Analysis
max time kernel: 127s
max time network: 143s
platform: windows10_x64
resource: win10v20210408
submitted: 16-05-2021 04:25
Static task: static1
Behavioral task: behavioral1
Sample: ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe
Resource: win7v20210410
0 signatures
0 seconds
General
Target: ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe
Size: 162KB
MD5: 9500a8ed79991a7c9276e62b663df95e
SHA1: d2e5add104ece763d0de4abb0c22129f61852144
SHA256: ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2
SHA512: ef3ddf271c2fd4e56f3511f825ae66983ba788d03457f3560358859dab6b32444ad322f4c8530e5648e3a3f837acb032ae241c7fe11ced7b2cfe56ae3c08af99
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
Processes: sitkasource.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | sitkasource.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | sitkasource.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | sitkasource.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | sitkasource.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | sitkasource.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
Processes: sitkasource.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | sitkasource.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | sitkasource.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | sitkasource.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: sitkasource.exe
pid | process
3932 | sitkasource.exe (this row is repeated 12 times in the report)
- Suspicious behavior: RenamesItself (1 IoCs)
Processes: ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe
pid | process
1788 | ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes: ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe, sitkasource.exe
description | pid | process | target process
PID 648 wrote to memory of 1788 | 648 | ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe | ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe (this row is repeated 3 times in the report)
PID 2832 wrote to memory of 3932 | 2832 | sitkasource.exe | sitkasource.exe (this row is repeated 3 times in the report)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ef542a6656488836225eab031154badda2b5ec3ee52f12f5eaca4bb73a4151e2.exe --5d7f846
    - Suspicious behavior: RenamesItself
- [depth 1] C:\Windows\SysWOW64\sitkasource.exe
  command line: "C:\Windows\SysWOW64\sitkasource.exe"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\sitkasource.exe
    command line: C:\Windows\SysWOW64\sitkasource.exe --6d9974e5
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/648-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/648-115-0x0000000002140000-0x0000000002151000-memory.dmp (Filesize: 68KB)
- memory/1788-114-0x0000000000000000-mapping.dmp
- memory/1788-118-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/2832-119-0x0000000000430000-0x00000000004DE000-memory.dmp (Filesize: 696KB)
- memory/2832-121-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/3932-120-0x0000000000000000-mapping.dmp
- memory/3932-122-0x0000000000480000-0x000000000052E000-memory.dmp (Filesize: 696KB)