Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 13-05-2021 01:59
Static task: static1
Behavioral task: behavioral1
- Sample: 84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe
- Size: 149KB
- MD5: 171737287ba86c79b03985c56b621c15
- SHA1: d5dd66318e054ad25f87676d5e72253abbdae1cc
- SHA256: 84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a
- SHA512: fac8d38a25492b74716d7cf052d7af178bfe0f98de6d794b09511a88d5eb31e3a825adabf0142589ef953ec278da35c9b08b77823273a4eb2335ed61e536d790
Malware Config
Signatures
Drops file in System32 directory (5 IoCs)
Process: guiddefpinned.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (3 IoCs)
Process: guiddefpinned.exe
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Process: guiddefpinned.exe
- PID 8, guiddefpinned.exe (10 occurrences)
Suspicious behavior: RenamesItself (1 IoC)
Process: 84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe
- PID 1136, 84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe, guiddefpinned.exe
- PID 508 (84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe) wrote to memory of PID 1136 (84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe), 3 occurrences
- PID 3400 (guiddefpinned.exe) wrote to memory of PID 8 (guiddefpinned.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe (PID 508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe (PID 1136, child of 508)
    Command line: --c008463b
    Signatures: Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\guiddefpinned.exe (PID 3400)
  Command line: "C:\Windows\SysWOW64\guiddefpinned.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\guiddefpinned.exe (PID 8, child of 3400)
    Command line: --da687eca
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
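The process tree above shows the same pattern twice: a process re-launches its own image with a single argument of the form "--" followed by eight hex digits ("--c008463b" under PID 508, "--da687eca" under PID 3400), and the second pair runs from a non-standard file name in C:\Windows\SysWOW64. The following is an added example, not part of the sandbox report, that turns those observations into a small detection run over process-creation records. The record fields mimic Sysmon Event ID 1 but are an assumption; the events themselves are constructed here (PIDs, image paths and tags copied from the report; the parents of PIDs 508 and 3400 and the cmd.exe negative case are invented), and the eight-hex-digit length of the tag is an observation from this one report rather than a known property of the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from the report above.
SAMPLE_SHA256 = "84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a"
SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\84fecc89d0e95d9fab6a35ad6fc2a39242d756fa85c8e6cb7fba4da84feb077a.exe")
DROPPED_IMAGE = r"C:\Windows\SysWOW64\guiddefpinned.exe"

# Behaviour visible in the process tree: a process re-launches its own image
# with one argument "--" + eight hex digits ("--c008463b", "--da687eca").
# The eight-digit length is an observation from this report, not a documented
# property of the sample, so it is an assumption of this rule.
SELF_RESPAWN_TAG = re.compile(r"^--[0-9a-f]{8}$", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Process-creation record; fields mimic Sysmon Event ID 1 (assumed shape)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str
    sha256: str = ""


def arguments_only(image: str, command_line: str) -> str:
    """Strip a leading image path (quoted or bare) from a command line.

    The report shows the parent's command line as the quoted path alone and
    the child's as the bare tag, so both shapes must be handled.
    """
    cl = command_line.strip()
    for prefix in (f'"{image}"', image):
        if cl.lower().startswith(prefix.lower()):
            return cl[len(prefix):].strip()
    return cl


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the checks an event matches; [] means clean."""
    hits: List[str] = []
    if ev.sha256.lower() == SAMPLE_SHA256:
        hits.append("ioc:sha256")
    if ev.image.lower() == DROPPED_IMAGE.lower():
        hits.append("ioc:dropped_image")
    same_image = ev.image.lower() == ev.parent_image.lower()
    if same_image and SELF_RESPAWN_TAG.match(arguments_only(ev.image, ev.command_line)):
        hits.append("behaviour:self_respawn_hex_tag")
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> matched checks for every event that matched at least one."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


# Constructed events modelled on the report's process tree.  PIDs 508, 1136,
# 3400 and 8, the image paths and the tags are the report's; the parents of
# 508 and 3400 (explorer.exe, services.exe) and the cmd.exe pair are invented
# here to give the rule a negative case.
EVENTS = [
    ProcEvent(508, SAMPLE_IMAGE, f'"{SAMPLE_IMAGE}"', 4242,
              r"C:\Windows\explorer.exe", SAMPLE_SHA256),
    ProcEvent(1136, SAMPLE_IMAGE, "--c008463b", 508, SAMPLE_IMAGE, SAMPLE_SHA256),
    ProcEvent(3400, DROPPED_IMAGE, f'"{DROPPED_IMAGE}"', 700,
              r"C:\Windows\System32\services.exe"),
    ProcEvent(8, DROPPED_IMAGE, "--da687eca", 3400, DROPPED_IMAGE),
    # A same-image spawn without the hex tag must not trigger the behaviour rule.
    ProcEvent(5000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hi", 4999,
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(f"PID {pid}: {', '.join(hits)}")
```

The hash and path checks only catch this exact sample and drop location; the self-respawn rule is the part worth keeping, since it matches the behaviour rather than the artefact, at the cost of needing the parent image in the log source.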
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/8-120-0x0000000000000000-mapping.dmp
- memory/508-114-0x0000000000560000-0x00000000006AA000-memory.dmp (1.3MB)
- memory/508-116-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)
- memory/1136-115-0x0000000000000000-mapping.dmp
- memory/1136-117-0x0000000000560000-0x00000000006AA000-memory.dmp (1.3MB)
- memory/3400-119-0x00000000004A0000-0x00000000005EA000-memory.dmp (1.3MB)
- memory/3400-121-0x0000000000400000-0x0000000000426000-memory.dmp (152KB)