Analysis
- max time kernel: 138s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 18-05-2021 05:56
Static task: static1
Behavioral task: behavioral1
  Sample: 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
  Resource: win10v20210410
General
- Target: 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
- Size: 212KB
- MD5: b32e26f8c8d982d8b1ad942b3e0d32cb
- SHA1: bd0343fa996118f9f060908579299ebff7980700
- SHA256: 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2
- SHA512: 58f09caabac2331f23d7fadfb15d85add2d52b4af5fb383888a444f19e3821fc45b00aa50aa130a7e2bcfef7d81e18694fd924d4fbb8dc532dba0715666bdeb2
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
  Process: printstitle.exe
  File opened for modification:
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Process: printstitle.exe
  Set value (str):
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2696 printstitle.exe (10 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 208 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2256 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
  PID 208 88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
  PID 3724 printstitle.exe
  PID 2696 printstitle.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2256 (88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe) wrote to memory of PID 208 (88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe), 3 occurrences
  PID 3724 (printstitle.exe) wrote to memory of PID 2696 (printstitle.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\88b6e1df8dd5d0f3345948e81df1f70315927e949e875bdda440002b0c1d16b2.exe (child)
    Command line: --379743e2
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\printstitle.exe
  Command line: "C:\Windows\SysWOW64\printstitle.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\printstitle.exe (child)
    Command line: --6b260fa8
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4f7b12359ff0cd5362f9410c19b36a74_89bbad60-16d5-41c2-ad8d-716f4ac5f4c2
  MD5: e4b53ea64ceb467b80ac8c2a2cdaebdf
  SHA1: 6ffec5f65ba74828f2c9e767624c075576546d41
  SHA256: ee7615f799b8f2710a58f5b765a36ede97c281a1c5fc16044d89d8089e5f8658
  SHA512: a462b615b016ea6432a0f4fced211a57448f7c19736e50cc020b1c70663ec58beeafeed3f42aa6affabfda11b936b19fc69ce0a102ca7ce92184c5e995e630fe
- memory/208-114-0x0000000000000000-mapping.dmp
- memory/208-116-0x0000000000590000-0x00000000005A1000-memory.dmp (Filesize: 68KB)
- memory/2256-115-0x0000000000440000-0x000000000058A000-memory.dmp (Filesize: 1.3MB)
- memory/2696-117-0x0000000000000000-mapping.dmp