Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-05-2021 02:01

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
  - Resource: win7v20210410 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
- Size: 149KB
- MD5: cf635f0a86ef619126c8934478ef1c1b
- SHA1: 9a3d0a1f589cb972c25803628635d2b477cb67bc
- SHA256: 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3
- SHA512: f670c6befaa44bb4ec38d716f556426a92b6bdf714caebd81a336b7a30859147bf41c9837bc9b28b252826ba4c7932e07891978f9f3779d6b807c637f8ae4e07
Malware Config
Signatures
Drops file in System32 directory (1 IoC)
Processes: sourcejobs.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (sourcejobs.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (21 IoCs)
Processes: sourcejobs.exe (every entry below was performed by sourcejobs.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 108dbf265f4ad701
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070022000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 108dbf265f4ad701
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: sourcejobs.exe
- pid 1080, sourcejobs.exe
- pid 1080, sourcejobs.exe
- pid 1080, sourcejobs.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes: 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
- pid 1848, 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe

Suspicious use of UnmapMainImage (4 IoCs)
Processes: 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe, 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe, sourcejobs.exe, sourcejobs.exe
- pid 2036, 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
- pid 1848, 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
- pid 368, sourcejobs.exe
- pid 1080, sourcejobs.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe, sourcejobs.exe
(description; pid; process; target process)
- PID 2036 wrote to memory of 1848; 2036; 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe; 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
- PID 2036 wrote to memory of 1848; 2036; 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe; 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
- PID 2036 wrote to memory of 1848; 2036; 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe; 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
- PID 2036 wrote to memory of 1848; 2036; 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe; 16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
- PID 368 wrote to memory of 1080; 368; sourcejobs.exe; sourcejobs.exe
- PID 368 wrote to memory of 1080; 368; sourcejobs.exe; sourcejobs.exe
- PID 368 wrote to memory of 1080; 368; sourcejobs.exe; sourcejobs.exe
- PID 368 wrote to memory of 1080; 368; sourcejobs.exe; sourcejobs.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\16d444ef20cedb8a31b7b4731bd23e687055185b489d3c46398736466869eaa3.exe
    Command line: --848f240
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
- C:\Windows\SysWOW64\sourcejobs.exe
  Command line: "C:\Windows\SysWOW64\sourcejobs.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sourcejobs.exe
    Command line: --cfd7b7e3
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1080-67-0x0000000000000000-mapping.dmp
- memory/1848-61-0x0000000000000000-mapping.dmp
- memory/1848-65-0x0000000076281000-0x0000000076283000-memory.dmp (Filesize: 8KB)
- memory/2036-60-0x0000000000230000-0x0000000000241000-memory.dmp (Filesize: 68KB)
- memory/2036-62-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)