Analysis
- max time kernel: 145s
- max time network: 160s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-05-2021 05:20

Static task: static1
Behavioral task: behavioral1
Sample: ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe
Resource: win7v20210408 (windows7_x64), 0 signatures, 0 seconds
General
- Target: ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe
- Size: 143KB
- MD5: 06f15879a3e68a2609e336d793c718c0
- SHA1: ee7d3502ae1e54699a06719400e11b8e570a8aec
- SHA256: ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0
- SHA512: 85d6ed14f552806065110ca1808770646ab8a6940aa79cc9ebb2e4086ca69448a40e11aad3425f6571dbc8b8942b08928c3c3541d22560c0e66f7e17e18b4730
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
  Process: itslangs.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | itslangs.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | itslangs.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | itslangs.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | itslangs.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | itslangs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Process: itslangs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | itslangs.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | itslangs.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | itslangs.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Process: itslangs.exe
  pid | process
  3956 | itslangs.exe (10 identical entries)
- Suspicious behavior: RenamesItself (1 IoCs)
  Process: ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe
  pid | process
  3084 | ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe, itslangs.exe
  description | pid | process | target process
  PID 4656 wrote to memory of 3084 | 4656 | ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe | ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe (3 identical entries)
  PID 3032 wrote to memory of 3956 | 3032 | itslangs.exe | itslangs.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe"
  PID: 4656
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\ca221e91bfd2d2e7e93196c11ff4db0713f1e41675cc1f1b13b7b742c94612d0.exe --52b82999
    PID: 3084
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\itslangs.exe
  Command line: "C:\Windows\SysWOW64\itslangs.exe"
  PID: 3032
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\itslangs.exe --3b852e2f
    PID: 3956
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3032-121-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/3084-115-0x0000000000000000-mapping.dmp
- memory/3084-117-0x0000000000430000-0x00000000004DE000-memory.dmp (696KB)
- memory/3084-118-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/3956-120-0x0000000000000000-mapping.dmp
- memory/4656-114-0x00000000001D0000-0x00000000001E1000-memory.dmp (68KB)
- memory/4656-116-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)