Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-05-2021 01:06

- Static task: static1
- Behavioral task: behavioral1
  - Sample: 2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe
  - Resource: win7v20210408 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: 2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe
- Size: 135KB
- MD5: 6e561be14e05c25a7f317172f73f2117
- SHA1: 063dc4313363b3eb96f1f0fecfa7709aa288f37c
- SHA256: 2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf
- SHA512: ae6d76057abe06e0f1058304270d1311b8c58f96c14cbfcb22efe175d16add88311a912bb4e63f780c8d7481ae82dc9eb4e16c4b9fc09e7bdea4a97a1e8e7aae
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
  Processes: sourcetexture.exe
  description | ioc | process
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | sourcetexture.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | sourcetexture.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | sourcetexture.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | sourcetexture.exe
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | sourcetexture.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: sourcetexture.exe
  description | ioc | process
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | sourcetexture.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | sourcetexture.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | sourcetexture.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: sourcetexture.exe
  pid | process
  - 2744 | sourcetexture.exe (this row is repeated 10 times, once per IoC)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: 2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe
  pid | process
  - 2660 | 2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe, sourcetexture.exe
  description | pid | process | target process
  - PID 3968 wrote to memory of 2660 | 3968 | 2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe | 2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe (this row is repeated 3 times)
  - PID 2904 wrote to memory of 2744 | 2904 | sourcetexture.exe | sourcetexture.exe (this row is repeated 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3968
  - C:\Users\Admin\AppData\Local\Temp\2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2a66d935b5f241a7592063bdb3293a9614abc5dac09f2668839bda53198defdf.exe --46a47f69
    - Suspicious behavior: RenamesItself
    PID: 2660
- C:\Windows\SysWOW64\sourcetexture.exe
  Command line: "C:\Windows\SysWOW64\sourcetexture.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2904
  - C:\Windows\SysWOW64\sourcetexture.exe
    Command line: C:\Windows\SysWOW64\sourcetexture.exe --ece48476
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 2744
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2660-115-0x0000000000000000-mapping.dmp
- memory/2660-117-0x0000000000490000-0x00000000005DA000-memory.dmp (Filesize: 1.3MB)
- memory/2744-120-0x0000000000000000-mapping.dmp
- memory/2904-119-0x0000000000560000-0x00000000006AA000-memory.dmp (Filesize: 1.3MB)
- memory/2904-121-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)
- memory/3968-114-0x0000000000480000-0x0000000000491000-memory.dmp (Filesize: 68KB)
- memory/3968-116-0x0000000000400000-0x0000000000423000-memory.dmp (Filesize: 140KB)