Analysis

max time kernel: 125s
max time network: 136s
platform: windows10_x64
resource: win10v20201028
submitted: 07-04-2021 15:28

Static task: static1
Behavioral task: behavioral1
Sample: 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
Resource: win7v20201028
General

Target: 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
Size: 404KB
MD5: e4fb62d297655a172fea821a2b9df01f
SHA1: 62ed27f2423b852c525a72cd3cf85434f948c94d
SHA256: 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b
SHA512: 7763dc10326dade3c915dc075845496eb5edc9d573b1145c49053caf8798f4f263ad6bf08135b8e0dbfa20897c466171dd02c7e8936381408d88e6d7c8ee118a
Malware Config
Signatures
Drops file in System32 directory (5 IoCs)
Processes: funcdispid.exe

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | funcdispid.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | funcdispid.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | funcdispid.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | funcdispid.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | funcdispid.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (3 IoCs)
Processes: funcdispid.exe

description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | funcdispid.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | funcdispid.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | funcdispid.exe
Suspicious behavior: EmotetMutantsSpam (2 IoCs)
Processes: 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe, funcdispid.exe

pid | process
752 | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
2008 | funcdispid.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: funcdispid.exe

pid | process
2008 | funcdispid.exe
2008 | funcdispid.exe
2008 | funcdispid.exe
2008 | funcdispid.exe
2008 | funcdispid.exe
2008 | funcdispid.exe
2008 | funcdispid.exe
2008 | funcdispid.exe
2008 | funcdispid.exe
2008 | funcdispid.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes: 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe

pid | process
752 | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe, funcdispid.exe

pid | process
636 | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
752 | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
2400 | funcdispid.exe
2008 | funcdispid.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe, funcdispid.exe

description | pid | process | target process
PID 636 wrote to memory of 752 | 636 | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
PID 636 wrote to memory of 752 | 636 | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
PID 636 wrote to memory of 752 | 636 | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe | 675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe
PID 2400 wrote to memory of 2008 | 2400 | funcdispid.exe | funcdispid.exe
PID 2400 wrote to memory of 2008 | 2400 | funcdispid.exe | funcdispid.exe
PID 2400 wrote to memory of 2008 | 2400 | funcdispid.exe | funcdispid.exe
Processes

C:\Users\Admin\AppData\Local\Temp\675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\675bfe119daa42f8c92dcacee797128117a63f91dd1d0793d0ab0cc35de25a6b.exe (level 2)
    Command line: --b10e2adc
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\funcdispid.exe (level 1)
  Command line: "C:\Windows\SysWOW64\funcdispid.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\funcdispid.exe (level 2)
    Command line: --9bb68e13
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EmotetMutantsSpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\b36208c2e0ba1c7f0e7f094499ea3452_72727c5d-8d0e-47bb-8579-8067735277ff
  MD5: d854e5bf32f6eff669679c3a9acd847a
  SHA1: 0d43be3bd4161a1cbb329c910fdf62346fa45b20
  SHA256: 5a08f974f0f6e267fb0a7658b1d80e809a3f4f1293a9149238b647f3ed305660
  SHA512: 2dafe095dadaf0536ab48043a05b71900717e49c6a344e3fcd4fa1282db0a46559e67528d541195efaafc77e53d2e69cbe6da46f4ce0fcf827f9d94c4bb48259

memory/636-3-0x00000000004F0000-0x0000000000501000-memory.dmp
  Filesize: 68KB

memory/752-2-0x0000000000000000-mapping.dmp

memory/752-4-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB

memory/2008-6-0x0000000000000000-mapping.dmp

memory/2008-9-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB