Analysis
max time kernel: 142s
max time network: 145s
platform: windows10_x64
resource: win10v20210410
submitted: 18-05-2021 09:39
Static task: static1
Behavioral task: behavioral1
Sample: 361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
Resource: win7v20210408
General
Target: 361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
Size: 292KB
MD5: 244374204971acc756b7ef1c1616e4a0
SHA1: 50a3ca99a3e8009ebc70671ae6df4e84e67c9a2f
SHA256: 361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694
SHA512: 8c99f3d5c71b078b58932c764b9585c12dd7cc449b7509639d592a026aec69e630753f9008eff7c353f2eac27694978abb9980f7d9b67815f2d9b508e3ef1669
Malware Config
Signatures

Drops file in System32 directory (5 IoCs)
Process: angledef.exe (PID 3976). All five paths sit under the LocalSystem (S-1-5-18) profile directory, which is consistent with this process running as SYSTEM; note that the sandbox signature says "System32" but the actual directory is SysWOW64, the 32-bit system directory.
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but it is a generic heuristic: nothing else in this report (no mass file writes, no renamed or encrypted user files, no ransom note) shows encryption actually taking place, so treat the label as a lead to verify, not a verdict.
Modifies data under HKEY_USERS (3 IoCs)
Process: angledef.exe (PID 3976). These are the standard WinINet cache-prefix values, written when WinINet initialises its cache for the .DEFAULT hive (the hive used by SYSTEM-context processes); they point to WinINet networking from a SYSTEM process rather than to a persistence change.
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Process: angledef.exe (PID 3976), 20 process-enumeration events.

Suspicious behavior: RenamesItself (1 IoC)
Process: 361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe (PID 1668).

Suspicious use of WriteProcessMemory (6 IoCs)
Each parent writes into the memory of the child copy of its own image that it just launched; see the process tree below.
  PID 1832 (361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe) wrote to memory of PID 1668 (361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe): 3 events
  PID 3368 (angledef.exe) wrote to memory of PID 3976 (angledef.exe): 3 events
Processes
Both trees follow the same two-stage pattern: a root process launches a second copy of its own image with an 8-hex-digit "--" argument, then writes into that child with WriteProcessMemory. The second root, angledef.exe, lives in C:\Windows\SysWOW64 and is the process that produces the SYSTEM-profile file and registry artifacts above; the report does not show which process placed it there.

C:\Users\Admin\AppData\Local\Temp\361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe"
  PID: 1832
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe --355c7734
      PID: 1668 (child of 1832)
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\angledef.exe
  Command line: "C:\Windows\SysWOW64\angledef.exe"
  PID: 3368
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\angledef.exe
      Command line: C:\Windows\SysWOW64\angledef.exe --aa428ca4
      PID: 3976 (child of 3368)
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
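The process-tree pattern above (a parent spawning a copy of its own image with an 8-hex-digit "--" token and then writing into the child) is something a detection engineer can match on. The following is an added example written for this page, not sandbox code: it reconstructs the report's two trees from records shaped like the "Processes" tree and the WriteProcessMemory signature (PIDs, images and arguments copied from the report; the record layout and field names are this example's own assumption) and flags every child that satisfies all three conditions.

```python
"""Flag the self-spawn-and-inject pattern from the report's process tree.

Editor-written detection logic; the input records below are constructed from
the report (PIDs, image paths and arguments are as listed there), while the
Proc record shape and the helper names are this example's own assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The second-stage copy is launched with "--" followed by 8 lowercase hex digits.
STAGE_TOKEN = re.compile(r"(?:^|\s)--[0-9a-f]{8}(?:\s|$)")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    writes_to: Set[int] = field(default_factory=set)


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\361531ae945f36019323f6047778a7b9f70093f3d41aa0507452b4c51a30d694.exe")
ANGLEDEF = r"C:\Windows\SysWOW64\angledef.exe"

# Constructed from the report's "Processes" tree.
PROCESSES: List[Proc] = [
    Proc(1832, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(1668, 1832, SAMPLE, f"{SAMPLE} --355c7734"),
    Proc(3368, None, ANGLEDEF, f'"{ANGLEDEF}"'),
    Proc(3976, 3368, ANGLEDEF, f"{ANGLEDEF} --aa428ca4"),
]

# Constructed from the "PID X wrote to memory of Y" lines (3 events per pair).
MEMORY_WRITES: List[Tuple[int, int]] = [
    (1832, 1668), (1832, 1668), (1832, 1668),
    (3368, 3976), (3368, 3976), (3368, 3976),
]


def build_tree(procs: List[Proc], writes: List[Tuple[int, int]]) -> Dict[int, Proc]:
    """Index processes by PID and attach the set of PIDs each one wrote into."""
    by_pid = {p.pid: p for p in procs}
    for src, dst in writes:
        if src in by_pid:
            by_pid[src].writes_to.add(dst)
    return by_pid


def find_self_inject(by_pid: Dict[int, Proc]) -> List[Tuple[int, int, List[str]]]:
    """Return (parent_pid, child_pid, reasons) for every child that is a copy of
    its parent's image, carries a stage token, and was written to by the parent.
    All three must hold; a lone self-spawn (e.g. a normal re-exec) is not enough."""
    hits = []
    for child in by_pid.values():
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        reasons = []
        if parent.image.lower() == child.image.lower():
            reasons.append("child image == parent image")
        if STAGE_TOKEN.search(child.cmdline):
            reasons.append("stage token on command line")
        if child.pid in parent.writes_to:
            reasons.append("parent wrote to child memory")
        if len(reasons) == 3:
            hits.append((parent.pid, child.pid, reasons))
    return hits


if __name__ == "__main__":
    for ppid, pid, why in find_self_inject(build_tree(PROCESSES, MEMORY_WRITES)):
        print(f"{ppid} -> {pid}: " + "; ".join(why))
```

Run against the report's records, this yields the two pairs 1832 -> 1668 and 3368 -> 3976. Requiring all three conditions keeps the rule quiet on legitimate software that re-launches itself with a flag but never touches the child's memory; on real telemetry the memory-write condition maps to whatever your sensor exposes for cross-process writes (Sysmon logs process access, not the write itself, so the field used will differ).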
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\4f7b12359ff0cd5362f9410c19b36a74_89bbad60-16d5-41c2-ad8d-716f4ac5f4c2
  MD5: e4b53ea64ceb467b80ac8c2a2cdaebdf
  SHA1: 6ffec5f65ba74828f2c9e767624c075576546d41
  SHA256: ee7615f799b8f2710a58f5b765a36ede97c281a1c5fc16044d89d8089e5f8658
  SHA512: a462b615b016ea6432a0f4fced211a57448f7c19736e50cc020b1c70663ec58beeafeed3f42aa6affabfda11b936b19fc69ce0a102ca7ce92184c5e995e630fe
  This is a CryptoAPI RSA key container in the LocalSystem (S-1-5-18) key store, again consistent with a process running as SYSTEM. Such containers are created as a side effect of CryptoAPI use, so its hashes identify a machine-specific artifact, not a payload; do not distribute them as file IoCs.

Memory dumps
memory/1668-116-0x0000000000000000-mapping.dmp
memory/1668-117-0x0000000000450000-0x000000000059A000-memory.dmp  Filesize: 1.3MB
memory/1832-115-0x0000000000560000-0x00000000006AA000-memory.dmp  Filesize: 1.3MB
memory/3368-120-0x0000000000450000-0x00000000004FE000-memory.dmp  Filesize: 696KB
memory/3976-119-0x0000000000000000-mapping.dmp
memory/3976-123-0x00000000001F0000-0x00000000001FF000-memory.dmp  Filesize: 60KB