Analysis

- max time kernel: 143s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 13-05-2021 01:59

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe
  - Resource: win7v20210410 (windows7_x64)
  - 0 signatures, 0 seconds
General

- Target: 25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe
- Size: 149KB
- MD5: 910058e8576f630e45d1e6b5885bd9de
- SHA1: a40cd6b0ad1231da40c4f22926f0ede102a49eba
- SHA256: 25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049
- SHA512: 74c5265c351604ad3163f45084035905452837ed93a281b40bab284f3ba5767a65aa285b5355ddb11c1f5f9ba4b7a2e4dbc758b6fd76661a4a55edeb14494deb
Malware Config
Signatures

- Drops file in System32 directory (5 IoCs)
  Processes: scrnstarta.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (scrnstarta.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (scrnstarta.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (scrnstarta.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (scrnstarta.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (scrnstarta.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (3 IoCs)
  Processes: scrnstarta.exe
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (scrnstarta.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (scrnstarta.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (scrnstarta.exe)

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: scrnstarta.exe
  - PID 2120 scrnstarta.exe (10 occurrences)

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe
  - PID 2712 25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe, scrnstarta.exe
  - PID 3724 wrote to memory of PID 2712: 25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe -> 25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe (3 occurrences)
  - PID 1408 wrote to memory of PID 2120: scrnstarta.exe -> scrnstarta.exe (3 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe"
  PID: 3724
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\25a65373ed73d1db68ff1e4f547f7c6d886305f38520b909779655475ccf7049.exe --83697ce5
    PID: 2712
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\scrnstarta.exe
  Command line: "C:\Windows\SysWOW64\scrnstarta.exe"
  PID: 1408
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\scrnstarta.exe --7b1067bd
    PID: 2120
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

- memory/1408-119-0x0000000000430000-0x000000000057A000-memory.dmp (1.3MB)
- memory/1408-121-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/2120-120-0x0000000000000000-mapping.dmp
- memory/2120-122-0x0000000000550000-0x000000000069A000-memory.dmp (1.3MB)
- memory/2120-123-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/2712-115-0x0000000000000000-mapping.dmp
- memory/2712-117-0x0000000000430000-0x000000000057A000-memory.dmp (1.3MB)
- memory/2712-118-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/3724-114-0x0000000000430000-0x00000000004DE000-memory.dmp (696KB)
- memory/3724-116-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)