Resubmissions
06-03-2021 03:32
210306-m3rvqme486 629-05-2020 01:26
200529-gb7z4ayft2 628-05-2020 12:20
200528-54npk69lb6 10Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-05-2020 01:26
Static task
static1
Behavioral task
behavioral1
Sample
appinstall.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
appinstall.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
appinstall.exe
-
Size
168KB
-
MD5
4aea355a977144665082077acfe9528b
-
SHA1
1fcfc6db3d051c15e043c0cec6d788a5368347b3
-
SHA256
662df407f177b9d63dc16fe5c1068d65c8e1fbe602d05a7cae1db651179b746e
-
SHA512
785c5b6d437ea566bfe801d6c32ef6df8d543d681daf9ab44a6d0a9c1b3cd47481b8bca2ebf8a7e4fe51265662e63e62b78d771e7861d821bde6ac45b6c719f3
Score
6/10
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
appinstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 appinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e appinstall.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
appinstall.exepid process 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe 4688 appinstall.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
appinstall.execmd.exedescription pid process target process PID 4688 wrote to memory of 3256 4688 appinstall.exe cmd.exe PID 4688 wrote to memory of 3256 4688 appinstall.exe cmd.exe PID 4688 wrote to memory of 3256 4688 appinstall.exe cmd.exe PID 4688 wrote to memory of 572 4688 appinstall.exe cmd.exe PID 4688 wrote to memory of 572 4688 appinstall.exe cmd.exe PID 4688 wrote to memory of 572 4688 appinstall.exe cmd.exe PID 3256 wrote to memory of 368 3256 cmd.exe reg.exe PID 3256 wrote to memory of 368 3256 cmd.exe reg.exe PID 3256 wrote to memory of 368 3256 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\appinstall.exe"C:\Users\Admin\AppData\Local\Temp\appinstall.exe"1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\d92t4y" /v nt3ckj /t REG_DWORD /d 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\d92t4y" /v nt3ckj /t REG_DWORD /d 03⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" >> NUL2⤵