Analysis
max time kernel: 98s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
submitted: 20-07-2022 11:54
Behavioral task behavioral1
Sample: e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
Resource: win7-20220715-en
Behavioral task behavioral2
Sample: e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
Resource: win10v2004-20220718-en
General
Target: e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
Size: 1.9MB
MD5: 49d4bdfa882c8458b86b1e4a5e79c92d
SHA1: 6c4c9f61119fdc3d9c31e11f9cef3b0902b81884
SHA256: e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
SHA512: 08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57
Malware Config
Extracted: C:\HOW-TO-DECRYPT-kgkq9.txt
Signatures
Hades Ransomware
Ransomware family attributed to the Evil Corp APT, first seen in late 2020.
Hades payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3536-130-0x0000000140000000-0x00000001401E0000-memory.dmp | family_hades
behavioral2/memory/4308-137-0x0000000140000000-0x00000001401E0000-memory.dmp | family_hades
resource | yara_rule
behavioral2/files/0x0007000000022e01-134.dat | cryptone
behavioral2/files/0x0007000000022e01-135.dat | cryptone
Executes dropped EXE (1 IoCs)
pid | Process
4308 | Method
Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\GetSync.tiff => C:\Users\Admin\Pictures\GetSync.tiff.kgkq9 | Method
File opened for modification | C:\Users\Admin\Pictures\MeasureDisable.crw.kgkq9 | Method
File renamed | C:\Users\Admin\Pictures\NewInstall.tif => C:\Users\Admin\Pictures\NewInstall.tif.kgkq9 | Method
File opened for modification | C:\Users\Admin\Pictures\NewInstall.tif.kgkq9 | Method
File renamed | C:\Users\Admin\Pictures\PushSave.raw => C:\Users\Admin\Pictures\PushSave.raw.kgkq9 | Method
File opened for modification | C:\Users\Admin\Pictures\PushSave.raw.kgkq9 | Method
File renamed | C:\Users\Admin\Pictures\ConfirmPush.crw => C:\Users\Admin\Pictures\ConfirmPush.crw.kgkq9 | Method
File opened for modification | C:\Users\Admin\Pictures\ConfirmPush.crw.kgkq9 | Method
File opened for modification | C:\Users\Admin\Pictures\GetSync.tiff.kgkq9 | Method
File renamed | C:\Users\Admin\Pictures\MeasureDisable.crw => C:\Users\Admin\Pictures\MeasureDisable.crw.kgkq9 | Method
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 3536 wrote to memory of 4308 | 3536 | e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe | 76
PID 3536 wrote to memory of 4308 | 3536 | e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe | 76
PID 4308 wrote to memory of 4300 | 4308 | Method | 78
PID 4308 wrote to memory of 4300 | 4308 | Method | 78
PID 3536 wrote to memory of 920 | 3536 | e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe | 80
PID 3536 wrote to memory of 920 | 3536 | e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe | 80
PID 4300 wrote to memory of 2080 | 4300 | cmd.exe | 81
PID 4300 wrote to memory of 2080 | 4300 | cmd.exe | 81
PID 4300 wrote to memory of 3972 | 4300 | cmd.exe | 83
PID 4300 wrote to memory of 3972 | 4300 | cmd.exe | 83
PID 920 wrote to memory of 468 | 920 | cmd.exe | 84
PID 920 wrote to memory of 468 | 920 | cmd.exe | 84
PID 920 wrote to memory of 1168 | 920 | cmd.exe | 85
PID 920 wrote to memory of 1168 | 920 | cmd.exe | 85
Views/modifies file attributes (1 TTPs, 2 IoCs)
pid | Process
3972 | attrib.exe
1168 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"
    PID: 3536
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\PlayTracing\Method
        Command line: C:\Users\Admin\AppData\Roaming\PlayTracing\Method /go
        PID: 4308
        - Executes dropped EXE
        - Modifies extensions of user files
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SYSTEM32\cmd.exe
            Command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\PlayTracing\Method" & del "C:\Users\Admin\AppData\Roaming\PlayTracing\Method" & rd "C:\Users\Admin\AppData\Roaming\PlayTracing\"
            PID: 4300
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\waitfor.exe
                Command line: waitfor /t 10 pause /d y
                PID: 2080
            [4] C:\Windows\system32\attrib.exe
                Command line: attrib -h "C:\Users\Admin\AppData\Roaming\PlayTracing\Method"
                PID: 3972
                - Views/modifies file attributes
    [2] C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
        PID: 920
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\waitfor.exe
            Command line: waitfor /t 10 pause /d y
            PID: 468
        [3] C:\Windows\system32\attrib.exe
            Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"
            PID: 1168
            - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.9MB
MD5: 49d4bdfa882c8458b86b1e4a5e79c92d
SHA1: 6c4c9f61119fdc3d9c31e11f9cef3b0902b81884
SHA256: e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
SHA512: 08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57