Analysis
  max time kernel:  145s
  max time network: 147s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        17-05-2021 04:58

Static task:     static1
Behavioral task: behavioral1
  Sample:   5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
  Resource: win7v20210410
General
  Target: 5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
  Size:   372KB
  MD5:    ae7d41c270b9a835e387d6b3794d8db5
  SHA1:   afc7b1e9e5ab0c88038b0f6a021282b9eec549de
  SHA256: 5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98
  SHA512: c69fd3fb00270ea093f5fb7c28c841c8f31b0f6d930d0f42144e6c3bcee7040c80e6ba707eecf2f3a47b6262cc92114c387ae1f45bd4e1e7be7bf2d3ca820780
Malware Config
Signatures

Drops file in System32 directory (5 IoCs)
  Processes: leelcompon.exe
  description                   ioc                                                                                                    process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5           leelcompon.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                    leelcompon.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                     leelcompon.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5            leelcompon.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat        leelcompon.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
  Processes: leelcompon.exe
  description      ioc                                                                                                                              process
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                  leelcompon.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"     leelcompon.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"    leelcompon.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: leelcompon.exe
  pid   process
  3332  leelcompon.exe   (this entry is repeated 12 times in the report)

Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
  pid   process
  1192  5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe, leelcompon.exe
  description                        pid   process                                                                   target process
  PID 3652 wrote to memory of 1192   3652  5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe    5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
  PID 3652 wrote to memory of 1192   3652  5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe    5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
  PID 3652 wrote to memory of 1192   3652  5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe    5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe
  PID 3956 wrote to memory of 3332   3956  leelcompon.exe                                                            leelcompon.exe
  PID 3956 wrote to memory of 3332   3956  leelcompon.exe                                                            leelcompon.exe
  PID 3956 wrote to memory of 3332   3956  leelcompon.exe                                                            leelcompon.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5d5ef6429494a7789f3a086c5aeafd825cb033e74507c1c03495ceb37c81bf98.exe  (depth 2)
    command line: --744c99d7
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\leelcompon.exe  (depth 1)
  command line: "C:\Windows\SysWOW64\leelcompon.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\leelcompon.exe  (depth 2)
    command line: --42bc2720
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4f7b12359ff0cd5362f9410c19b36a74_89bbad60-16d5-41c2-ad8d-716f4ac5f4c2
  MD5:    e4b53ea64ceb467b80ac8c2a2cdaebdf
  SHA1:   6ffec5f65ba74828f2c9e767624c075576546d41
  SHA256: ee7615f799b8f2710a58f5b765a36ede97c281a1c5fc16044d89d8089e5f8658
  SHA512: a462b615b016ea6432a0f4fced211a57448f7c19736e50cc020b1c70663ec58beeafeed3f42aa6affabfda11b936b19fc69ce0a102ca7ce92184c5e995e630fe

- memory/1192-114-0x0000000000000000-mapping.dmp

- memory/1192-117-0x00000000001F0000-0x0000000000200000-memory.dmp
  Filesize: 64KB

- memory/3332-118-0x0000000000000000-mapping.dmp

- memory/3332-122-0x0000000000460000-0x000000000050E000-memory.dmp
  Filesize: 696KB

- memory/3652-116-0x0000000000680000-0x0000000000690000-memory.dmp
  Filesize: 64KB

- memory/3956-119-0x00000000001D0000-0x00000000001F3000-memory.dmp
  Filesize: 140KB