Analysis
-
max time kernel
1540s -
max time network
1556s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
13-09-2022 17:54
General
-
Target
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
-
Size
1.9MB
-
MD5
d86f451bbff804e59a549f9fb33d6e3f
-
SHA1
3cb0cb07cc2542f1d98060adccda726ea865db98
-
SHA256
008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
-
SHA512
c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
SSDEEP
49152:olyGDEemRoq2KKpgL5lWKDFcmjkf8cudB/8WjM:UYerFq/FgUcuf/85
Malware Config
Signatures
-
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
-
Hades payload 2 IoCs
-
CryptOne packer 2 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RouterAmsi\ServiceC:\Users\Admin\AppData\Roaming\RouterAmsi\Service /go2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\RouterAmsi\Service" & del "C:\Users\Admin\AppData\Roaming\RouterAmsi\Service" & rd "C:\Users\Admin\AppData\Roaming\RouterAmsi\"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y4⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\RouterAmsi\Service"4⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y3⤵
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe"3⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\RouterAmsi\ServiceFilesize
1.9MB
MD5d86f451bbff804e59a549f9fb33d6e3f
SHA13cb0cb07cc2542f1d98060adccda726ea865db98
SHA256008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA512c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
C:\Users\Admin\AppData\Roaming\RouterAmsi\ServiceFilesize
1.9MB
MD5d86f451bbff804e59a549f9fb33d6e3f
SHA13cb0cb07cc2542f1d98060adccda726ea865db98
SHA256008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549
SHA512c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2
-
memory/1064-143-0x0000000000000000-mapping.dmp
-
memory/1284-148-0x0000000000000000-mapping.dmp
-
memory/1392-144-0x0000000000000000-mapping.dmp
-
memory/1940-147-0x0000000000000000-mapping.dmp
-
memory/3368-146-0x0000000000000000-mapping.dmp
-
memory/3456-142-0x0000000002080000-0x0000000002240000-memory.dmpFilesize
1.8MB
-
memory/3456-139-0x0000000140000000-0x00000001401E4000-memory.dmpFilesize
1.9MB
-
memory/3456-135-0x0000000000000000-mapping.dmp
-
memory/4260-145-0x0000000000000000-mapping.dmp
-
memory/5084-132-0x0000000140000000-0x00000001401E4000-memory.dmpFilesize
1.9MB
-
memory/5084-138-0x0000000002290000-0x0000000002450000-memory.dmpFilesize
1.8MB