Analysis
max time kernel: 146s
max time network: 148s
platform: windows10_x64
resource: win10v20210410
submitted: 13-05-2021 02:19

Static task: static1
Behavioral task: behavioral1
Sample: c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
Resource: win7v20210410 (windows7_x64)
0 signatures
0 seconds
General
Target: c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
Size: 143KB
MD5: 28b6e7754847c8c90eed3c0d8b82819f
SHA1: e960661b7f2e2e2465dd4fe9eb1b69dd049b8e34
SHA256: c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9
SHA512: 84ff731622c8ac225da655c4f1c5859dae48c8a7d37318584b50820aabe948ac320faf04424e29ed8d88192ad97c19e79cfedb6d31114a18957cdfc43342cf48
Malware Config
Signatures
Drops file in System32 directory (5 IoCs)
Process: unpackbulk.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | unpackbulk.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | unpackbulk.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | unpackbulk.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | unpackbulk.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | unpackbulk.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Process: unpackbulk.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | unpackbulk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | unpackbulk.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | unpackbulk.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Process: unpackbulk.exe
pid | process
1908 | unpackbulk.exe (the same entry is recorded 10 times)

Suspicious behavior: RenamesItself (1 IoCs)
Process: c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
pid | process
3992 | c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe, unpackbulk.exe
description | pid | process | target process
PID 3872 wrote to memory of 3992 | 3872 | c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe | c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe (recorded 3 times)
PID 1484 wrote to memory of 1908 | 1484 | unpackbulk.exe | unpackbulk.exe (recorded 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe"
  PID: 3872
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\c9c9bc27f596eb25d234491aeb394d85bbba1a640bcf72f39e4b3c373fbe8eb9.exe --c48b4b28
    PID: 3992
    - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\unpackbulk.exe
  Command line: "C:\Windows\SysWOW64\unpackbulk.exe"
  PID: 1484
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\unpackbulk.exe
    Command line: C:\Windows\SysWOW64\unpackbulk.exe --7407af96
    PID: 1908
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1484-121-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
memory/1908-120-0x0000000000000000-mapping.dmp
memory/3872-114-0x00000000001E0000-0x00000000001F1000-memory.dmp (Filesize: 68KB)
memory/3872-116-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
memory/3992-115-0x0000000000000000-mapping.dmp
memory/3992-117-0x0000000000570000-0x00000000006BA000-memory.dmp (Filesize: 1.3MB)
memory/3992-118-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)