Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2023 01:42
Behavioral task: behavioral1
Sample: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
Resource: win10v2004-20230915-en
General
Target: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
Size: 1.9MB
MD5: 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1: 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512: 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
SSDEEP: 49152:zHOalx8WJjq64Hv7OHxTAhEu5undVmB9dn5AI7EyP3S:Z/8WJjiPSRRu5undVmDd5VEyvS
Malware Config
Extracted: C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt
Signatures
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
Hades payload 4 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2160-0-0x0000000140000000-0x00000001401E2000-memory.dmp    family_hades
behavioral1/memory/3032-11-0x0000000140000000-0x00000001401E2000-memory.dmp   family_hades
behavioral1/memory/3032-507-0x0000000140000000-0x00000001401E2000-memory.dmp  family_hades
behavioral1/memory/2160-509-0x0000000140000000-0x00000001401E2000-memory.dmp  family_hades
Processes:
resource                                    yara_rule
behavioral1/files/0x00040000000130e5-5.dat    cryptone
behavioral1/files/0x00040000000130e5-6.dat    cryptone
behavioral1/files/0x00040000000130e5-10.dat   cryptone
behavioral1/files/0x00040000000130e5-510.dat  cryptone
Renames multiple (243) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes itself 1 IoCs
Processes: cmd.exe
pid   Process
1536  cmd.exe
Executes dropped EXE 1 IoCs
Processes: Wisp
pid   Process
3032  Wisp
Loads dropped DLL 2 IoCs
Processes: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
pid   Process
2160  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
2160  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe, Wisp, cmd.exe, cmd.exe
description                        pid   Process                                                                 procid_target
PID 2160 wrote to memory of 3032   2160  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe  28
PID 2160 wrote to memory of 3032   2160  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe  28
PID 2160 wrote to memory of 3032   2160  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe  28
PID 3032 wrote to memory of 320    3032  Wisp                                                                    30
PID 3032 wrote to memory of 320    3032  Wisp                                                                    30
PID 3032 wrote to memory of 320    3032  Wisp                                                                    30
PID 320 wrote to memory of 2428    320   cmd.exe                                                                 32
PID 320 wrote to memory of 2428    320   cmd.exe                                                                 32
PID 320 wrote to memory of 2428    320   cmd.exe                                                                 32
PID 2160 wrote to memory of 1536   2160  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe  33
PID 2160 wrote to memory of 1536   2160  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe  33
PID 2160 wrote to memory of 1536   2160  fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe  33
PID 320 wrote to memory of 2176    320   cmd.exe                                                                 34
PID 320 wrote to memory of 2176    320   cmd.exe                                                                 34
PID 320 wrote to memory of 2176    320   cmd.exe                                                                 34
PID 1536 wrote to memory of 2004   1536  cmd.exe                                                                 36
PID 1536 wrote to memory of 2004   1536  cmd.exe                                                                 36
PID 1536 wrote to memory of 2004   1536  cmd.exe                                                                 36
PID 1536 wrote to memory of 1968   1536  cmd.exe                                                                 37
PID 1536 wrote to memory of 1968   1536  cmd.exe                                                                 37
PID 1536 wrote to memory of 1968   1536  cmd.exe                                                                 37
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid   Process
2176  attrib.exe
1968  attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2160
    C:\Users\Admin\AppData\Roaming\DiscoveryLibrary\Wisp
      Command line: C:\Users\Admin\AppData\Roaming\DiscoveryLibrary\Wisp /go
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3032
        C:\Windows\system32\cmd.exe
          Command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\DiscoveryLibrary\Wisp" & del "C:\Users\Admin\AppData\Roaming\DiscoveryLibrary\Wisp" & rd "C:\Users\Admin\AppData\Roaming\DiscoveryLibrary\"
          - Suspicious use of WriteProcessMemory
          PID: 320
            C:\Windows\system32\waitfor.exe
              Command line: waitfor /t 10 pause /d y
              PID: 2428
            C:\Windows\system32\attrib.exe
              Command line: attrib -h "C:\Users\Admin\AppData\Roaming\DiscoveryLibrary\Wisp"
              - Views/modifies file attributes
              PID: 2176
    C:\Windows\system32\cmd.exe
      Command line: cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe" & del "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1536
        C:\Windows\system32\waitfor.exe
          Command line: waitfor /t 10 pause /d y
          PID: 2004
        C:\Windows\system32\attrib.exe
          Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.exe"
          - Views/modifies file attributes
          PID: 1968
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 0c6d0a67b942d06fe27f41c7c582cdfe
SHA1: 7e674cf6375b138cabca2706583d4ced7a1aef27
SHA256: 014ea5effc97085b7832512b9ad2a5c4487265eb67e8d7b0920ef2bc8768400c
SHA512: 53ec4509bc58f53419a8923d808c7dfdecf57dc203c37265d061aebab73147720d1c419e79578065a42c3b2a63504370f90516c3f0afad5d6997952592d3a39c

Filesize: 1.9MB
MD5: 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1: 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512: 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

Filesize: 1.9MB
MD5: 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1: 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512: 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

Filesize: 1.9MB
MD5: 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1: 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512: 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

Filesize: 1.9MB
MD5: 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1: 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256: fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512: 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe