Analysis

  • max time kernel
    301s
  • max time network
    288s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    09/12/2021, 07:42

General

  • Target

    Doitman.exe

  • Size

    125KB

  • MD5

    f28ac8c53e1776f0bb151bfe969cb50c

  • SHA1

    ac6d92aa5213bf0431999688f63c37d72a6206bf

  • SHA256

    e95902e83c3cd7ceef665f91faba200dd487a073996e34ae3f041a00d0a061a5

  • SHA512

    5ccb69f839dda459fca95a0731a152f831e32e23521e47506710a824a1d5779d59ce1752f623b700a1416263a5537f7c92c16f43c6c9ded028839493bbed8e7c

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 62 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doitman.exe
    "C:\Users\Admin\AppData\Local\Temp\Doitman.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:3032
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3004 -s 3392
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3948
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1340
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1340 -s 7404
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3152
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3848
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2600
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3616
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3280
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3252

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1340-122-0x0000000004020000-0x0000000004021000-memory.dmp

    Filesize

    4KB

  • memory/3032-115-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

  • memory/3032-120-0x0000000002B40000-0x0000000002B42000-memory.dmp

    Filesize

    8KB

  • memory/3032-119-0x00000000011A0000-0x00000000011A1000-memory.dmp

    Filesize

    4KB

  • memory/3032-118-0x0000000000F80000-0x0000000000F92000-memory.dmp

    Filesize

    72KB

  • memory/3032-117-0x0000000000F70000-0x0000000000F71000-memory.dmp

    Filesize

    4KB