Analysis
-
max time kernel
98s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
submitted
20-07-2022 11:54
General
-
Target
e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
-
Size
1.9MB
-
MD5
49d4bdfa882c8458b86b1e4a5e79c92d
-
SHA1
6c4c9f61119fdc3d9c31e11f9cef3b0902b81884
-
SHA256
e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
-
SHA512
08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57
Malware Config
Extracted
C:\HOW-TO-DECRYPT-kgkq9.txt
Signatures
-
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
-
Hades payload 2 IoCs
-
CryptOne packer 2 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\PlayTracing\MethodC:\Users\Admin\AppData\Roaming\PlayTracing\Method /go2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\PlayTracing\Method" & del "C:\Users\Admin\AppData\Roaming\PlayTracing\Method" & rd "C:\Users\Admin\AppData\Roaming\PlayTracing\"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y4⤵
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\PlayTracing\Method"4⤵
- Views/modifies file attributes
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y3⤵
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"3⤵
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD549d4bdfa882c8458b86b1e4a5e79c92d
SHA16c4c9f61119fdc3d9c31e11f9cef3b0902b81884
SHA256e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
SHA51208313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57
-
Filesize
1.9MB
MD549d4bdfa882c8458b86b1e4a5e79c92d
SHA16c4c9f61119fdc3d9c31e11f9cef3b0902b81884
SHA256e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08
SHA51208313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57
-
-
-
-
-
Filesize
1.8MB
-
Filesize
1.9MB
-
-
-
Filesize
1.9MB
-
Filesize
1.8MB
-