Analysis
-
max time kernel
98s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
submitted
20-07-2022 13:48
Behavioral task
behavioral1
Sample
e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe
Resource
win10v2004-20220718-en
General
-
Target
e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe
-
Size
1.8MB
-
MD5
ab99a5767c1d598c49b1f5d615a76302
-
SHA1
b4061d4227e08cfaa3190dea9926571fca2736a1
-
SHA256
e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0
-
SHA512
f12db9f7bfaa22747cc38a10a317bd6c7af483f9275f5981186d74435dda80df6faf53d10ee47c63b4b213310d29ca0eef5966983ecaa0dd7463a50c62cfab0c
Malware Config
Extracted
C:\HOW-TO-DECRYPT-cm99v.txt
http://o76s3m7l5ogig4u5.onion
Signatures
-
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
-
Hades payload 2 IoCs
resource yara_rule behavioral2/memory/3856-130-0x0000000140000000-0x00000001401D9000-memory.dmp family_hades behavioral2/memory/2860-137-0x0000000140000000-0x00000001401D9000-memory.dmp family_hades -
resource yara_rule behavioral2/files/0x000800000002316c-135.dat cryptone behavioral2/files/0x000800000002316c-134.dat cryptone -
Executes dropped EXE 1 IoCs
pid Process 2860 Log -
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ApproveDisconnect.crw => C:\Users\Admin\Pictures\ApproveDisconnect.crw.cm99v Log File renamed C:\Users\Admin\Pictures\SuspendConvertFrom.raw => C:\Users\Admin\Pictures\SuspendConvertFrom.raw.cm99v Log File opened for modification C:\Users\Admin\Pictures\SuspendGroup.raw.cm99v Log File opened for modification C:\Users\Admin\Pictures\SuspendConvertFrom.raw.cm99v Log File renamed C:\Users\Admin\Pictures\ConvertPublish.crw => C:\Users\Admin\Pictures\ConvertPublish.crw.cm99v Log File renamed C:\Users\Admin\Pictures\RepairResolve.raw => C:\Users\Admin\Pictures\RepairResolve.raw.cm99v Log File renamed C:\Users\Admin\Pictures\SendOpen.crw => C:\Users\Admin\Pictures\SendOpen.crw.cm99v Log File opened for modification C:\Users\Admin\Pictures\SendOpen.crw.cm99v Log File renamed C:\Users\Admin\Pictures\SuspendGroup.raw => C:\Users\Admin\Pictures\SuspendGroup.raw.cm99v Log File renamed C:\Users\Admin\Pictures\EditHide.png => C:\Users\Admin\Pictures\EditHide.png.cm99v Log File opened for modification C:\Users\Admin\Pictures\EditHide.png.cm99v Log File renamed C:\Users\Admin\Pictures\ReceiveResume.crw => C:\Users\Admin\Pictures\ReceiveResume.crw.cm99v Log File opened for modification C:\Users\Admin\Pictures\RepairResolve.raw.cm99v Log File opened for modification C:\Users\Admin\Pictures\ApproveDisconnect.crw.cm99v Log File opened for modification C:\Users\Admin\Pictures\ConvertPublish.crw.cm99v Log File opened for modification C:\Users\Admin\Pictures\ReceiveResume.crw.cm99v Log -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3856 wrote to memory of 2860 3856 e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe 77 PID 3856 wrote to memory of 2860 3856 e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe 77 PID 2860 wrote to memory of 2456 2860 Log 86 PID 2860 wrote to memory of 2456 2860 Log 86 PID 3856 wrote to memory of 4752 3856 e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe 85 PID 3856 wrote to memory of 4752 3856 e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe 85 PID 2456 wrote to memory of 3420 2456 cmd.exe 84 PID 2456 wrote to memory of 3420 2456 cmd.exe 84 PID 2456 wrote to memory of 728 2456 cmd.exe 80 PID 2456 wrote to memory of 728 2456 cmd.exe 80 PID 4752 wrote to memory of 4016 4752 cmd.exe 82 PID 4752 wrote to memory of 4016 4752 cmd.exe 82 PID 4752 wrote to memory of 3996 4752 cmd.exe 81 PID 4752 wrote to memory of 3996 4752 cmd.exe 81 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 728 attrib.exe 3996 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe"C:\Users\Admin\AppData\Local\Temp\e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3856 -
C:\Users\Admin\AppData\Roaming\ActiveImetc\LogC:\Users\Admin\AppData\Roaming\ActiveImetc\Log /go2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\ActiveImetc\Log" & del "C:\Users\Admin\AppData\Roaming\ActiveImetc\Log" & rd "C:\Users\Admin\AppData\Roaming\ActiveImetc\"3⤵
- Suspicious use of WriteProcessMemory
PID:2456
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe" & del "C:\Users\Admin\AppData\Local\Temp\e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"2⤵
- Suspicious use of WriteProcessMemory
PID:4752
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\ActiveImetc\Log"1⤵
- Views/modifies file attributes
PID:728
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0.exe"1⤵
- Views/modifies file attributes
PID:3996
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y1⤵PID:4016
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y1⤵PID:3420
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5ab99a5767c1d598c49b1f5d615a76302
SHA1b4061d4227e08cfaa3190dea9926571fca2736a1
SHA256e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0
SHA512f12db9f7bfaa22747cc38a10a317bd6c7af483f9275f5981186d74435dda80df6faf53d10ee47c63b4b213310d29ca0eef5966983ecaa0dd7463a50c62cfab0c
-
Filesize
1.8MB
MD5ab99a5767c1d598c49b1f5d615a76302
SHA1b4061d4227e08cfaa3190dea9926571fca2736a1
SHA256e657ff4838e474653b55367aa9d4a0641b35378e2e379ad0fdd1631b3b763ef0
SHA512f12db9f7bfaa22747cc38a10a317bd6c7af483f9275f5981186d74435dda80df6faf53d10ee47c63b4b213310d29ca0eef5966983ecaa0dd7463a50c62cfab0c