Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-04-2021 15:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
- Resource: win7v20201028
General
- Target: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
- Size: 400KB
- MD5: d782643d2a7eec1f892226c6dd4a71d6
- SHA1: a4fa2d85f3314c10e43bc374fdb3ccd4b902feac
- SHA256: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae
- SHA512: 36cb6ea7265401bd3ff8c7290352fa2c47f1396e494c303478e6bb534943a36a8c33469623cf01209b0b542e5738d72d8739448f6f25534a3e398a94b2e3cda6
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
  Processes: dispidleel.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (dispidleel.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (dispidleel.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (dispidleel.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (dispidleel.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (dispidleel.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: dispidleel.exe
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (dispidleel.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (dispidleel.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (dispidleel.exe)
- Suspicious behavior: EmotetMutantsSpam (2 IoCs)
  Processes: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe, dispidleel.exe
  - pid 3140: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
  - pid 2424: dispidleel.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: dispidleel.exe
  - pid 2424: dispidleel.exe (18 identical entries)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
  - pid 3140: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe, dispidleel.exe
  - pid 3116: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
  - pid 3140: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
  - pid 3548: dispidleel.exe
  - pid 2424: dispidleel.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe, dispidleel.exe
  - PID 3116 wrote to memory of 3140: 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe -> 4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe (3 identical entries)
  - PID 3548 wrote to memory of 2424: dispidleel.exe -> dispidleel.exe (3 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\4e3888c0c289fa84a59aa771e8b948e88805268273d758d279d0c76876ccb4ae.exe --84ca9d77
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\SysWOW64\dispidleel.exe
  Command line: "C:\Windows\SysWOW64\dispidleel.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\dispidleel.exe --c2fa54f
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
  - MD5: d854e5bf32f6eff669679c3a9acd847a
  - SHA1: 0d43be3bd4161a1cbb329c910fdf62346fa45b20
  - SHA256: 5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660
  - SHA512: 2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259
- memory/2424-6-0x0000000000000000-mapping.dmp
- memory/2424-9-0x0000000000400000-0x0000000000468000-memory.dmp (Filesize: 416KB)
- memory/3116-3-0x00000000001E0000-0x00000000001F1000-memory.dmp (Filesize: 68KB)
- memory/3140-2-0x0000000000000000-mapping.dmp
- memory/3140-4-0x0000000000400000-0x0000000000468000-memory.dmp (Filesize: 416KB)