admin\AppData\Roaming\PolicyService\"3⤵
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y4⤵PID:1288
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\PolicyService\Library"4⤵
- Views/modifies file attributes
PID:452
-
-
-
-
C:\Windows\system32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y3⤵PID:1708
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"3⤵
- Views/modifies file attributes
PID:916
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD549d4bdfa882c8458b86b1e4a5e79c92d
SHA16c4c9f61119fdc3d9c31e11f9cef3b0902b81884
SHA256e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
SHA51208313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57
-
Filesize
1.9MB
MD549d4bdfa882c8458b86b1e4a5e79c92d
SHA16c4c9f61119fdc3d9c31e11f9cef3b0902b81884
SHA256e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
SHA51208313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57
-
Filesize
1.9MB
MD549d4bdfa882c8458b86b1e4a5e79c92d
SHA16c4c9f61119fdc3d9c31e11f9cef3b0902b81884
SHA256e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
SHA51208313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57
-
Filesize
1.9MB
MD549d4bdfa882c8458b86b1e4a5e79c92d
SHA16c4c9f61119fdc3d9c31e11f9cef3b0902b81884
SHA256e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
SHA51208313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57