Analysis

- max time kernel: 142s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-05-2021 02:00

Static task: static1

Behavioral task: behavioral1
- Sample: ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General

- Target: ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
- Size: 170KB
- MD5: 5b5b849bbb349fea02d69a076302ddab
- SHA1: 3ddb25d728b7cce43d1948433c27a67cbb6c0ff7
- SHA256: ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7
- SHA512: 30dd4c08c617cff339b4d235ff0cd72568bd77eeba85a37dd360d2283f56814b0d7088ed810cff8d09e005025aef802e50f4960b780c0be98ca62b43576dbeb8
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
  Processes: scrnstarta.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | scrnstarta.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | scrnstarta.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | scrnstarta.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | scrnstarta.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | scrnstarta.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (3 IoCs)
  Processes: scrnstarta.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | scrnstarta.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | scrnstarta.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | scrnstarta.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: scrnstarta.exe
  pid | process
  3548 | scrnstarta.exe (all 10 entries are the same pid and process)

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
  pid | process
  3536 | ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe, scrnstarta.exe
  description | pid | process | target process
  PID 3724 wrote to memory of 3536 | 3724 | ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe | ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe (3 entries)
  PID 2648 wrote to memory of 3548 | 2648 | scrnstarta.exe | scrnstarta.exe (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe"
  PID: 3724
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ea65aabffb33b122be980c2ea7a66f9ce8b3f81c83a94fff962bbc7725d8e7b7.exe
    command line: --42502a94
    PID: 3536
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\scrnstarta.exe
  command line: "C:\Windows\SysWOW64\scrnstarta.exe"
  PID: 2648
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\scrnstarta.exe
    command line: --7b1067bd
    PID: 3548
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

- memory/2648-121-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/3536-115-0x0000000000000000-mapping.dmp
- memory/3536-117-0x0000000002020000-0x0000000002031000-memory.dmp (Filesize: 68KB)
- memory/3536-118-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/3548-120-0x0000000000000000-mapping.dmp
- memory/3548-123-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/3724-114-0x0000000000560000-0x00000000006AA000-memory.dmp (Filesize: 1.3MB)
- memory/3724-116-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)