Analysis
-
max time kernel
140s -
max time network
143s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-04-2021 15:10
Static task
static1
Behavioral task
behavioral1
Sample
61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe
Resource
win7v20201028
General
-
Target
61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe
-
Size
672KB
-
MD5
5e02977a2d98faf2de394fce6dbe0d45
-
SHA1
ee177f2ece20347034d056858f2e21136605306a
-
SHA256
61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a
-
SHA512
4bc73e8cd501b9ec39643f9e0328445ab1085e07c6b12f22f40d6fa72caa5e77120916868ec42ca2559d69b85e2a1b571b4985c750d4ccd5cdc6d252d3d13686
Malware Config
Signatures
-
Drops file in System32 directory 5 IoCs
Processes:
titlenetsh.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 titlenetsh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat titlenetsh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 titlenetsh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE titlenetsh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies titlenetsh.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
titlenetsh.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" titlenetsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix titlenetsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" titlenetsh.exe -
Suspicious behavior: EmotetMutantsSpam 2 IoCs
Processes:
61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exetitlenetsh.exepid process 720 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe 4080 titlenetsh.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
titlenetsh.exepid process 4080 titlenetsh.exe 4080 titlenetsh.exe 4080 titlenetsh.exe 4080 titlenetsh.exe 4080 titlenetsh.exe 4080 titlenetsh.exe 4080 titlenetsh.exe 4080 titlenetsh.exe 4080 titlenetsh.exe 4080 titlenetsh.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exepid process 720 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exetitlenetsh.exetitlenetsh.exepid process 4648 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe 720 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe 3936 titlenetsh.exe 4080 titlenetsh.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exetitlenetsh.exedescription pid process target process PID 4648 wrote to memory of 720 4648 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe PID 4648 wrote to memory of 720 4648 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe PID 4648 wrote to memory of 720 4648 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe 61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe PID 3936 wrote to memory of 4080 3936 titlenetsh.exe titlenetsh.exe PID 3936 wrote to memory of 4080 3936 titlenetsh.exe titlenetsh.exe PID 3936 wrote to memory of 4080 3936 titlenetsh.exe titlenetsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe"C:\Users\Admin\AppData\Local\Temp\61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\61ab89f51f3743405d6cc52a82cf70344fc7cbfde25ed42c80c028ebfada023a.exe--99f509492⤵
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\titlenetsh.exe"C:\Windows\SysWOW64\titlenetsh.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\titlenetsh.exe--5e548bcc2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EmotetMutantsSpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6b58dd83fde6e6bdb1d5bcbc2235cb92_4a1d5b5d-6336-41a4-a4da-b4af65e6deffMD5
a3db8a5438ea2c28046dd9f1b37e3b73
SHA14c1f2f336d30cd8e7ec229c5af658fa2e8236e73
SHA256e16642f1248278e20d8bc8e356e75a2f7587e88ff411823a6accdacc78eb2d3f
SHA5124636c1399d63d21b61b0e74dcb000f85f29f5971640d18cfafaab2ef3d56fe3fe753b2a80387beca1c60753c9a01d5cb5d2260201dd15b7883bd813240f5f285
-
memory/720-2-0x0000000000000000-mapping.dmp
-
memory/720-4-0x0000000000400000-0x00000000004AE000-memory.dmpFilesize
696KB
-
memory/4080-6-0x0000000000000000-mapping.dmp
-
memory/4080-9-0x0000000000400000-0x00000000004AE000-memory.dmpFilesize
696KB
-
memory/4648-3-0x0000000002150000-0x0000000002161000-memory.dmpFilesize
68KB