Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-05-2021 01:57

Static task: static1
Behavioral task: behavioral1
- Sample: 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe
- Size: 89KB
- MD5: e32f62d6e87f259d879eaa8a879de76f
- SHA1: 82f8f9187a297d0e3da61639113d853d4f795a27
- SHA256: 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866
- SHA512: bffdaef490fae873c1c41bd921d90763684b07e5523ccd4f0f19a3a1b93aeb1f8d7395fb2a6fa77b31ff11aa343e956997f5b110b86d8c5ffc96614dd643c9e9
Malware Config

Signatures

- Drops file in System32 directory (1 IoC)
  Processes: dmaphoenix.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (dmaphoenix.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (21 IoCs)
  Processes: dmaphoenix.exe
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070015000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (dmaphoenix.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1" (dmaphoenix.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 40336f5ca147d701 (dmaphoenix.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (dmaphoenix.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (dmaphoenix.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" (dmaphoenix.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" (dmaphoenix.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (dmaphoenix.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32} (dmaphoenix.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77 (dmaphoenix.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0" (dmaphoenix.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network" (dmaphoenix.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (dmaphoenix.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (dmaphoenix.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (dmaphoenix.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (dmaphoenix.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (dmaphoenix.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 (dmaphoenix.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (dmaphoenix.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (dmaphoenix.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 40336f5ca147d701 (dmaphoenix.exe)

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: dmaphoenix.exe
  - pid 336 dmaphoenix.exe
  - pid 336 dmaphoenix.exe
  - pid 336 dmaphoenix.exe

- Suspicious behavior: RenamesItself (1 IoC)
  Processes: 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe
  - pid 2044 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe, dmaphoenix.exe
  - PID 1240 wrote to memory of 2044; process 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe, target process 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe
  - PID 1240 wrote to memory of 2044; process 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe, target process 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe
  - PID 1240 wrote to memory of 2044; process 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe, target process 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe
  - PID 1240 wrote to memory of 2044; process 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe, target process 3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe
  - PID 1632 wrote to memory of 336; process dmaphoenix.exe, target process dmaphoenix.exe
  - PID 1632 wrote to memory of 336; process dmaphoenix.exe, target process dmaphoenix.exe
  - PID 1632 wrote to memory of 336; process dmaphoenix.exe, target process dmaphoenix.exe
  - PID 1632 wrote to memory of 336; process dmaphoenix.exe, target process dmaphoenix.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe"
  PID: 1240
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe (child)
    Command line: C:\Users\Admin\AppData\Local\Temp\3478eb7d70c27498d0c4bd842f41313c3223fcb9a572a6b57460fb556cf4a866.exe --6583a3e
    PID: 2044
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\dmaphoenix.exe
  Command line: "C:\Windows\SysWOW64\dmaphoenix.exe"
  PID: 1632
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dmaphoenix.exe (child)
    Command line: C:\Windows\SysWOW64\dmaphoenix.exe --4cf0af09
    PID: 336
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/336-68-0x0000000000000000-mapping.dmp
- memory/1240-59-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1240-63-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
- memory/1240-62-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
- memory/2044-60-0x0000000000000000-mapping.dmp
- memory/2044-66-0x00000000752B1000-0x00000000752B3000-memory.dmp (Filesize: 8KB)