Resubmissions

  • 03-07-2024 22:59  240703-2yn7wszhlp  10
  • 03-07-2024 16:13  240703-tn93lsyglf  10
  • 03-07-2024 16:11  240703-tm84xsyfma  10
  • 10-05-2024 16:25  240510-tw1h5shh47  10
  • 24-08-2023 11:16  230824-nda8msdf8z  10

Analysis

  • max time kernel
    302s
  • max time network
    311s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-02-2021 11:43

General

  • Target

  • Size

    1.1MB

  • MD5

    2eb3ce80b26345bd139f7378330b19c1

  • SHA1

    10122bd8dd749e20c132d108d176794f140242b0

  • SHA256

    8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

  • SHA512

    e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Drops file in Program Files directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
      "C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.porntube.com
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:82945 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3176

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1084-8-0x00000000022B0000-0x00000000022B2000-memory.dmp

    Filesize

    8KB

  • memory/1084-11-0x00000000022B6000-0x00000000022B8000-memory.dmp

    Filesize

    8KB

  • memory/1084-10-0x00000000022B5000-0x00000000022B6000-memory.dmp

    Filesize

    4KB

  • memory/1084-9-0x00000000022B4000-0x00000000022B5000-memory.dmp

    Filesize

    4KB

  • memory/1084-7-0x00007FF8DA490000-0x00007FF8DAE30000-memory.dmp

    Filesize

    9.6MB

  • memory/1084-6-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

    Filesize

    504KB
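
Each dump name above encodes the PID, a sequence number and the virtual address range of the captured region (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), and the Filesize shown is just end minus start. The following added example is mine, not the sandbox's code: it parses those six names, recomputes the sizes in the report's own KB/MB notation, and coalesces adjacent regions, which shows that the three small dumps between 0x22B4000 and 0x22B8000 are one contiguous 16KB allocation captured in pieces. The split into "image-range" and "private-range" by address is a heuristic of mine, not something the report states.

```python
import re

# Dump names copied verbatim from the report's Downloads section.
DUMPS = [
    "memory/1084-8-0x00000000022B0000-0x00000000022B2000-memory.dmp",
    "memory/1084-11-0x00000000022B6000-0x00000000022B8000-memory.dmp",
    "memory/1084-10-0x00000000022B5000-0x00000000022B6000-memory.dmp",
    "memory/1084-9-0x00000000022B4000-0x00000000022B5000-memory.dmp",
    "memory/1084-7-0x00007FF8DA490000-0x00007FF8DAE30000-memory.dmp",
    "memory/1084-6-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp",
]

NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
PAGE = 0x1000


def parse_dump(name):
    """Split one dump filename into pid, sequence number, address range and size."""
    m = NAME.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"not a page-aligned, non-empty region: {name}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        # Heuristic (mine): on x64 Windows, regions near 0x7FF8... are usually
        # image mappings (DLLs); low addresses are usually heap/private memory.
        # Confirm against the process's module list before relying on it.
        "kind": "image-range" if start >= 0x7FF000000000 else "private-range",
    }


def fmt_size(n):
    """Render a byte count the way the report's Filesize column does."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def coalesce(regions):
    """Merge regions of the same pid whose ranges touch, keeping the seq numbers merged."""
    out = []
    for r in sorted(regions, key=lambda r: (r["pid"], r["start"])):
        last = out[-1] if out else None
        if last and last["pid"] == r["pid"] and last["end"] == r["start"]:
            out[-1] = {**last, "end": r["end"], "size": last["size"] + r["size"],
                       "seqs": last["seqs"] + [r["seq"]]}
        else:
            out.append({**r, "seqs": [r["seq"]]})
    return out


if __name__ == "__main__":
    for r in coalesce(parse_dump(n) for n in DUMPS):
        print(f"pid {r['pid']} 0x{r['start']:X}-0x{r['end']:X} {fmt_size(r['size'])} "
              f"{r['kind']} seqs={r['seqs']}")
```

Coalescing matters when you feed these dumps to a scanner: a YARA rule whose strings straddle the 0x22B5000 or 0x22B6000 boundary misses if the three fragments are scanned separately, so concatenate them in address order first. The sequence numbers (6 through 11) are the sandbox's capture order, not address order, which is why the 9.6MB region carries seq 7 yet sits above the small ones.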