Analysis
-
max time kernel
355s -
max time network
352s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
20-10-2021 11:41
General
-
Target
282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
-
Size
52KB
-
MD5
28945b625617cfdcc444b428de0a7a00
-
SHA1
9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
-
SHA256
282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
-
SHA512
eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies extensions of user files 18 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Discovers systems in the same network 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies registry class 31 IoCs
-
NTFS ADS 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of FindShellTrayWindow 46 IoCs
-
Suspicious use of SendNotifyMessage 29 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe"1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exe 22⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exeC:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exe 23⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\1LLDO:exeC:\Users\Admin\AppData\Local\1LLDO:exe 3 C:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exe4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\kosJKJL:exeC:\Users\Admin\AppData\Local\kosJKJL:exe 1 C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view3⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view \\RSSLLXYN3⤵
- Discovers systems in the same network
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 392 -s 71041⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 392 -s 71881⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Caches\cversions.2.dbMD5
ac43cc8da9cb3fb5bedbc3e5b9d9c44b
SHA1697367119e627c1be27cd86e0dce98b6987f05a8
SHA2563f8f00035833cfd74d64b03ee8bc2952728c1a1f248211781a9c24f1f75d4a68
SHA5127b093eeeee05f858708e538a9aafb5e76cbcf426ead8bb2f6fcd4264b61c35dc9a4ebed67c3b0e1c1b166bb5de4c6f4d4c5d1b4f8b14d00f08f7168b902529fc
-
C:\Users\Admin\AppData\Local\1LLDO:exeMD5
28945b625617cfdcc444b428de0a7a00
SHA19cab670cd0d11e901cdb3f197aa18f1a6e2930ba
SHA256282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
SHA512eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
-
C:\Users\Admin\AppData\Local\1LLDO:exeMD5
28945b625617cfdcc444b428de0a7a00
SHA19cab670cd0d11e901cdb3f197aa18f1a6e2930ba
SHA256282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
SHA512eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001e.dbMD5
dadd366ab1152f68b38ce1ab230990df
SHA12628b6371b08837ce1f319f209499fb390333279
SHA2562b577056cb197795ac117e9ace17027b48d42fec63641d086f46191f37df8828
SHA5125f37d3e270c9bba26f04c5f72769055c4d82a5bdcc84b90fd90fb2f549f0abdc33a34c32928f0e6fb88a8d4eca279819ff5c112f74af29aec9a0f3931f1db38d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.3.ver0x0000000000000001.dbMD5
19f84ea3fab4132d5044f8a35d1f8796
SHA1b30d1d80ade09203807b753a049811c6b7276386
SHA256add8434053f73ee6a960a5e1dca1f72e059a349fa2bf7d6ed83f1637b79b8cb1
SHA512780bbbe083b1b978af74e7d1b7747950c4c04a3b292c1601bed4d4690ce6dfd95035112d7ebafde011faaea764a9b2716ac17b4064a091415c1420d6b9af0cda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\counters2.datMD5
d6cd101ed81f35516610222b6814042b
SHA12e3660d95aa941b0f6270fd9003ace1bb41902e5
SHA256a690d50e9a9500b05b9a459e64a36227c2a3a4ce8ef637819003ad72841659b0
SHA512e4766dc395578997cc7905707e59da4c678cecd6f16f40c4033b4f4f85a936b1d79e23b829f5957880b3977c870b324f6adc90fb7f6b15051b7a2b58e23cba05
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4032412167\2690874625.priMD5
6fcb6c89d8d5bb045a017720f61ce2cb
SHA161d1533654f577051fc727619a5ddaa2c78a6f67
SHA25619a8d7b9343b628082b251dd110502d953a91c2adc596222bcacab1b32eb4546
SHA512b934bd6ec2c557f06e7d337ff7ac87ed54e869193f1b471303911cbb2bf458961f345970bdd56bcafe428eb1a4a082a217a0feb54d2fee2c3a44f43fcec95f5c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Windows\1601268389\3068621934.priMD5
96e6252fb6b02b98439c87a0c59fe505
SHA10658b8ed5195697e85ce50590d851c3c0c96a0c0
SHA2564defd2bca9d0c6c68c76d9e2ed95ee2f3ff884c69d1630d8a926ff479b67c65a
SHA51267ef437e1f2d0095c282538070043cc1c9bfbbddeb82c1e429fe1b14cdb2a745ac168f1c87716153cb65cbe91b708403df042998705e829f9ffb789c5104c709
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\AC\Microsoft\Windows\4032412167\2690874625.priMD5
6fcb6c89d8d5bb045a017720f61ce2cb
SHA161d1533654f577051fc727619a5ddaa2c78a6f67
SHA25619a8d7b9343b628082b251dd110502d953a91c2adc596222bcacab1b32eb4546
SHA512b934bd6ec2c557f06e7d337ff7ac87ed54e869193f1b471303911cbb2bf458961f345970bdd56bcafe428eb1a4a082a217a0feb54d2fee2c3a44f43fcec95f5c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\AC\Microsoft\Windows\4183903823\1195458082.priMD5
2228c467ea0ebfe0080106d30a7ae6f0
SHA156f35a7ae6eef9db110b7cf008c1e43e68af7cb6
SHA256f6c050c6655b8ac3e145ee48756cbdfb8fa73dd3cb3ddec9eb51cb4d2225f190
SHA512d938f77b1654062887f2fd0de912abcdea7f5521590d40c95d5792c82bed8e99fe70041bee2393f6b712463a6d23050da7f0dffa678c0662b14e63cf2e4d3bec
-
C:\Users\Admin\AppData\Local\kosJKJL:exeMD5
28945b625617cfdcc444b428de0a7a00
SHA19cab670cd0d11e901cdb3f197aa18f1a6e2930ba
SHA256282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
SHA512eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
-
C:\Users\Admin\AppData\Local\kosJKJL:exeMD5
28945b625617cfdcc444b428de0a7a00
SHA19cab670cd0d11e901cdb3f197aa18f1a6e2930ba
SHA256282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
SHA512eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
-
C:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exeMD5
28945b625617cfdcc444b428de0a7a00
SHA19cab670cd0d11e901cdb3f197aa18f1a6e2930ba
SHA256282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
SHA512eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
-
C:\Users\Admin\AppData\Local\q5TGHi\aluR8m.exeMD5
28945b625617cfdcc444b428de0a7a00
SHA19cab670cd0d11e901cdb3f197aa18f1a6e2930ba
SHA256282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
SHA512eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
-
memory/416-116-0x0000000000000000-mapping.dmp
-
memory/496-115-0x0000000000000000-mapping.dmp
-
memory/1112-119-0x0000000000000000-mapping.dmp
-
memory/1528-125-0x0000000000000000-mapping.dmp
-
memory/3052-126-0x0000000000000000-mapping.dmp
-
memory/4036-122-0x0000000000000000-mapping.dmp