Resubmissions
14-01-2022 07:24  220114-h8pfvsehf8  10
12-05-2021 05:57  210512-aqe1a5ra6a  10
12-05-2021 04:08  210512-1jz67cazwa  10
Analysis
max time kernel: 8s
max time network: 15s
platform: windows7_x64
resource: win7v20210410
submitted: 12-05-2021 05:57
Static task: static1
Behavioral task: behavioral1
Sample: c4da0137cbb99626fd44da707ae1bca8.exe
Resource: win7v20210410
General
Target: c4da0137cbb99626fd44da707ae1bca8.exe
Size: 60KB
MD5: c4da0137cbb99626fd44da707ae1bca8
SHA1: a38e9891152755d9e7fff7386bb5a1bca375bd91
SHA256: 1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
SHA512: dd8212ff73522c6590ff8d8a3a48276fd872649eada2315b045c8c9f6cf054c3fe6cd741a16744eb82eff763acb745f07336c44db8f0c693770180cf7fd90645
Malware Config
Extracted
C:\\README.949640ab.TXT
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\ResizeRemove.crw.949640ab | c4da0137cbb99626fd44da707ae1bca8.exe
File opened for modification | C:\Users\Admin\Pictures\StopReset.crw.949640ab | c4da0137cbb99626fd44da707ae1bca8.exe
File opened for modification | C:\Users\Admin\Pictures\UndoUse.tiff.949640ab | c4da0137cbb99626fd44da707ae1bca8.exe
File opened for modification | C:\Users\Admin\Pictures\ClearInstall.tif.949640ab | c4da0137cbb99626fd44da707ae1bca8.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertStop.tiff.949640ab | c4da0137cbb99626fd44da707ae1bca8.exe
File opened for modification | C:\Users\Admin\Pictures\PingRevoke.crw.949640ab | c4da0137cbb99626fd44da707ae1bca8.exe
Drops startup file 2 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.949640ab.TXT | c4da0137cbb99626fd44da707ae1bca8.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.949640ab.TXT | c4da0137cbb99626fd44da707ae1bca8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\949640ab.BMP" | c4da0137cbb99626fd44da707ae1bca8.exe
Modifies Control Panel 2 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop | c4da0137cbb99626fd44da707ae1bca8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" | c4da0137cbb99626fd44da707ae1bca8.exe
Modifies data under HKEY_USERS 1 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\949640ab.BMP" | c4da0137cbb99626fd44da707ae1bca8.exe
Modifies registry class 5 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab | c4da0137cbb99626fd44da707ae1bca8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab\ = "949640ab" | c4da0137cbb99626fd44da707ae1bca8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon | c4da0137cbb99626fd44da707ae1bca8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab | c4da0137cbb99626fd44da707ae1bca8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon\ = "C:\\ProgramData\\949640ab.ico" | c4da0137cbb99626fd44da707ae1bca8.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe, c4da0137cbb99626fd44da707ae1bca8.exe
description | pid | process | target process
PID 1300 wrote to memory of 1156 | 1300 | c4da0137cbb99626fd44da707ae1bca8.exe | c4da0137cbb99626fd44da707ae1bca8.exe
PID 1300 wrote to memory of 1156 | 1300 | c4da0137cbb99626fd44da707ae1bca8.exe | c4da0137cbb99626fd44da707ae1bca8.exe
PID 1300 wrote to memory of 1156 | 1300 | c4da0137cbb99626fd44da707ae1bca8.exe | c4da0137cbb99626fd44da707ae1bca8.exe
PID 1300 wrote to memory of 1156 | 1300 | c4da0137cbb99626fd44da707ae1bca8.exe | c4da0137cbb99626fd44da707ae1bca8.exe
PID 1156 wrote to memory of 1924 | 1156 | c4da0137cbb99626fd44da707ae1bca8.exe | c4da0137cbb99626fd44da707ae1bca8.exe
PID 1156 wrote to memory of 1924 | 1156 | c4da0137cbb99626fd44da707ae1bca8.exe | c4da0137cbb99626fd44da707ae1bca8.exe
PID 1156 wrote to memory of 1924 | 1156 | c4da0137cbb99626fd44da707ae1bca8.exe | c4da0137cbb99626fd44da707ae1bca8.exe
PID 1156 wrote to memory of 1924 | 1156 | c4da0137cbb99626fd44da707ae1bca8.exe | c4da0137cbb99626fd44da707ae1bca8.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
  PID: 1072

C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1300

    C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
      - Sets desktop wallpaper using registry
      - Modifies Control Panel
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 1156

        C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe -work worker0 -path \\?\C:\
          - Modifies extensions of user files
          - Drops startup file
          PID: 1924