Overview

overview

7

Static

static

3

Ention FULL.exe

windows10-1703-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-05-2024 21:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ention FULL.exe

  • Size

    6.2MB

  • MD5

    3afdd7b7018fff0ff6c7d378ddc641d6

  • SHA1

    2915697b0e41ec983e489166152cdddf8a13a5f7

  • SHA256

    9755b75a23a85e19954802f757b2f86e5dde5bd661e7dbed2141d89090da924e

  • SHA512

    04435208aa767888c296d007ba25711f5d21d2edc38a6c3271ad8b10d33516f67b04c60f579a5ad48ef34fa09e380b7cd2b0d9959591875b1aae14efb118fed4

  • SSDEEP

    98304:x7LLFjNI2/wH2ra222JahmMcvjDovOiovQVginsS7RCcUy43pk3VnbpL:RZjGuwH2ra0JahCDo209k8spi5pL

Score
7/10
ransomware

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ention FULL.exe
    "C:\Users\Admin\AppData\Local\Temp\Ention FULL.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\Ention.exe
      "C:\Users\Admin\AppData\Local\Temp\Ention.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt
        3⤵
          PID:3448
      • C:\Users\Admin\AppData\Local\Temp\Locker.exe
        "C:\Users\Admin\AppData\Local\Temp\Locker.exe"
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Sets desktop wallpaper using registry
        • Modifies Control Panel
        PID:2136

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Ention.exe
      Filesize

      3.3MB

      MD5

      f3190916167cb54a187814271f35b77b

      SHA1

      a8d0b0713347145bb961f2d42c049924be24e101

      SHA256

      0b4b213d68fb24ab6c2b9cc889b20f3662b79eb2dac519f00d2d97bdd10f6e46

      SHA512

      a5b728ec6f0619bd2061ec71b2460e2c99621443e1c39a8c88f043be949db26161a5b7a4baa52e5fa2bd6014b7bf971130df19722580dbc73c6483f0495e4921

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Locker.exe
      Filesize

      793KB

      MD5

      a83185ef7c03bfe0e0fbe10098876a34

      SHA1

      b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d

      SHA256

      7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be

      SHA512

      283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\autF443.tmp
      Filesize

      138KB

      MD5

      7c30424c525cb64760083e066ca1f77d

      SHA1

      69c369028e3db4fe5c2fbc69cbd837d66496c480

      SHA256

      b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643

      SHA512

      59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt
      Filesize

      331B

      MD5

      e7cf6700045181cb6889772d0d915586

      SHA1

      ec2478210baee9d7e7ac72d43b66ce642ffc4147

      SHA256

      3f93a8b1cdb1a748236e3d4230bd856abefa8d3660b691de89c5fc4e249a0fed

      SHA512

      79f764665cabbba8cf707b6af065c92c3a91ee8f393c6bfe121db64e8fc446aef39bbd8d47efea20c948d907454bde6b1deefba3ef3fb847ec3452bf136a3352

      Download Submit
    • memory/3660-12-0x0000000000400000-0x000000000075A000-memory.dmp
      Filesize

      3.4MB

      Download
    • memory/4256-0-0x0000000000400000-0x0000000000A31000-memory.dmp
      Filesize

      6.2MB

      Download