Analysis
- max time kernel: 142s
- max time network: 157s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-05-2021 02:34

Static task: static1
Behavioral task: behavioral1
- Sample: f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
- Resource: win7v20210408
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
- Size: 134KB
- MD5: 9a4c58c9a89a06da19007a28186d454a
- SHA1: 0e0e436266e1dc0bde5ea0bd7a0421f17d483dc0
- SHA256: f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656
- SHA512: 25595c1bbdb2d1a42f48d53e86e7b854f7ac90df31b392d71c618e29811158589dd83469833055afc00b972d0df7850fd1d0b0f317b381f75b669761019262ba
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
Processes: ribbonrelated.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | ribbonrelated.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | ribbonrelated.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | ribbonrelated.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | ribbonrelated.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | ribbonrelated.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
Processes: ribbonrelated.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | ribbonrelated.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | ribbonrelated.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | ribbonrelated.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: ribbonrelated.exe
pid | process
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
2628 | ribbonrelated.exe
- Suspicious behavior: RenamesItself (1 IoC)
Processes: f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
pid | process
2076 | f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe, ribbonrelated.exe
description | pid | process | target process
PID 2544 wrote to memory of 2076 | 2544 | f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe | f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
PID 2544 wrote to memory of 2076 | 2544 | f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe | f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
PID 2544 wrote to memory of 2076 | 2544 | f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe | f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
PID 2928 wrote to memory of 2628 | 2928 | ribbonrelated.exe | ribbonrelated.exe
PID 2928 wrote to memory of 2628 | 2928 | ribbonrelated.exe | ribbonrelated.exe
PID 2928 wrote to memory of 2628 | 2928 | ribbonrelated.exe | ribbonrelated.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2544
  - [2] C:\Users\Admin\AppData\Local\Temp\f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f886202f15a93ff1bd3522be14dd3143c4f7443cc700c7840fe8667e8abf4656.exe --e5d54944
    - Suspicious behavior: RenamesItself
    PID: 2076
- [1] C:\Windows\SysWOW64\ribbonrelated.exe
  Command line: "C:\Windows\SysWOW64\ribbonrelated.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2928
  - [2] C:\Windows\SysWOW64\ribbonrelated.exe
    Command line: C:\Windows\SysWOW64\ribbonrelated.exe --2a48e34b
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 2628
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2076-115-0x0000000000000000-mapping.dmp
- memory/2076-118-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
- memory/2544-114-0x00000000004E0000-0x000000000062A000-memory.dmp (Filesize: 1.3MB)
- memory/2544-116-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
- memory/2628-120-0x0000000000000000-mapping.dmp
- memory/2628-123-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
- memory/2928-119-0x00000000001E0000-0x00000000001F1000-memory.dmp (Filesize: 68KB)
- memory/2928-121-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)