Analysis

- Max time kernel: 145s
- Max time network: 144s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 13-05-2021 01:51
Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe
  Resource: win7v20210410 (windows7_x64)
  Result: 0 signatures, 0 seconds

The signatures and process tree below come from the windows10_x64 run listed under Analysis (resource win10v20210410); the windows7_x64 task recorded no signatures.
General

- Target: aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe
- Size: 134KB
- MD5: f8d3d5c5be06f752607af2bf6ca54a62
- SHA1: b8894b64b3cf0d6ed3336dbcf14b7e520b15e92c
- SHA256: aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48
- SHA512: 137a88e61a2dd84b4b151efc286167ed04ba9e44f80d44c0b96a8beb8cf9bd9d76f49a01b4ca48932c8242be59c651e1e0d3afe46cdfff37e29d32e5e711150e
Malware Config
Signatures

- Drops file in System32 directory (5 IoCs)
  Process: boxesrandom.exe (PID 4052)
  File opened for modification:
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
  Note: C:\Windows\SysWOW64\config\systemprofile is the LocalSystem account's profile as seen by a 32-bit process, and the INetCache, INetCookies and History.IE5 containers are created by WinINet when it initializes its cache. Together with the HKEY_USERS\.DEFAULT Internet Settings writes below, this shows that boxesrandom.exe was running as SYSTEM and loaded WinINet; it is not by itself evidence of a deliberate drop into System32.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the sentence above is the sandbox's generic description for this signature; the report records no file encryption or ransom note activity.

- Modifies data under HKEY_USERS (3 IoCs)
  Process: boxesrandom.exe (PID 4052)
  Set value (str):
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Note: these are the standard WinINet cache-container values, written under .DEFAULT because the process runs as SYSTEM (see the file drops above).

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Process: boxesrandom.exe (PID 4052), 10 events

- Suspicious behavior: RenamesItself (1 IoC)
  Process: aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe (PID 5040)

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4440 (aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe) wrote to memory of PID 5040 (aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe), 3 events
  PID 4060 (boxesrandom.exe) wrote to memory of PID 4052 (boxesrandom.exe), 3 events
  In both cases the writer is the parent and the target is the child it has just created from the same image (see Processes).
Processes

- Image: C:\Users\Admin\AppData\Local\Temp\aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe"
  PID: 4440
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe
    Command line: --48a8fc9d
    PID: 5040
    - Suspicious behavior: RenamesItself

- Image: C:\Windows\SysWOW64\boxesrandom.exe
  Command line: "C:\Windows\SysWOW64\boxesrandom.exe"
  PID: 4060
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\boxesrandom.exe
    Command line: --9a74c3d2
    PID: 4052
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

Both chains have the same shape: a process launches a second copy of its own image whose entire command line is a single --<8 hex digits> argument (--48a8fc9d, --9a74c3d2), and the parent then writes into the child's memory. boxesrandom.exe appears as a separate root in the tree; the report does not show which process started it.
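The self-relaunch shape above is easy to hunt for in process-creation telemetry. The following detection is an added example and is not part of the sandbox report: it tokenizes a Windows command line, strips the program token only when it is actually present (the children in this report were logged with a command line consisting solely of the argument), and flags a child that shares its parent's image path and received exactly one --xxxxxxxx argument. ProcEvent, the function names, the regular expression (which assumes an 8-digit lowercase hex marker as in the two observed values), and the events themselves (constructed from the process tree, with unknown parents left blank) are this example's own.

```python
"""Flag the self-relaunch chain seen in this report over process-creation events.
Added example, not part of the sandbox report or the sample."""
import re
from dataclasses import dataclass
from typing import List

# Marker observed in the report: --48a8fc9d and --9a74c3d2 (assumed to be
# 8 lowercase hex digits in general; widen if other samples differ).
RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process's executable
    cmdline: str        # raw command line as logged
    parent_image: str   # full path of the creating process's executable


def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows command-line tokenizer: split on whitespace outside
    double quotes and drop the quotes. Sufficient for the shapes in the report."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def arguments(ev: ProcEvent) -> List[str]:
    """Arguments without the program token. The children in the report were
    logged with only '--48a8fc9d' as their command line, so the image path is
    removed only when it really is the first token."""
    toks = split_cmdline(ev.cmdline)
    if toks and toks[0].lower() == ev.image.lower():
        return toks[1:]
    return toks


def is_self_relaunch(ev: ProcEvent) -> bool:
    """Parent and child run the same image and the child got exactly one
    --xxxxxxxx argument and nothing else."""
    args = arguments(ev)
    return (ev.image.lower() == ev.parent_image.lower()
            and len(args) == 1
            and RELAUNCH_ARG.match(args[0]) is not None)


def find_self_relaunches(events: List[ProcEvent]) -> List[int]:
    """PIDs of children created by the self-relaunch pattern."""
    return [ev.pid for ev in events if is_self_relaunch(ev)]


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\aa4f15adcee5aab1fa0a590bab912edb0e1b79815a5754201f5efe15f7bd9a48.exe")
DROPPED = r"C:\Windows\SysWOW64\boxesrandom.exe"

# Constructed events mirroring the report's tree. The parents of PIDs 4440 and
# 4060 are not shown in the report, so they are left blank here.
EVENTS = [
    ProcEvent(4440, 0, SAMPLE, f'"{SAMPLE}"', ""),
    ProcEvent(5040, 4440, SAMPLE, "--48a8fc9d", SAMPLE),
    ProcEvent(4060, 0, DROPPED, f'"{DROPPED}"', ""),
    ProcEvent(4052, 4060, DROPPED, "--9a74c3d2", DROPPED),
    # Constructed benign controls: same image with ordinary arguments, and a
    # --xxxxxxxx argument whose parent is a different image.
    ProcEvent(7001, 7000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(7003, 7002, r"C:\Tools\app.exe", r'"C:\Tools\app.exe" --deadbeef',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid in find_self_relaunches(EVENTS):
        print(f"self-relaunch child: PID {pid}")
```

Run against the constructed events this reports PIDs 5040 and 4052 and nothing else. Pairing the hit with a subsequent WriteProcessMemory from the same parent into that child, as the report shows for both chains, raises the confidence further; the argument regex alone will also fire on legitimate software that relaunches itself with a short token, so treat the parent-image match as the required condition, not the marker.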
Network
MITRE ATT&CK Enterprise v6
Downloads

Memory dumps (named memory/<PID>-<sequence>-<range>):

- memory/4052-120-0x0000000000000000-mapping.dmp
- memory/4052-122-0x0000000000520000-0x000000000066A000-memory.dmp (1.3MB)
- memory/4060-119-0x0000000000430000-0x00000000004DE000-memory.dmp (696KB)
- memory/4060-121-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
- memory/4440-114-0x0000000002180000-0x0000000002191000-memory.dmp (68KB)
- memory/4440-116-0x0000000000400000-0x0000000000423000-memory.dmp (140KB)
- memory/5040-115-0x0000000000000000-mapping.dmp

Both root processes (PID 4440, the submitted sample, and PID 4060, boxesrandom.exe) have a 140KB image mapping at 0x400000-0x423000; identical mapping sizes are consistent with boxesrandom.exe being a copy of the 134KB sample, but the report does not hash the dropped file, so this remains an inference until the two binaries are compared.