Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-04-2021 13:08
Static task
static1
Behavioral task
behavioral1
Sample
22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe
Resource
win7v20201028
General
-
Target
22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe
-
Size
572KB
-
MD5
6394ab67821651c32b6778a2a79bda66
-
SHA1
d9083e0f56cf231aaa22044d28829e94e464b7d2
-
SHA256
22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b
-
SHA512
dff9db981012d5e930fd24d544524be84ee4df11a36dbda5f276ca7bc95af2ce994730dad23b11905aa6be965cacd65733fb6b4ae6cdbf0a7bb69e2b31ed2540
Malware Config
Signatures
-
Drops file in System32 directory 5 IoCs
Processes:
texttofooter.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat texttofooter.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 texttofooter.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE texttofooter.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies texttofooter.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 texttofooter.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
texttofooter.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" texttofooter.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" texttofooter.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix texttofooter.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exetexttofooter.exepid process 3532 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe 3832 texttofooter.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
texttofooter.exepid process 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe 3832 texttofooter.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exepid process 3532 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exetexttofooter.exetexttofooter.exepid process 832 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe 3532 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe 1476 texttofooter.exe 3832 texttofooter.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exetexttofooter.exedescription pid process target process PID 832 wrote to memory of 3532 832 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe PID 832 wrote to memory of 3532 832 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe PID 832 wrote to memory of 3532 832 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe 22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe PID 1476 wrote to memory of 3832 1476 texttofooter.exe texttofooter.exe PID 1476 wrote to memory of 3832 1476 texttofooter.exe texttofooter.exe PID 1476 wrote to memory of 3832 1476 texttofooter.exe texttofooter.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe"C:\Users\Admin\AppData\Local\Temp\22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\22d7305553fb73065b56e2fcaeb399653a8a79bb7104a9e8ce44c5f7534a4b3b.exe--f584da8b2⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\texttofooter.exe"C:\Windows\SysWOW64\texttofooter.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\texttofooter.exe--352881152⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ffMD5
d854e5bf32f6eff669679c3a9acd847a
SHA10d43be3bd4161a1cbb329c910fdf62346fa45b20
SHA2565a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660
SHA5122dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259
-
memory/832-3-0x0000000000640000-0x0000000000651000-memory.dmpFilesize
68KB
-
memory/3532-2-0x0000000000000000-mapping.dmp
-
memory/3532-4-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB
-
memory/3832-6-0x0000000000000000-mapping.dmp
-
memory/3832-9-0x0000000000400000-0x0000000000493000-memory.dmpFilesize
588KB